Cluster level admin access required to deploy OM

Open knolev opened this issue 3 years ago • 3 comments

Error: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource: podsecuritypolicies.policy "kepler-demo-open-match-redis-podsecuritypolicy" is forbidden: User "[email protected]" cannot get resource "podsecuritypolicies" in API group "policy" at the cluster scope
helm.go:81: [debug] podsecuritypolicies.policy "kepler-demo-open-match-redis-podsecuritypolicy" is forbidden: User "[email protected]" cannot get resource "podsecuritypolicies" in API group "policy" at the cluster scope
could not get information about the resource

knolev avatar Jul 20 '21 06:07 knolev

User "[email protected]" cannot get resource "podsecuritypolicies" in API group "policy" at the cluster scope could not get information about the resource

Weird, you do not even have GET rights; ask to set up RBAC for your user to have wider credentials.

Why do you call GET rights ADMIN?

I see that

  resourceNames:
  - open-match-redis-podsecuritypolicy
  verbs:
  - use

Not sure why OM needs use; maybe read is enough.

dzmitry-lahoda avatar Oct 02 '21 20:10 dzmitry-lahoda
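
A pre-flight check for the error in this issue, as an added example that is not part of the thread or the Open Match project: it scans rendered chart output for cluster-scoped objects and builds the `kubectl auth can-i` checks for the `get` and `create` requests an install makes on them. The sample manifest is constructed (only the PSP name comes from the error message above), and the function names are hypothetical.

```python
import re

# Cluster-scoped kinds -> (API group, resource). A subset; extend as needed.
CLUSTER_SCOPED = {
    "PodSecurityPolicy": ("policy", "podsecuritypolicies"),
    "ClusterRole": ("rbac.authorization.k8s.io", "clusterroles"),
    "ClusterRoleBinding": ("rbac.authorization.k8s.io", "clusterrolebindings"),
    "CustomResourceDefinition": ("apiextensions.k8s.io", "customresourcedefinitions"),
    "Namespace": ("", "namespaces"),
}

# Constructed stand-in for `helm template` output; only the PSP name is from the error.
SAMPLE = """\
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: kepler-demo-open-match-redis-podsecuritypolicy
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-sa
  namespace: example-ns
"""

def cluster_scope_needs(rendered):
    """Return sorted (api_group, resource, name) for each cluster-scoped object."""
    needs = set()
    for doc in re.split(r"(?m)^---[ \t]*$", rendered):
        kind = re.search(r"(?m)^kind:[ \t]*(\S+)", doc)
        # Simplification: metadata.name is taken as the first indented `name:` key.
        name = re.search(r"(?m)^[ \t]+name:[ \t]*(\S+)", doc)
        if kind and name and kind.group(1) in CLUSTER_SCOPED:
            needs.add(CLUSTER_SCOPED[kind.group(1)] + (name.group(1),))
    return sorted(needs)

def can_i_commands(needs):
    """Build the kubectl checks for the verbs an install uses: get, then create."""
    cmds = []
    for group, resource, name in needs:
        rtype = f"{resource}.{group}" if group else resource
        cmds.append(f"kubectl auth can-i get {rtype}/{name}")
        # create requests carry no object name in the URL, so check the type only
        cmds.append(f"kubectl auth can-i create {rtype}")
    return cmds

if __name__ == "__main__":
    for cmd in can_i_commands(cluster_scope_needs(SAMPLE)):
        print(cmd)
```

Running the printed commands as the deploying user before `helm install` shows which cluster-scoped permissions are missing, so the request to the cluster admin can name exactly those resources and verbs.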

It would be great to have the possibility to turn off resources that need verbs: ["use"], or the possibility to turn off the service-account template, because I don't have permission to use it in my k8s either. It would also be great to have the possibility to turn off podsecuritypolicy.yaml, because I don't need another one and it's under the admins' control.

RedShiba avatar Jan 10 '22 15:01 RedShiba

@RedShiba Pod Security Policy is being deprecated (see #1449) and we are in the process of migrating to Pod Security Admission (hopefully) by the next release.

@knolev it's been some time, and I'm wondering if you were able to resolve this before we begin the migration. If there are any findings that may influence things prior to the migration, we would appreciate a PR. If not, we will begin looking into the migration and see if we can resolve it there. We also have no reproduction steps to test, so if you have any we'd gladly take them.

syntxerror avatar Aug 02 '22 15:08 syntxerror

Closing due to staleness and the likelihood that podsecuritypolicy.yaml will be deleted in the future.

syntxerror avatar Sep 26 '22 15:09 syntxerror