cluster-api-provider-cloudstack

Support CloudStack normal user account

Open rohityadavcloud opened this issue 2 years ago • 7 comments

/kind feature

Describe the solution you'd like

While this is documented at https://cluster-api-cloudstack.sigs.k8s.io/topics/cloudstack-permissions I would prefer if I could use CAPC as a normal user account without any issues for supported network models such as shared network, VPC and isolated network.

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]

Environment:

  • Cluster-api-provider-cloudstack version:
  • Kubernetes version: (use kubectl version):
  • OS (e.g. from /etc/os-release):

rohityadavcloud, Aug 04 '23 16:08

This is possibly already not an issue with ACS 4.18.1 and above that allows end-users to select a public IP in shared network etc. Needs testing, if it's already addressed we close this and update the docs/website; otherwise move this to the next v0.5.0 milestone.

rohityadavcloud, Sep 20 '23 06:09

Moving to v0.5.0 since this is a new feature and we are only prioritizing vital bugfixes for v0.4.9.

g-gaston, Nov 01 '23 21:11

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot, Jan 31 '24 15:01

cc @kiranchavala @vishesh92 @weizhouapache to advise if this is still applicable/relevant? Or can a normal user account also use CAPC without any issues?

rohityadavcloud, Mar 22 '24 14:03

> cc @kiranchavala @vishesh92 @weizhouapache to advise if this is still applicable/relevant? Or can a normal user account also use CAPC without any issues?

@rohityadavcloud I will do a quick test and update you.

weizhouapache, Mar 22 '24 14:03

  • No issue when deploying a CAPC cluster as a domain admin

  • Failed to deploy a CAPC cluster as a regular user

E0322 14:54:15.732481 1 controller.go:326] "msg"="Reconciler error" "error"="parsing ACSEndpoint secret with ref: {cloudstack-credentials-user default}: resolving account ACSUser details: resolving domain details: CloudStack API error 432 (CSExceptionErrorCode: 9999): The API [listDomains] does not exist or is not available for the account Account [{\"accountName\":\"ACSUser\",\"id\":4,\"uuid\":\"d744ea6d-45ca-4b4f-aee7-1b057d5ccb8f\"}]." "cloudStackFailureDomain"={"name":"590ec016fd8ebae981d65adf1e7306e8","namespace":"default"} "controller"="cloudstackfailuredomain" "controllerGroup"="infrastructure.cluster.x-k8s.io" "controllerKind"="CloudStackFailureDomain" "name"="590ec016fd8ebae981d65adf1e7306e8" "namespace"="default" "reconcileID"="da10e689-dda1-495e-af9e-a0c0e71d8a8f"

The fix seems simple. cc @rohityadavcloud @vishesh92

weizhouapache, Mar 22 '24 18:03

It has been mentioned in https://github.com/kubernetes-sigs/cluster-api-provider-cloudstack/blob/main/docs/book/src/topics/cloudstack-permissions.md

> The account that CAPC runs under must minimally be a Domain Admin type account with a role offering the following permissions

weizhouapache, Mar 25 '24 07:03