
ConfigMaps are fetched even if no option for them is set

Open sneko opened this issue 3 years ago • 3 comments

Hi @joyrex2001 ,

According to the minimum RBAC provided in the README.md it seems no call for ConfigMap should be done by default.

But when running the image I get this kind of errors:

E0808 17:00:59.867275 1 main.go:83] error cleaning k8s containers: configmaps is forbidden: User "system:serviceaccount:XXXXX:YYYYYY" cannot list resource "configmaps" in API group "" in the namespace "XXXXX"

Should I grant this rule too? Or should kubedock change this?

Thank you,

sneko (Aug 08 '22 17:08)

Ah, this is an oversight in the cleaning. ConfigMaps are only used when --pre-archive or --lock are used; the reaper is unaware of this and tries to clean these as well. The easiest solution is to enable the RBAC for configmaps as well.

joyrex2001 (Aug 09 '22 10:08)

@joyrex2001 on my side, here are the minimum rules needed to run kubedock with no errors in the logs (with default settings):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: testcontainers
  namespace: jenkins
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["create", "get", "list", "delete"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["list", "get"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "get", "list", "delete"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["list"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["list"]
## optional permissions (depending on kubedock use)
# - apiGroups: ["batch"]
#   resources: ["jobs"]
#   verbs: ["create", "get", "list", "delete"]
# - apiGroups: [""]
#   resources: ["configmaps"]
#   verbs: ["create", "get", "list", "delete"]
# - apiGroups: ["coordination.k8s.io"]
#   resources: ["leases"]
#   verbs: ["create", "get", "list", "delete"]

Note the modifications on "pods/exec.create", "services.delete", "configmaps.list" and "jobs.list".

sneko (Aug 09 '22 10:08)
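A quick way to confirm that a service account actually holds the verbs in the Role above before pointing kubedock at it is to ask the API server with `kubectl auth can-i` while impersonating the account. The script below is an added example, not kubedock's own code and not part of this thread; it assumes kubectl is on PATH and that the caller is allowed to impersonate the service account. The required list mirrors the Role posted above, the optional list mirrors the commented-out rules (configmaps and leases for --pre-archive/--lock, the remaining job verbs), and the namespace/service-account names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not kubedock's own code: checks that a service account holds
# every verb kubedock needs, using `kubectl auth can-i` with impersonation.
# Assumes kubectl is on PATH and the caller may impersonate the service account.

# Verbs kubedock needs with default settings, taken from the Role above.
# Each line is "apigroup resource verb"; the core ("") API group is written "core".
KUBEDOCK_REQUIRED='
apps deployments create
apps deployments get
apps deployments list
apps deployments delete
core pods list
core pods get
core pods/log list
core pods/log get
core pods/exec create
core services create
core services get
core services list
core services delete
core configmaps list
batch jobs list
'

# Extra verbs for --pre-archive, --lock, jobs and single-file bind mounts
# (the commented-out optional rules in the Role above).
KUBEDOCK_OPTIONAL='
batch jobs create
batch jobs get
batch jobs delete
core configmaps create
core configmaps get
core configmaps delete
coordination.k8s.io leases create
coordination.k8s.io leases get
coordination.k8s.io leases list
coordination.k8s.io leases delete
'

# can_i NAMESPACE SERVICEACCOUNT APIGROUP RESOURCE VERB
# Exit 0 when the service account may perform VERB on RESOURCE in NAMESPACE.
# `kubectl auth can-i` exits 0 for "yes" and 1 for "no"; subresources such as
# pods/exec are passed as-is, grouped resources as resource.group.
can_i() {
    ns=$1; sa=$2; group=$3; resource=$4; verb=$5
    if [ "$group" = core ]; then
        full=$resource
    else
        full="$resource.$group"
    fi
    kubectl auth can-i "$verb" "$full" -n "$ns" \
        --as="system:serviceaccount:$ns:$sa" >/dev/null 2>&1
}

# check_rules NAMESPACE SERVICEACCOUNT RULES
# Prints one "MISSING: verb resource (group)" line per absent permission and
# exits 0 only when nothing is missing. The here-document keeps the loop in the
# current shell so the counter survives (a pipe would run it in a subshell).
check_rules() {
    ns=$1; sa=$2; rules=$3
    missing=0
    while read -r group resource verb; do
        [ -n "$verb" ] || continue
        if ! can_i "$ns" "$sa" "$group" "$resource" "$verb"; then
            echo "MISSING: $verb $resource ($group)"
            missing=$((missing + 1))
        fi
    done <<EOF
$rules
EOF
    [ "$missing" -eq 0 ]
}

# Usage: sh check-kubedock-rbac.sh NAMESPACE SERVICEACCOUNT [all]
# With "all" the optional verbs are checked too.
if [ $# -eq 2 ]; then
    check_rules "$1" "$2" "$KUBEDOCK_REQUIRED"
elif [ $# -eq 3 ] && [ "$3" = all ]; then
    check_rules "$1" "$2" "$KUBEDOCK_REQUIRED$KUBEDOCK_OPTIONAL"
fi
```

Run it as `sh check-kubedock-rbac.sh jenkins testcontainers` for the default verbs, or append `all` when you use --pre-archive, --lock or single-file binds. A Role missing only `configmaps.list` produces exactly one line, `MISSING: list configmaps (core)`, which is the gap behind the "cannot list resource configmaps" error in the first post.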

Thanks, I updated the documentation accordingly.

joyrex2001 (Aug 09 '22 19:08)

Closing this issue.

Added the create, get, list and delete verbs back into the rbac documentation.

Kubedock will use configmaps for --pre-archive, but also in the case of single-file bindings, e.g. .withFileSystemBind("./src/test/resources/nginx.conf", "/etc/nginx/conf.d/default.conf", BindMode.READ_ONLY), and because of that the recommended default should include all verbs.

joyrex2001 (Sep 06 '23 18:09)