litmus icon indicating copy to clipboard operation
litmus copied to clipboard

Published 20 hours ago verified publisher icon litmuschaos

Missing RBAC on ater a new helm installation

Open yogeek opened this issue 3 years ago • 5 comments

As explained in this Slack conversation, after installing litmus-chaos from the helm chart (helm install chaos litmuschaos/litmus --namespace=litmus --create-namespace), and checking that all pods are running, loging into the UI, and waiting for the agent to be ready but it never happens because the pod workflow-controller is failing with this error :

level=fatal msg="Failed to register watch for controller config map: configmaps \"workflow-controller-configmap\" is forbidden: User \"system:serviceaccount:litmus:argo\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"litmus\""

And when I look at the chart in github, I do not see argo serviceaccount...

The logs of the worflow confirms a problem with RBAC :

2021/11/22 12:49:28 clusterrolebindings.rbac.authorization.k8s.io "argo-binding" is forbidden: user "system:serviceaccount:litmus:litmus-server-account" (groups=["system:serviceaccounts" "system:serviceaccounts:litmus" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:[""], Resources:["persistentvolumeclaims"], Verbs:["get"]}

------------------------------------------------------------------------------------------------------------------------------------------------------------------
2021/11/22 12:49:33 SOME MANIFESTS HAS NOT BEEN INSTALLED:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argo-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-cluster-role
subjects:
  - kind: ServiceAccount
    name: argo
    namespace: litmus

And after adding the missing part manually ("get" permission for "persistentvolume" to the clusterrole and creating argo-binding ClusterRoleBinding), all pods become running and I can start creating workflow successfully

yogeek avatar Nov 23 '21 17:11 yogeek

cc: @Jonsy13

uditgaurav avatar Dec 14 '21 07:12 uditgaurav

Are there any updates here? we also encountered a similar error - as if some part of the RBAC was missing

BledaiOld avatar Jan 26 '22 20:01 BledaiOld

+1

Deepak1100 avatar May 04 '22 07:05 Deepak1100

ClusterRoleBinding missed from a working setup all of a sudden. As mentioned in @yogeek post, after re-applying the ClusterRoleBinding for argo, workflow controller started working again..


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argo-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-cluster-role
subjects:
  - kind: ServiceAccount
    name: argo
    namespace: litmus

sravanthnag avatar May 05 '22 09:05 sravanthnag

Hi @sravanthnag @Deepak1100 @Bledai Can we get some setup details like k8s version, ChaosCenter version as well as would like to know If it was fresh install or upgrade.

Jonsy13 avatar May 05 '22 10:05 Jonsy13

Hi, were you able to resolve this issue?

neelanjan00 avatar Oct 18 '22 13:10 neelanjan00