Andreas Kupries
Andreas Kupries
## Summary Able to reproduce the issue in 2.8.2, using a local (`RKE2 Embedded`) downstream cluster (Not Digital Ocean). Issue looks to be in namespace deletion itself, and project deletion...
Quoting a piece from SURE-5702 which did not make it here > I suspect that the Rancher UI is validating that the RoleTemplate is created properly. > That validation should...
Reading more the verb check is in `Admit` itself, and not the `validate...` functions.
The verb check is done via `CheckForVerbs`, in the common support for validators. It seems to me that an analogous `CheckForAPIGroups` should do what is wanted.
A bit more from SURE about reproduction > One note that wasn't on the issue - you need to bind a user to the impacted role template in a project...
Ok. Repro succesful: > 2024/01/26 13:17:14 [ERROR] error syncing 'p-p2nxh/prtb-cz899': handler cluster-prtb-sync: couldn't ensure roles: couldn't create clusterRole test-gh-40584-role: ClusterRole.rbac.authorization.k8s.io "test-gh-40584-role" is invalid: rules[0].apiGroups: Required value: resource rules must supply...
Fix with custom code (`CheckForAPIGroups` analogous to `CheckForVerbs`) is successful: > work@tagetarl:~/SUSE/dev/Rancher> __k apply -f 40584-roletemplate.yaml__ > Error from server (BadRequest): error when creating "40584-roletemplate.yaml": admission webhook "rancher.cattle.io.roletemplates.management.cattle.io" denied the...
Fix with a change to the CRD is successful: > work@tagetarl:~/SUSE/dev/Rancher> k apply -f 40584-roletemplate.yaml kubectl apply -f 40584-roletemplate.yaml The RoleTemplate "test-gh-40584-role" is invalid: rules[0].apiGroups: Invalid value: 0: rules[0].apiGroups in...
With both possible fixes working I have questions: 1. For one, which of the two is prefered ? a. Code change, or b. CRD change 2. If the second, then...
From comms in slack thread, by @MbolotSuse - The source for the role template CRD can be found here: https://github.com/rancher/rancher/blob/abc87f5240fd6799b3f485106638f967373a736c/pkg/apis/management.cattle.io/v3/authz_types.go#L216 - After editing that file you should use go generate...