Capacitor with namespace scope
Hello,
I am trying to deploy Capacitor on an OpenShift cluster, as an end user, with only a namespace scope. For that, I replaced the ClusterRole/ClusterRoleBinding with a Role/RoleBinding. I also removed some of the pod security context:

```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  #runAsGroup: 101
  runAsNonRoot: true
  #runAsUser: 100
  seccompProfile:
    type: RuntimeDefault
```
But when the Capacitor pod starts, it generates a lot of logs because it tries to get resources at cluster scope:
```
W1129 13:26:32.502906 1 reflector.go:561] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:243: failed to list *v1.Event: events is forbidden: User "system:serviceaccount:ubly7356-free:capacitor" cannot list resource "events" in API group "" at the cluster scope
E1129 13:26:32.503107 1 reflector.go:158] "Unhandled Error" err="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:243: Failed to watch *v1.Event: failed to list *v1.Event: events is forbidden: User \"system:serviceaccount:ubly7356-free:capacitor\" cannot list resource \"events\" in API group \"\" at the cluster scope" logger="UnhandledError"
W1129 13:26:39.349203 1 reflector.go:561] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:243: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ubly7356-free:capacitor" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E1129 13:26:39.349281 1 reflector.go:158] "Unhandled Error" err="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:243: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:ubly7356-free:capacitor\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope" logger="UnhandledError"
W1129 13:26:47.580034 1 reflector.go:561] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:243: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:ubly7356-free:capacitor" cannot list resource "pods" in API group "" at the cluster scope
E1129 13:26:47.580089 1 reflector.go:158] "Unhandled Error" err="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:243: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:ubly7356-free:capacitor\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError"
```
Is it possible to add a feature in order to specify the namespace scope?
Rgds, Bruno.
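One way to triage denials like the ones above, added here as an example that is not part of Capacitor or of the reporter's setup: parse the client-go reflector log lines, collect the (API group, resource, verb, scope) tuples the API server rejected, and render the namespaced Role rules they imply. The log lines in the script are constructed to mirror the ones in the report (same service account and namespace); one extra, namespace-scoped denial for `secrets` is invented to exercise the other branch of the parser, and the Role name is an assumption. The cluster-scope check is the part worth keeping: a namespaced Role cannot grant "list at the cluster scope", so as long as the informers list cluster-wide these errors persist no matter what the Role contains, which is exactly why a namespace-scope option in the application is needed.

```python
"""Derive namespaced RBAC rules from client-go "is forbidden" log lines.

Added example, not Capacitor project code. SAMPLE_LOG is constructed to
mirror the reflector errors in the issue; the secrets line is invented.
"""
import re
from collections import OrderedDict

# Denial text the API server returns and client-go surfaces unchanged:
#   User "<subject>" cannot <verb> resource "<res>" in API group "<grp>"
#   at the cluster scope | in the namespace "<ns>"
FORBIDDEN_RE = re.compile(
    r'User "(?P<subject>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

SAMPLE_LOG = r'''
W1129 13:26:32.502906 1 reflector.go:561] reflector.go:243: failed to list *v1.Event: events is forbidden: User "system:serviceaccount:ubly7356-free:capacitor" cannot list resource "events" in API group "" at the cluster scope
E1129 13:26:32.503107 1 reflector.go:158] "Unhandled Error" err="reflector.go:243: Failed to watch *v1.Event: failed to list *v1.Event: events is forbidden: User \"system:serviceaccount:ubly7356-free:capacitor\" cannot list resource \"events\" in API group \"\" at the cluster scope" logger="UnhandledError"
W1129 13:26:39.349203 1 reflector.go:561] reflector.go:243: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ubly7356-free:capacitor" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
W1129 13:26:47.580034 1 reflector.go:561] reflector.go:243: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:ubly7356-free:capacitor" cannot list resource "pods" in API group "" at the cluster scope
W1129 13:26:49.000000 1 reflector.go:561] reflector.go:243: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:ubly7356-free:capacitor" cannot list resource "secrets" in API group "" in the namespace "ubly7356-free"
I1129 13:26:50.000000 1 main.go:42] informers started
'''


def parse_denials(log_text):
    """Return unique denials as dicts; the E line duplicating a W line is folded."""
    seen = OrderedDict()
    for raw in log_text.splitlines():
        line = raw.replace('\\"', '"')  # quotes nested inside err="..." are escaped
        m = FORBIDDEN_RE.search(line)
        if not m:
            continue
        d = {
            "subject": m.group("subject"),
            "verb": m.group("verb"),
            "group": m.group("group"),
            "resource": m.group("resource"),
            "scope": m.group("namespace") or "cluster",
        }
        seen.setdefault(tuple(d.values()), d)
    return list(seen.values())


def role_rules(denials):
    """Merge denials into Role rules keyed by (apiGroup, resource).

    A reflector lists and then watches, so a denied list implies watch is
    needed as well; no other verbs are added."""
    rules = OrderedDict()
    for d in denials:
        verbs = rules.setdefault((d["group"], d["resource"]), set())
        verbs.add(d["verb"])
        if d["verb"] == "list":
            verbs.add("watch")
    return [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        for (group, resource), verbs in rules.items()
    ]


def cluster_scoped_resources(denials):
    """Resources the client requested cluster-wide. A namespaced Role cannot
    satisfy these; the client must scope its informers to the namespace."""
    return sorted(
        f'{d["resource"]}.{d["group"]}' if d["group"] else d["resource"]
        for d in denials
        if d["scope"] == "cluster"
    )


def _q(s):
    return f'"{s}"'


def render_role(namespace, name, rules):
    """Render a rbac.authorization.k8s.io/v1 Role without a YAML dependency."""
    lines = [
        "apiVersion: rbac.authorization.k8s.io/v1",
        "kind: Role",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "rules:",
    ]
    for r in rules:
        lines.append(f'  - apiGroups: [{", ".join(_q(g) for g in r["apiGroups"])}]')
        lines.append(f'    resources: [{", ".join(_q(x) for x in r["resources"])}]')
        lines.append(f'    verbs: [{", ".join(_q(v) for v in r["verbs"])}]')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(render_role("ubly7356-free", "capacitor", role_rules(found)))  # name assumed
    print("still requested at cluster scope:", cluster_scoped_resources(found))
```

Run it against a real pod log (`kubectl logs` piped into the script, with `SAMPLE_LOG` swapped for stdin) to get the Role rules a namespaced deployment would need, and treat anything listed under "still requested at cluster scope" as a blocker that RBAC alone cannot clear.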
I didn't make it work with a namespace scope, but this is what I used to make it run at all on OpenShift:

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: capacitor
  namespace: flux-system
spec:
  targetNamespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  wait: true
  prune: true
  path: "./"
  sourceRef:
    kind: OCIRepository
    name: capacitor
  patches:
    - patch: |
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: all
        spec:
          template:
            spec:
              securityContext:
                $patch: delete
              containers:
                - name: capacitor
                  securityContext:
                    runAsUser: null
                    seccompProfile:
                      $patch: delete
      target:
        kind: Deployment
        name: capacitor
        namespace: flux-system
```