Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

composable manager has no rights to view or create resources #104

Open
lhriley opened this issue Feb 28, 2023 · 2 comments · May be fixed by #105
Open

composable manager has no rights to view or create resources #104

lhriley opened this issue Feb 28, 2023 · 2 comments · May be fixed by #105
Labels
question Further information is requested

Comments

@lhriley
Copy link
Contributor

lhriley commented Feb 28, 2023

Get fails:

{"level":"error","ts":1677612553.3451736,"logger":"controller.composable","msg":"Reconciler error","reconciler group":"ibmcloud.ibm.com","reconciler kind":"Composable","name":"foo","namespace":"default","error":"redisinstances.redis.cnrm.cloud.google.com \"foo\" is forbidden: User \"system:serviceaccount:composable-system:composable-controller-manager\" cannot get resource \"redisinstances\" in API group \"redis.cnrm.cloud.google.com\" in the namespace \"default\", Error finding an object reference","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"}

Create fails:

{"level":"error","ts":1677615673.8247418,"logger":"controller.composable","msg":"Reconciler error","reconciler group":"ibmcloud.ibm.com","reconciler kind":"Composable","name":"foo","namespace":"default","error":"services is forbidden: User \"system:serviceaccount:composable-system:composable-controller-manager\" cannot create resource \"services\" in API group \"\" in the namespace \"default\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"}
@lhriley lhriley linked a pull request Feb 28, 2023 that will close this issue
Open
@xvzf xvzf added the question Further information is requested label Apr 11, 2023
@xvzf
Copy link
Member

xvzf commented Apr 11, 2023

Hey @lhriley

First of all, thx a lot for your contributions!

As stated here, #105 (comment): Opening up the access for composable-operator introduces quite a few side-channel attack vectors, limiting the security of the cluster.

I'd suggest we introduce a new kustomize target, that patches in cluster wide access, so it's an explicit choice by the user rather than an implicit catch-all

@lhriley
Copy link
Contributor Author

lhriley commented Apr 11, 2023

I think that's a fair proposal. I mentioned in my reply on the PR comment about a middle ground "opt-in" approach where the end user can make the decision via values.yaml rather than have to incorporate kustomize into a workflow when they might not be using it already.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ISSUE-104 - Allow composable-manager to elevated permissions Labelbox/composable-operator
2 participants
@xvzf @lhriley