
setup helm controller to use a rolebinding

Open sacreman opened this issue 6 years ago • 1 comments

Currently we use a clusterrolebinding and clusterrole.

We tried using a normal role and it fails on:

E0930 13:42:08.780111       1 reflector.go:134] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:95: Failed to list *v1.ClusterRoleBinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:test:helm-controller-hazzi" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope

sacreman Sep 30 '19 13:09

The controller creates the clusterrole and clusterrolebinding that are required for the helm job: https://github.com/Kubedex/helm-controller/blob/master/pkg/controller/helmchart/helmchart_controller.go#L128

For per-namespace deployments we could modify the controller to use a role and rolebinding. Since this changes the overall behaviour of how the controller operates, we can have a feature flag to switch between the two, keeping clusterrolebinding as the default. This is something we can prioritize.

gamunu Oct 09 '19 16:10
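
A way to triage the denial quoted in the issue, as an added example that is not code from the thread or from the helm-controller project: it parses the API server's "forbidden" message and reports whether a namespaced Role and RoleBinding could ever satisfy the request. The names `ParseDenial`, `ServiceAccountNamespace` and `GrantableByRoleBinding` are hypothetical, and the sample line is constructed from the log in the issue with the file path shortened.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Denial holds the fields of a Kubernetes RBAC "forbidden" message.
type Denial struct {
	User, Verb, Resource, APIGroup, Namespace string
	ClusterScope                              bool
}

var forbiddenRe = regexp.MustCompile(`User "([^"]+)" cannot (\S+) resource "([^"]+)" in API group "([^"]*)" (?:at the (cluster) scope|in the namespace "([^"]+)")`)

// ParseDenial extracts the denied request from a log line; ok is false if the line holds no denial.
func ParseDenial(line string) (d Denial, ok bool) {
	m := forbiddenRe.FindStringSubmatch(line)
	if m == nil {
		return d, false
	}
	return Denial{User: m[1], Verb: m[2], Resource: m[3], APIGroup: m[4],
		Namespace: m[6], ClusterScope: m[5] != ""}, true
}

// ServiceAccountNamespace returns the namespace of a system:serviceaccount:<ns>:<name> user, or "".
func ServiceAccountNamespace(user string) string {
	p := strings.Split(user, ":")
	if len(p) == 4 && p[0] == "system" && p[1] == "serviceaccount" {
		return p[2]
	}
	return ""
}

// GrantableByRoleBinding reports whether a Role plus RoleBinding could allow the request.
// A RoleBinding only grants access inside its own namespace, so cluster-scope requests never qualify.
func GrantableByRoleBinding(d Denial) bool {
	return !d.ClusterScope && d.Namespace != ""
}

// Constructed sample, modelled on the log line in the issue (file path shortened).
const sampleLine = `E0930 13:42:08.780111       1 reflector.go:134] Failed to list *v1.ClusterRoleBinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:test:helm-controller-hazzi" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope`

func main() {
	d, ok := ParseDenial(sampleLine)
	fmt.Println(ok, d.Verb, d.Resource, ServiceAccountNamespace(d.User), GrantableByRoleBinding(d))
}
```

For the line in the issue the result is "not grantable": the controller's informer lists clusterrolebindings at the cluster scope, so swapping the binding type alone cannot remove the error without the controller change discussed above.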