Update RBAC rules for Armada API
We are getting the following errors [0] while using the Armada Client to execute 'Armada Apply'. This patch set is meant to grant watch/get/list rights to armada-api. [0] Error messages: armada.exceptions.api_exceptions.ClientError: Error - received 500: {"message": "Failed to apply manifest: (403)\nReason: Forbidden\nHTTP response headers: HTTPHeaderDict({'X-Content-Type-Options': 'nosniff', 'Content-Length': '243', 'Content-Type': 'application/json', 'Date': 'Sat, 27 Jan 2018 19:26:09 GMT'})\nHTTP response body: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"pods is forbidden: User \\\\\"system:serviceaccount:ucp:armada-api\\\\\" cannot watch pods at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"kind\":\"pods\"},\"code\":403}\\n'\n", "type": "error", "retry": false} Change-Id: I71c23021c08fc4c79f2f33d71c140e23987160fe
parent
146cf2f9e6
commit
d1d409b374
|
@ -22,6 +22,37 @@ limitations under the License.
|
|||
{{- $serviceAccountName := "armada-api" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: armada-api-runner
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes
|
||||
- nodes/proxy
|
||||
- services
|
||||
- endpoints
|
||||
- pods
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: run-armada-api
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $serviceAccountName }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: armada-api-runner
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: apps/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
|
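Review bot: The new `armada-api-runner` ClusterRole grants more than the failure quoted in the commit message calls for: the 403 is only `cannot watch pods at the cluster scope`, yet the rule also gives cluster-wide `get`/`list`/`watch` on `nodes`, `nodes/proxy`, `services` and `endpoints`. `nodes/proxy` deserves the closest look, because requests made through it reach each kubelet's API via the API server and are authorized only as `nodes/proxy`, not against the namespaced resources they touch. Unless Armada is shown to need the other entries, I would reduce the list to `resources:` / `- pods` and add further resources only as concrete 403s appear, with a comment above the rule recording which Armada operation requires each one. Separately, `armada-api-runner` and `run-armada-api` are fixed cluster-scoped names, so a second release of this chart in another namespace would presumably collide with them; prefixing both with `{{ .Release.Name }}` would avoid that.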