
BranchPlanner can't create terraform resources in kubernetes (RC4)

Open hirenko-v opened this issue 1 year ago • 2 comments

Hi Team. Seems like we have missing permissions in RC4 for branch-planner as it can't create terraform under the hood.

In RC3 we had a ClusterRoleBinding that allowed doing anything on the cluster: https://github.com/flux-iac/tofu-controller/blob/v0.16.0-rc.3/charts/tf-controller/templates/rbac.yaml#L166

It is removed in rc4, but we have nothing that allows branch-planner to create terraform resources. It uses the tf-controller service account.

hirenko-v (Mar 25 '24 14:03)

AFAICT, there was a PR to scope down the RBAC to make things safer.

@yitsushi not sure if you could help point out what we would need here for the branch planner permissions?

chanwit (Mar 25 '24 17:03)

I think we need a create here: https://github.com/flux-iac/tofu-controller/pull/1099/files#diff-35334ce6e696c8dbc46c93b3ca840ece2918e87e5a6f517244f9bbad4d3ff651R53-R61

The PR went through as it says "for the reconciler", but in reality, the branch planner uses the same service account. So I guess the proper solution would be to create a separate role set and use that for the branch planner. For example, the branch planner doesn't have to be able to create or patch finalizers, not even list them.

yitsushi (Mar 25 '24 20:03)
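One way to realise the separate role set yitsushi describes, as an added example that is not from the tofu-controller chart or this thread: a dedicated service account for the branch planner, bound to a role that grants `create` on Terraform objects but deliberately omits the `finalizers` subresource. The namespace `flux-system`, the name `branch-planner`, and every verb other than `create` are assumptions; the thread only establishes that `create` is missing.

```yaml
# Added example (not the chart's own rbac.yaml): least-privilege RBAC for the
# branch planner, separate from the tf-controller reconciler's service account.
# Assumed: namespace flux-system, service account name "branch-planner",
# and the verbs beyond "create" (get/list/watch/update/patch/delete).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: branch-planner
  namespace: flux-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: branch-planner
rules:
  # Terraform custom resources managed by tofu-controller.
  - apiGroups: ["infra.contrib.fluxcd.io"]
    resources: ["terraforms"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Intentionally no rule for "terraforms/finalizers": per the thread the
  # planner never needs to create, patch or list finalizers, so they are
  # left to the reconciler's role set.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: branch-planner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: branch-planner
subjects:
  - kind: ServiceAccount
    name: branch-planner
    namespace: flux-system
# Point the branch-planner Deployment at this account instead of the
# tf-controller one (spec.template.spec.serviceAccountName: branch-planner).
# Check the result before and after applying:
#   kubectl auth can-i create terraforms.infra.contrib.fluxcd.io \
#     --as=system:serviceaccount:flux-system:branch-planner        # expect: yes
#   kubectl auth can-i patch terraforms.infra.contrib.fluxcd.io/finalizers \
#     --as=system:serviceaccount:flux-system:branch-planner        # expect: no
```

If the planner only ever works inside one namespace, swap the ClusterRoleBinding for a RoleBinding in that namespace to narrow the grant further.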