Create documentation for AKS that states RBAC is necessary

Open DarqueWarrior opened this issue 4 years ago • 5 comments

I created a K8s cluster that did not have RBAC enabled and the dapr-sidecar-injector was in an infinite (CrashLoopBackOff) loop. The documentation states Dapr will work in any cluster. That is not accurate. Not sure if the answer is to simply update the docs to make it clear that RBAC is required or make Dapr work in any cluster.

DarqueWarrior avatar Feb 12 '21 18:02 DarqueWarrior

Moving to docs

yaron2 avatar Feb 12 '21 18:02 yaron2

@yaron2 is the guidance to create documentation that states RBAC is a pre-requisite for an AKS cluster?

AaronCrawfis avatar Mar 01 '21 19:03 AaronCrawfis

@yaron2 why is RBAC a requirement? Seems like this is a bug unless RBAC is required

AaronCrawfis avatar Jul 06 '21 22:07 AaronCrawfis

I have the same issue: my AKS cluster doesn't have RBAC enabled and the sidecar injector fails with the error:

Unable to get SA deployment-controller UID (serviceaccounts \"deployment-controller\" not found)" "Unable to get SA cronjob-controller UID (serviceaccounts \"cronjob-controller\" not found)" "Unable to get SA job-controller UID (serviceaccounts \"job-controller\" not found)" "Unable to get SA statefulset-controller UID (serviceaccounts \"statefulset-controller\" not found)",

Any recommendation to solve this issue?

thinkbigdatanalytics avatar Sep 01 '21 15:09 thinkbigdatanalytics

RBAC is required for Dapr. The reason is due to a security issue with the Kubernetes API server not authorizing itself with the sidecar injector in a non-RBAC cluster, opening the door to malicious actors in the cluster potentially injecting Dapr sidecars.

yaron2 avatar Sep 01 '21 18:09 yaron2
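
The following is an added example, not code from the Dapr project or from any commenter in this thread: shell functions that extract the service accounts the injector reported as missing from log text like the error quoted above, compare them with a cluster listing, and interpret the AKS RBAC setting. The `kube-system` namespace and the `<...>` placeholders are assumptions; the sample log is the error text from the thread, split one message per line.

```shell
#!/usr/bin/env bash
# Added example, not Dapr project code: triage for the injector failure in this thread.

# Error text quoted in the thread, one message per line (sample input).
sample_log() {
  cat <<'EOF'
Unable to get SA deployment-controller UID (serviceaccounts \"deployment-controller\" not found)
Unable to get SA cronjob-controller UID (serviceaccounts \"cronjob-controller\" not found)
Unable to get SA job-controller UID (serviceaccounts \"job-controller\" not found)
Unable to get SA statefulset-controller UID (serviceaccounts \"statefulset-controller\" not found)
EOF
}

# stdin: dapr-sidecar-injector log text. stdout: service accounts reported missing.
missing_sas_from_log() {
  grep -oE 'Unable to get SA [a-z0-9-]+ UID \([^)]*not found\)' |
    sed -E 's/^Unable to get SA ([a-z0-9-]+) UID.*/\1/' | sort -u
}

# $1: output of `kubectl get serviceaccounts -n kube-system -o name`
#     (kube-system is an assumption; the thread does not name the namespace).
# stdin: names to look for. stdout: names absent from the cluster listing.
absent_from_cluster() {
  local sa
  while IFS= read -r sa; do
    [ -n "$sa" ] || continue
    printf '%s\n' "$1" | grep -Fxq "serviceaccount/$sa" || printf '%s\n' "$sa"
  done
}

# $1: output of `az aks show -g <resource-group> -n <cluster> --query enableRbac -o tsv`
# Succeeds only when the cluster reports RBAC as enabled.
aks_rbac_enabled() {
  [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "true" ]
}

# Live use, with placeholders filled in:
#   kubectl logs -n <dapr-namespace> deploy/dapr-sidecar-injector | missing_sas_from_log |
#     absent_from_cluster "$(kubectl get serviceaccounts -n kube-system -o name)"
```
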

This is specified in the Azure docs, will add as a pre-req to Dapr docs

hhunter-ms avatar Jul 13 '23 17:07 hhunter-ms