This repository was archived by the owner on Feb 22, 2022. It is now read-only.

[stable/nginx-ingress] namespace scoped installation no longer possible because of Bugfix #9636 #11033

Closed
Nuke1234 opened this issue Jan 31, 2019 · 5 comments · Fixed by #13460
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@Nuke1234

Version of Helm and Kubernetes:
Client: &version.Version{SemVer:"v2.10.0", GitCommit:"9ad53aac42165a5fadc6c87be0dea6b115f93090", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.10.0", GitCommit:"9ad53aac42165a5fadc6c87be0dea6b115f93090", GitTreeState:"clean"}

Kubernetes version 1.11

Which chart:

stable/nginx-ingress

What happened:

I tried to install the nginx-ingress controller namespaced, where helm is also restricted to this namespace and does not have permissions to create cluster roles and cluster role bindings.

Error: release event-gateway-nginx failed: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:event-gateway:tiller" cannot create clusterroles.rbac.authorization.k8s.io at the cluster scope

#9636 introduced a cluster role and cluster role binding for a scoped nginx ingress. This prohibits installing nginx-ingress in an RBAC-enabled cluster where the helm service account is also limited to a certain namespace.

What you expected to happen:
I expected that the installation of nginx-ingress when scoped doesn't need a service account which has cluster admin rights.

How to reproduce it (as minimally and precisely as possible):
install a tiller with a service account scoped to one namespace
install the stable/nginx ingress controller

Anything else we need to know:


MV-SH commented Feb 18, 2019

The latest chart version 1.3.1 still has this problem - after #9636, the scoped deployment can no longer be finished without having authorization for cluster role deployments, which defies the purpose of having scoped deployment in the first place.
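
A pre-flight check for the failure reported in this issue, as an added example that is not part of the original thread or the chart: it scans rendered manifests for cluster-scoped RBAC objects before they are handed to a namespace-restricted Tiller. The function names and the sample manifests are constructed for illustration.

```shell
# Added example; helper names are hypothetical, sample data is constructed.
# Print "Kind/name" for each cluster-scoped RBAC object in a YAML stream on stdin.
cluster_scoped_rbac() {
  awk '
    function emit() {
      if (kind == "ClusterRole" || kind == "ClusterRoleBinding")
        print kind "/" name
      kind = ""; name = ""; in_meta = 0
    }
    /^---/       { emit(); next }        # document separator
    /^kind:/     { kind = $2; next }     # top-level kind only, not roleRef.kind
    /^metadata:/ { in_meta = 1; next }
    /^[^ #]/     { in_meta = 0 }         # any other top-level key ends metadata
    in_meta && /^  name:/ && name == "" { name = $2 }
    END          { emit() }
  '
}
# Return 1 if the render needs permissions a namespace-scoped Tiller lacks.
preflight() {
  found=$(cluster_scoped_rbac)
  [ -z "$found" ] && return 0
  printf 'cluster-scoped RBAC objects in render:\n%s\n' "$found" >&2
  return 1
}
# Constructed sample: a "scoped" render that still carries cluster-level RBAC.
sample_manifests() {
  cat <<'EOF'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: example-nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: example-nginx-ingress
  namespace: event-gateway
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: example-nginx-ingress
roleRef:
  kind: ClusterRole
  name: example-nginx-ingress
EOF
}
sample_manifests | preflight || echo "preflight: blocked, as expected for this sample"
```

Feed the function the chart's rendered output (for example from `helm template`) in place of the sample. On a live cluster, `kubectl auth can-i create clusterroles --as=system:serviceaccount:event-gateway:tiller` asks the API server the same question for the service account named in the error above.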


stale bot commented Mar 20, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

stale bot added the lifecycle/stale label Mar 20, 2019

MV-SH commented Mar 20, 2019

Well, there hasn't been much activity on this issue from the Helm charts side, so just as a follow-up, this seems to have been fixed upstream in kubernetes/ingress-nginx#3887

Therefore, the cluster level roles added in #9636 should not be needed anymore and everything can get back to normal.

stale bot removed the lifecycle/stale label Mar 20, 2019

stale bot commented Apr 19, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.


stale bot commented May 4, 2019

This issue is being automatically closed due to inactivity.

stale bot closed this as completed May 4, 2019