As a platform team, we want to provide Chaos-Mesh as a service to our developer teams with limited privileges.
But we noticed that if a user wants to create a ChaosNetwork-Delay, not only do they need permissions in their own namespace, but also in the other related namespace, even though it's a one-way experiment (from the backend-test namespace to some-other-namespace-managed-by-other-team). Otherwise the experiment request is denied by the auth validation webhook; the webhook is checking for create/update privileges on all chaos-mesh resources in both namespaces, I guess.
Error message:
error.api.internal_server_error: admission webhook "vauth.kb.io" denied the request: <user> is forbidden on namespace ingress-nginx
But let's say, for a ChaosNetwork-Delay experiment, isn't it enough to define only create/update privileges on the podnetworkchaos.chaos-mesh.org resource for the spec.target.selector.namespaces (in that case the ingress-nginx namespace)? We observed chaos-daemon logs and chaos-mesh events in both namespaces, and as far as we can see, in the ingress-nginx namespace it only creates and updates the podnetworkchaos.chaos-mesh.org resource.
Giving the following privileges to the user in the ingress-nginx namespace solves this validation webhook problem (since admission webhooks are applied in lexical order, maybe we saw the last failed one):
But we want to give the following, because we want to allow only a one-direction networkchaos experiment; but it gives the webhook error that I shared above:
What did you expect to see?
If possible, to be able to allow only a one-direction networkchaos experiment between two different namespaces, and not give users more privileges in the target namespace.
What did you see instead?
If we want to perform a networkchaos experiment between two namespaces (only in one direction), we have to have the same privileges on both namespaces.
Output of chaosctl
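The asymmetric grant the post asks for, written out as an added example (it is not the poster's manifest, which is not reproduced on the page): full NetworkChaos rights in backend-test, and in ingress-nginx only the podnetworkchaos.chaos-mesh.org resource the post observed being created there. The subject name, Role names and exact verb lists are assumptions; per the post, the vauth.kb.io webhook in v2.6.2 still rejects experiments under this grant.

```yaml
# Added example, not the poster's manifest. Subject, Role names and verb
# lists are assumptions; the namespaces and resources come from the post.
# Source namespace: the developer may manage NetworkChaos experiments here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: chaos-experimenter
  namespace: backend-test
rules:
  - apiGroups: ["chaos-mesh.org"]
    resources: ["networkchaos", "podnetworkchaos"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chaos-experimenter
  namespace: backend-test
subjects:
  - kind: User
    name: backend-dev   # assumed subject; the post only shows <user>
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: chaos-experimenter
  apiGroup: rbac.authorization.k8s.io
---
# Target namespace: only the derived PodNetworkChaos object, no other
# chaos-mesh.org resources, so the user cannot start experiments here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: chaos-target-only
  namespace: ingress-nginx
rules:
  - apiGroups: ["chaos-mesh.org"]
    resources: ["podnetworkchaos"]
    verbs: ["get", "create", "update", "patch"]
# Bind chaos-target-only to the same subject with a RoleBinding in
# ingress-nginx shaped like the backend-test one above.
```

Each side of the grant can be checked with `kubectl auth can-i create networkchaos.chaos-mesh.org --as backend-dev -n ingress-nginx` (expected `no`) against `kubectl auth can-i create podnetworkchaos.chaos-mesh.org --as backend-dev -n ingress-nginx` (expected `yes`).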
This discussion was converted from issue #4269 on November 28, 2023 14:09.
Bug Report
What version of Kubernetes are you using?
v1.25.10
What version of Chaos Mesh are you using?
v2.6.2