ClusterRole & ClusterRoleBindings for istio-csr #224

Open
ravikumar1907 opened this issue Dec 6, 2023 · 0 comments


It is always required to have a ClusterRole and ClusterRoleBinding for the cert-manager-istio-csr deployment. I tried to convert the ClusterRole and ClusterRoleBinding into a Role and RoleBinding to have istio-csr per namespace, but things are not working as expected.

Role rules:

```yaml
rules:
  - apiGroups:
      - cert-manager.io
    resources:
      - certificaterequests
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - create
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
```

RoleBinding:

```yaml
metadata:
  name: ns1-istio-csr
  namespace: ns1
  resourceVersion: "3964"
  uid: d8f7fa1b-ef26-4726-80fd-d66bcccf7071
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ns1-istio-csr
subjects:
  - kind: ServiceAccount
    name: ns1-istio-csr
    namespace: ns1
  - kind: ServiceAccount
    name: ns1-istio-csr
    namespace: istio-system
```

istio-csr arguments adjusted to the namespace as below:

controller

```yaml
      - "--leader-election-namespace=ns1"
      - "--configmap-namespace-selector=kubernetes.io/metadata.name=ns1"
```

cert-manager

```yaml
      - "--certificate-namespace=ns1"
      - "--issuer-name=istio-ca"
      - "--issuer-kind=Issuer"
      - "--issuer-group=cert-manager.io"
      - "--preserve-certificate-requests=false"
```

Associated the service account ns1:ns1-istio-csr with the istio-csr pod, but I am still getting the errors below. Could someone help me fix this issue without cluster-scoped roles and rolebindings?

```
m:serviceaccount:ns1:ns1-istio-csr" cannot list resource "configmaps" in API group "" at the cluster scope
2023-12-06T11:56:13.077264Z error klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1.PartialObjectMetadata: failed to list *v1.PartialObjectMetadata: configmaps is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "configmaps" in API group "" at the cluster scope
2023-12-06T11:56:13.077374Z info klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "namespaces" in API group "" at the cluster scope
2023-12-06T11:56:13.077402Z error klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "namespaces" in API group "" at the cluster scope
2023-12-06T11:56:14.250575Z info klog Listing and watching *v1.PartialObjectMetadata from pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229
2023-12-06T11:56:14.251608Z info klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: failed to list *v1.PartialObjectMetadata: configmaps is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "configmaps" in API group "" at the cluster scope
2023-12-06T11:56:14.251680Z error klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1.PartialObjectMetadata: failed to list *v1.PartialObjectMetadata: configmaps is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "configmaps" in API group "" at the cluster scope
2023-12-06T11:56:14.314131Z info klog Listing and watching *v1.Namespace from pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229
2023-12-06T11:56:14.316292Z info klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "namespaces" in API group "" at the cluster scope
2023-12-06T11:56:14.316690Z error klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "namespaces" in API group "" at the cluster scope
```

@ravikumar1907 ravikumar1907 changed the title Cluster & ClusterRoleBindings for istio-csr ClusterRole & ClusterRoleBindings for istio-csr Dec 6, 2023
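The denials in the log above all end with "at the cluster scope": the controller's informers are listing configmaps and namespaces across the whole cluster, and namespaces is itself a cluster-scoped resource, so no Role in any namespace can satisfy those requests. The script below is an added example (not istio-csr or cert-manager code) that turns such klog "forbidden" lines into the narrowest RBAC object kind that could grant each one and into `kubectl auth can-i` checks that reproduce the denial by impersonating the service account. The log lines embedded in it are constructed to mirror the ones in the issue; the fourth, namespaced denial is hypothetical and only there so both scope forms the API server emits are exercised.

```python
"""Triage Kubernetes RBAC 'forbidden' log lines and derive which RBAC object
kind (Role vs ClusterRole) could satisfy each denial.

Added example for this issue, not part of cert-manager or istio-csr.  Sample
input is constructed; the namespaced certificaterequests line is hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample: lines 1-3 mirror the issue's output (same service account,
# resources and "at the cluster scope" wording, including a retry duplicate);
# line 4 is a hypothetical namespaced denial.
SAMPLE_LOG = """\
2023-12-06T11:56:13.077264Z error klog reflector.go:229: Failed to watch *v1.PartialObjectMetadata: failed to list *v1.PartialObjectMetadata: configmaps is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "configmaps" in API group "" at the cluster scope
2023-12-06T11:56:13.077402Z error klog reflector.go:229: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "namespaces" in API group "" at the cluster scope
2023-12-06T11:56:14.251680Z error klog reflector.go:229: Failed to watch *v1.PartialObjectMetadata: failed to list *v1.PartialObjectMetadata: configmaps is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "configmaps" in API group "" at the cluster scope
2023-12-06T11:56:15.000000Z error klog controller: certificaterequests.cert-manager.io is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot create resource "certificaterequests" in API group "cert-manager.io" in the namespace "ns1"
"""

# The API server's RBAC denial text ends either with 'at the cluster scope' or
# with 'in the namespace "<name>"'; the namespace group is None in the former case.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)


def parse_denials(log_text):
    """Return one dict per distinct denial, in first-seen order.  The reflector
    retries every second, so identical denials are collapsed."""
    seen, denials = set(), []
    for line in log_text.splitlines():
        m = FORBIDDEN_RE.search(line)
        if not m:
            continue
        key = (m["user"], m["verb"], m["resource"], m["group"], m["namespace"])
        if key in seen:
            continue
        seen.add(key)
        denials.append({"user": m["user"], "verb": m["verb"],
                        "resource": m["resource"], "group": m["group"],
                        "namespace": m["namespace"]})
    return denials


def required_rbac(denials):
    """Map each denial to the narrowest RBAC kind that can grant it.

    A Role is namespace-scoped and can never satisfy a request made at the
    cluster scope (an all-namespaces list/watch, or a cluster-scoped resource
    such as namespaces); those need a ClusterRole.  Namespaced denials can be
    covered by a Role in that namespace.
    Returns {kind: {(namespace_or_None, api_group, resource): set(verbs)}}.
    """
    needed = {"ClusterRole": defaultdict(set), "Role": defaultdict(set)}
    for d in denials:
        kind = "Role" if d["namespace"] else "ClusterRole"
        needed[kind][(d["namespace"], d["group"], d["resource"])].add(d["verb"])
    return {kind: dict(rules) for kind, rules in needed.items() if rules}


def to_rules(needed_for_kind):
    """Render one kind's grouped verbs as Kubernetes PolicyRule dicts, ready to
    dump as the `rules:` list of a Role or ClusterRole."""
    rules = []
    for (_ns, group, resource), verbs in sorted(needed_for_kind.items()):
        rules.append({"apiGroups": [group], "resources": [resource],
                      "verbs": sorted(verbs)})
    return rules


def can_i_commands(denials):
    """Build `kubectl auth can-i` checks that reproduce each denial without
    redeploying the pod: impersonate the service account and ask at the same
    scope the controller did (-A for cluster scope, -n <ns> for namespaced)."""
    cmds = []
    for d in denials:
        res = d["resource"] + ("." + d["group"] if d["group"] else "")
        scope = f'-n {d["namespace"]}' if d["namespace"] else "-A"
        cmds.append(f'kubectl auth can-i {d["verb"]} {res} --as={d["user"]} {scope}')
    return cmds


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for kind, needed in required_rbac(found).items():
        print(f"{kind} rules needed:")
        for rule in to_rules(needed):
            print("   ", rule)
    print("Verify with:")
    for cmd in can_i_commands(found):
        print("   ", cmd)
```

Two caveats when using this against real logs: an informer lists before it watches, so a `watch` denial only shows up once `list` has been granted, and the loop of grant, restart, re-parse has to be repeated until the log is clean; and the output is a floor, not a complete policy, since it only reflects requests the controller has already attempted.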