Description
What happened:
In the development environment, the RBAC permissions that Crossplane needs cannot be applied with the ServiceAccount that was created by the openmcp-operator.
It seems that Crossplane needs cluster-admin privileges to install certain resources. The ServiceAccount that Flux uses to install Crossplane on the MCP has the following ClusterRoleBinding.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    gardener.clusters.openmcp.cloud/managed-by-name: mcp-ikvo63bktcwpu4awol7g2vnyoyenaox4clgqwm55s2xufwak6c7a
    gardener.clusters.openmcp.cloud/managed-by-namespace: ob-default
  name: openmcp:h6accw642gog4yrpcyljiykktt7d7e27morlg6wloxskxc6mcrwa:0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openmcp:h6accw642gog4yrpcyljiykktt7d7e27morlg6wloxskxc6mcrwa:0
subjects:
- kind: ServiceAccount
  name: h6accw642gog4yrpcyljiykktt7d7e27morlg6wloxskxc6mcrwa
  namespace: accessrequests
```

FYI: This does not happen in the local development environment with cluster-provider-kind, because with cluster-provider-kind the controller gets the cluster-admin kubeconfig returned.
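As an added example that is not part of this issue or of the openmcp project, the following Python script checks a ClusterRole's rules against the permissions an installation needs, which is the check that surfaces the gap described above. The rules and the Crossplane permission list are constructed assumptions, since the issue shows only the binding, not the bound ClusterRole.

```python
# Added example (not code from the openmcp-operator issue or project): an
# offline check of whether a ClusterRole's rules cover the verbs/resources an
# installation needs. The rules below are a constructed stand-in for the
# openmcp:...:0 ClusterRole, whose contents the issue does not show.

def _matches(values, wanted):
    # RBAC treats "*" as "anything"; otherwise the value must appear literally
    # (the core API group is the empty string "").
    return "*" in values or wanted in values

def rule_allows(rule, group, resource, verb):
    """True if one PolicyRule grants `verb` on `resource` in `group`."""
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))

def missing_permissions(rules, required):
    """Return the (apiGroup, resource, verb) triples in `required` that no rule grants."""
    return [need for need in required
            if not any(rule_allows(rule, *need) for rule in rules)]

# Constructed: a restricted role of the kind a cluster operator might hand out.
RESTRICTED_RULES = [
    {"apiGroups": [""], "resources": ["namespaces", "secrets", "configmaps",
                                       "serviceaccounts"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    {"apiGroups": ["apiextensions.k8s.io"],
     "resources": ["customresourcedefinitions"], "verbs": ["get", "list", "watch"]},
]
CLUSTER_ADMIN_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

# Assumed subset of what installing Crossplane needs: it creates CRDs, RBAC
# objects and Deployments, and creating a ClusterRole that grants permissions
# the creator does not itself hold requires the "escalate" verb.
CROSSPLANE_NEEDS = [
    ("apiextensions.k8s.io", "customresourcedefinitions", "create"),
    ("rbac.authorization.k8s.io", "clusterroles", "create"),
    ("rbac.authorization.k8s.io", "clusterroles", "escalate"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"),
    ("pkg.crossplane.io", "providers", "create"),
    ("apps", "deployments", "create"),
    ("", "serviceaccounts", "create"),
]

if __name__ == "__main__":
    for need in missing_permissions(RESTRICTED_RULES, CROSSPLANE_NEEDS):
        print("missing:", need)
```

On a live cluster the same question is answered by `kubectl auth can-i --list --as=system:serviceaccount:accessrequests:<sa-name>`, which lists what the bound role actually permits for that ServiceAccount.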
What you expected to happen:
In a production-like environment as well as in a local environment using cluster-provider-kind, the flow should be the same.
The Service Account should have the necessary permissions to create all Crossplane-related resources.
How to reproduce it (as minimally and precisely as possible):
tbd
Anything else we need to know:
NONE
Environment:
Development environment