
Unable to restrict keel to specific namespace

Open sasanknvs opened this issue 4 years ago • 2 comments

With the default setup, Keel monitors all the objects in all the namespaces. But I want to restrict that to a specific namespace. I tried to restrict it by changing the ClusterRole and ClusterRoleBinding to a Role and RoleBinding, but when I modified this, it is not showing anything in the admin dashboard.

Can anyone help out with this?

sasanknvs avatar Dec 15 '20 13:12 sasanknvs

@sasanknvs There is actually no filtering done in Keel regarding which namespace to watch for Deployments, Daemonsets and so on.

As you guessed, one should indeed rely on Using RBAC Authorization.

From what you said, I suspect that you are missing something in between. You cannot just move both ClusterRole (resp. ClusterRoleBinding) to Role (resp. RoleBinding) as-is. In order for Keel (or any other component) to list namespaced resources (with relevant Role and RoleBinding) it still needs to have access to namespaces resources, so I suggest you still keep:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: keel
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - watch
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: keel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: keel
subjects:
  - kind: ServiceAccount
    name: keel
    namespace: keel
```

nbendafi-yseop avatar Jan 27 '21 14:01 nbendafi-yseop
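The namespaced half of the setup described in the comment above, as an added example that is not part of the thread or of the Keel project's manifests: a Role and RoleBinding that grant the `keel` ServiceAccount access to workloads in one namespace only. The namespace `my-app` is a placeholder, and the resource and verb lists are assumptions to be checked against the ClusterRole shipped with the deployed Keel version.

```yaml
# Added example. Keep the namespaces-only ClusterRole/ClusterRoleBinding from
# the comment above and apply this pair in each namespace Keel may manage.
# "my-app" is a placeholder; resources and verbs below are assumptions.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: keel
  namespace: my-app            # placeholder: the one namespace to expose
rules:
  - apiGroups:
      - apps
    resources:                 # assumed workload kinds, per "Deployments, DaemonSets and so on"
      - deployments
      - daemonsets
      - statefulsets
    verbs:
      - get
      - list
      - watch
      - update                 # assumed: needed to write the new image tag
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: keel
  namespace: my-app            # the binding lives in the target namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role                   # namespaced Role, not the ClusterRole
  name: keel
subjects:
  - kind: ServiceAccount
    name: keel
    namespace: keel            # the ServiceAccount stays in Keel's own namespace
# Verify the effective permissions by impersonating the ServiceAccount:
#   kubectl auth can-i list deployments -n my-app --as system:serviceaccount:keel:keel   (expect: yes)
#   kubectl auth can-i list deployments -n default --as system:serviceaccount:keel:keel  (expect: no)
```

If the second check still answers yes, a leftover ClusterRoleBinding is granting the ServiceAccount cluster-wide access to those resources.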

https://github.com/keel-hq/keel/pull/614 This was merged recently and may be relevant to this issue.

johnsushant avatar Jun 25 '21 04:06 johnsushant