RBAC rules needed for running as pod/daemonset #25

Closed
dims opened this issue Mar 22, 2018 · 3 comments · Fixed by #55

Comments

dims commented Mar 22, 2018

From @dims on January 15, 2018 20:0

hack we can use for now is ... we need a better way

# Hack for RBAC for all for the new cloud-controller process, we need to do better than this
cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:default kube-system-cluster-admin-1 --clusterrole cluster-admin
cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:pvl-controller kube-system-cluster-admin-2 --clusterrole cluster-admin
cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:cloud-node-controller kube-system-cluster-admin-3 --clusterrole cluster-admin
cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:cloud-controller-manager kube-system-cluster-admin-4 --clusterrole cluster-admin
cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:shared-informers kube-system-cluster-admin-5 --clusterrole cluster-admin
cluster/kubectl.sh create clusterrolebinding --user system:kube-controller-manager  kube-system-cluster-admin-6 --clusterrole cluster-admin
cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:attachdetach-controller kube-system-cluster-admin-7 --clusterrole cluster-admin
cluster/kubectl.sh set subject clusterrolebinding system:node --group=system:nodes

Copied from original issue: dims/openstack-cloud-controller-manager#12

dims commented Mar 22, 2018

From @arthur0 on January 31, 2018 13:31

I would like to work on it.

dims commented Mar 22, 2018

The following logs are from openstack-cloud-controller-manager

   1552  nodes is forbidden: User "system:serviceaccount:kube-system:shared-informers" cannot list nodes at the cluster scope
   1552  persistentvolumes is forbidden: User "system:serviceaccount:kube-system:pvl-controller" cannot list persistentvolumes at the cluster scope
   1552  services is forbidden: User "system:serviceaccount:kube-system:shared-informers" cannot list services at the cluster scope
    317 serviceaccount:kube-system:cloud-node-controller" cannot list nodes at the cluster scope
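
Added example (not code from this issue or from the project): a Python script that turns the `forbidden` lines quoted above into one narrowly scoped ClusterRole and ClusterRoleBinding per service account, as an alternative to binding each account to `cluster-admin`. The `ccm-minimal-` name prefix is hypothetical, and every resource is assumed to live in the core API group.

```python
import re
from collections import defaultdict

# Denial lines as quoted in the issue (count prefix included). The last line
# is truncated on the page and must not produce a rule.
SAMPLE_LOG = '''\
   1552  nodes is forbidden: User "system:serviceaccount:kube-system:shared-informers" cannot list nodes at the cluster scope
   1552  persistentvolumes is forbidden: User "system:serviceaccount:kube-system:pvl-controller" cannot list persistentvolumes at the cluster scope
   1552  services is forbidden: User "system:serviceaccount:kube-system:shared-informers" cannot list services at the cluster scope
    317 serviceaccount:kube-system:cloud-node-controller" cannot list nodes at the cluster scope
'''

DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^:"]+)" '
    r'cannot (?P<verb>\w+) (?P<resource>[\w.]+) at the cluster scope')

def collect_denials(log_text):
    """Map (namespace, serviceaccount) -> {verb: set(resources)} from denial lines."""
    needed = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:  # incomplete lines carry no trustworthy subject, so they are skipped
            needed[(m["ns"], m["sa"])][m["verb"]].add(m["resource"])
    return needed

def render_manifest(ns, sa, verbs, prefix="ccm-minimal"):
    """Render a ClusterRole plus binding granting only the denied verb/resource pairs.
    Assumption: every resource is in the core API group (true for the three seen here)."""
    name = f"{prefix}-{sa}"  # hypothetical naming scheme
    rules = "".join(
        f'- apiGroups: [""]\n  resources: [{", ".join(sorted(res))}]\n  verbs: [{verb}]\n'
        for verb, res in sorted(verbs.items()))
    return (
        "apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\n"
        f"metadata:\n  name: {name}\nrules:\n{rules}---\n"
        "apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\n"
        f"metadata:\n  name: {name}\n"
        f"roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: {name}\n"
        f"subjects:\n- kind: ServiceAccount\n  name: {sa}\n  namespace: {ns}\n")

if __name__ == "__main__":
    for (ns, sa), verbs in sorted(collect_denials(SAMPLE_LOG).items()):
        print(render_manifest(ns, sa, verbs), end="---\n")
```

Only the verb/resource pairs that appear in denials are granted, so rerun it as further denials (for example for `watch`) show up in the logs.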

dims commented Mar 22, 2018

getting the ball rolling here - kubernetes/kubernetes#59945
