
RBAC missing "leases" resource permission when deployed via Helm chart

Open icicimov opened this issue 2 years ago • 3 comments

Describe the bug

Missing permission in the <release-name>-watch ClusterRole that aggregates into the <release-name> ClusterRole resulting in the following error:

E0913 06:47:26.961146 26 leaderelection.go:325] error retrieving resource lock ambassador/acmeclient: leases.coordination.k8s.io "acmeclient" is forbidden: User "system:serviceaccount:ambassador:ambassador" cannot get resource "leases" in API group "coordination.k8s.io" in the namespace "ambassador"

To Reproduce

I deployed the latest edge-stack Helm Chart v8.1.1 and am seeing the error.

Expected behavior

Probably something like:

  - apiGroups: ["coordination.k8s.io"]
    resources: [ "leases" ]
    verbs: ["get", "list", "watch", ...]

is missing here https://github.com/emissary-ingress/emissary/blob/0e0bd6a5ec6cf639b2ee751086e9bddc37baf150/charts/emissary-ingress/templates/rbac.yaml#L73

Versions (please complete the following information):

  • Ambassador: 3.1.0 and emissary 8.1.0 as deployed by edge-stack Helm Chart v8.1.1
  • Kubernetes environment: EKS
  • Version: 1.22

Additional context

Also see related Slack message here https://datawire-oss.slack.com/archives/CAULN7S76/p1663059200084969?thread_ts=1661860310.300609&cid=CAULN7S76

icicimov • Sep 14 '22 01:09
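An added example, not part of the original issue and not the project's code: it parses the "forbidden" log line reported above and checks a set of RBAC rules for a grant that covers the denied request, which is a quick way to confirm a chart change closes the gap. The rule lists are constructed stand-ins for the chart's ClusterRole, and the matcher is a simplification that ignores `resourceNames` and subresources.

```python
import re

# Matches the "forbidden" message format the Kubernetes API server returns,
# as seen in the log line quoted in the issue.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)

def parse_forbidden(line):
    """Return the denied request as a dict, or None if the line is not an RBAC denial."""
    m = FORBIDDEN.search(line)
    return m.groupdict() if m else None

def rule_allows(rule, group, resource, verb):
    """Simplified RBAC rule match: ignores resourceNames and subresources."""
    def has(values, wanted):
        return "*" in values or wanted in values
    return (has(rule.get("apiGroups", []), group)
            and has(rule.get("resources", []), resource)
            and has(rule.get("verbs", []), verb))

def missing_grants(log_lines, rules):
    """List denied (group, resource, verb) tuples that no rule in `rules` covers."""
    missing = []
    for line in log_lines:
        req = parse_forbidden(line)
        if req is None:
            continue
        key = (req["group"], req["resource"], req["verb"])
        if key not in missing and not any(rule_allows(r, *key) for r in rules):
            missing.append(key)
    return missing

# The log line from the issue (the only real input; everything below is constructed).
LOG = ['E0913 06:47:26.961146 26 leaderelection.go:325] error retrieving resource lock '
       'ambassador/acmeclient: leases.coordination.k8s.io "acmeclient" is forbidden: '
       'User "system:serviceaccount:ambassador:ambassador" cannot get resource "leases" '
       'in API group "coordination.k8s.io" in the namespace "ambassador"']

# Constructed stand-in for the chart's rules: core resources only, no coordination.k8s.io.
RULES_BEFORE = [{"apiGroups": [""], "resources": ["services", "secrets"],
                 "verbs": ["get", "list", "watch"]}]
# Same rules plus the rule proposed in the issue (its elided "..." verbs left out).
RULES_AFTER = RULES_BEFORE + [{"apiGroups": ["coordination.k8s.io"],
                               "resources": ["leases"],
                               "verbs": ["get", "list", "watch"]}]

if __name__ == "__main__":
    print("before:", missing_grants(LOG, RULES_BEFORE))
    print("after: ", missing_grants(LOG, RULES_AFTER))
```

Against a live cluster, the same question can be asked with `kubectl auth can-i get leases.coordination.k8s.io -n ambassador --as=system:serviceaccount:ambassador:ambassador`.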