From d1d409b3745923d86cb4fde32e5b015ddd361388 Mon Sep 17 00:00:00 2001
From: Anthony Lin
Date: Mon, 29 Jan 2018 15:15:40 +0000
Subject: [PATCH] Update RBAC rules for Armada API
We are getting the following errors [0] while using the Armada Client to execute 'Armada Apply'
This patch set is meant to grant watch/get/list rights to armada-api
[0] Error messages:
armada.exceptions.api_exceptions.ClientError: Error - received 500: {"message": "Failed to apply manifest: (403)\nReason: Forbidden\nHTTP response headers: HTTPHeaderDict({'X-Content-Type-Options': 'nosniff', 'Content-Length': '243', 'Content-Type': 'application/json', 'Date': 'Sat, 27 Jan 2018 19:26:09 GMT'})\nHTTP response body: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"pods is forbidden: User \\\\\"system:serviceaccount:ucp:armada-api\\\\\" cannot watch pods at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"kind\":\"pods\"},\"code\":403}\\n'\n", "type": "error", "retry": false}
Change-Id: I71c23021c08fc4c79f2f33d71c140e23987160fe
---
 charts/armada/templates/deployment-api.yaml | 31 +++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/charts/armada/templates/deployment-api.yaml b/charts/armada/templates/deployment-api.yaml
index b8f2e337..e2b18e77 100644
--- a/charts/armada/templates/deployment-api.yaml
+++ b/charts/armada/templates/deployment-api.yaml
@@ -22,6 +22,37 @@ limitations under the License.
 {{- $serviceAccountName := "armada-api" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: armada-api-runner
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ - nodes/proxy
+ - services
+ - endpoints
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: run-armada-api
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: armada-api-runner
+ apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: apps/v1beta1
 kind: Deployment
 metadata:
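Review bot: The new ClusterRole `armada-api-runner` grants get/list/watch on `nodes/proxy` at cluster scope, but the 403 quoted in the commit message only shows `armada-api` being denied `watch` on `pods`; `nodes/proxy` is a sensitive subresource (read access through it reaches the kubelet API via the API server proxy), so it should be removed from `resources` unless a specific Armada call that needs it is identified, and the same justification is worth recording in a comment for `nodes`, `services` and `endpoints`. The ClusterRole and ClusterRoleBinding names are fixed (`armada-api-runner`, `run-armada-api`) while the subject is templated with `{{ .Release.Namespace }}`, so a second release of this chart in another namespace will clash on these cluster-scoped objects; prefixing both names with the release, e.g. `name: {{ .Release.Name }}-armada-api-runner` and the matching `roleRef.name`, avoids that. `rbac.authorization.k8s.io/v1` has been available since Kubernetes 1.8 and `v1beta1` is deprecated, so the two new objects could use `v1` if the chart's minimum supported cluster version allows it.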