Can't define users with helm install permissions for a specific namespace #463

Open
2 tasks done
shlomiarfa opened this issue Apr 9, 2024 · 1 comment
Labels
bug Something isn't working triage This bug needs triage

Comments


shlomiarfa commented Apr 9, 2024

What happened?

I am trying to set up a user that will have permissions to run Helm install/upgrade/delete on a specific namespace. (For my CI/CD system.)
For example, if the user tries to run a helm upgrade --install with --namespace=dev then it works just fine. But if they try --namespace=prod it should fail.

However, I couldn't make it work with rbac-manager, and I am getting an error that the user needs higher privileges.
The error message is: "cannot create resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope"

This is the setup I'm using:

- name: dev-user
  subjects:
    - kind: User
      name: dev@example.com
  clusterRoleBindings:
    - clusterRole: edit
  roleBindings:
    - clusterRole: admin
      namespaceSelector:
        matchExpressions:
          - { key: team, operator: In, values: [dev] }

If I change the clusterRole in clusterRoleBindings to cluster-admin, it works, but there is no restriction to a specific namespace.
The command can run on any namespace.

What did you expect to happen?

helm upgrade/install runs ok on namespace with label "dev"
helm upgrade/install fails on namespace with label "prod"

How can we reproduce this?

helm install awx-operator awx-operator/awx-operator -n dev-namespace
Error: INSTALLATION FAILED: failed to install CRD crds/customresourcedefinition-awxbackups.awx.ansible.com.yaml: 1 error occurred:
* customresourcedefinitions.apiextensions.k8s.io is forbidden: User "dev@example.com" cannot create resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

Version

awx-operator/awx-operator

Search

  • I did search for other open and closed issues before opening this.

Code of Conduct

  • I agree to follow this project's Code of Conduct

Additional context

No response

@shlomiarfa shlomiarfa added bug Something isn't working triage This bug needs triage labels Apr 9, 2024
@shlomiarfa shlomiarfa changed the title Cant define users with helm install previlded Can't define users with helm install privilege with Rbac-Manager Apr 9, 2024
@shlomiarfa shlomiarfa changed the title Can't define users with helm install privilege with Rbac-Manager Can't define users with helm install privilege Apr 9, 2024
@shlomiarfa shlomiarfa changed the title Can't define users with helm install privilege Can't define users with helm install permissions for specific namespace Apr 9, 2024
@shlomiarfa shlomiarfa changed the title Can't define users with helm install permissions for specific namespace Can't define users with helm install permissions for a specific namespace Apr 9, 2024
@sudermanjr
Member

The issue here isn't rbac-manager, but plain RBAC. To install that chart, apparently the user needs the ability to create apiextensions, and the edit role that you're providing doesn't have that access.
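A configuration sketch of the point made in the reply above, added here as an example and not taken from the issue or from the rbac-manager project: CustomResourceDefinitions are cluster-scoped, so the right to create them has to come from a ClusterRoleBinding, while everything else can stay namespaced. The names `crd-installer` and `ci-helm-dev` and the exact verb list are assumptions; the error on the page only shows `create` being denied.

```yaml
# Added example. Names marked "hypothetical" are assumptions, not from the issue.
# CRDs live at the cluster scope, so no namespaced RoleBinding can grant
# the right to create them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crd-installer              # hypothetical name
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    # Assumed verb set; add "update"/"patch" only if the pipeline must change CRDs.
    verbs: ["get", "list", "create"]
---
apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: ci-helm-dev                # hypothetical name
rbacBindings:
  - name: dev-user
    subjects:
      - kind: User
        name: dev@example.com
    clusterRoleBindings:
      # Cluster-wide grant limited to CRDs. A ClusterRoleBinding to "edit"
      # applies in every namespace, prod included, so it is not used here.
      - clusterRole: crd-installer
    roleBindings:
      # Namespaced grant: only namespaces labelled team=dev get this binding.
      - clusterRole: admin
        namespaceSelector:
          matchExpressions:
            - { key: team, operator: In, values: [dev] }
```

CRDs are shared by all namespaces, so even this narrower grant has cluster-wide effect. Where that is too broad, a cluster administrator can install the chart's CRDs once and the CI user can run Helm with `--skip-crds`.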
