Cannot preview RBAC resources when user is not a cluster admin #2962
Comments
Hi @ChristianRaoulis, this is a known issue with the v3 Chart resource, specifically #2227. We're currently working on a v4 Chart which will address this and many other issues #2847 -- please stay tuned!
I would suggest using

Even if roles were created before bindings, the role wouldn't actually exist during preview and so the preview logic would need to be special-cased. Typically, Kubernetes accepts

Update: I am able to repro the issue when I use a non-admin account. Here's how:

```yaml
# admin.yaml - grant 'admin' role to 'myuser' in 'default' namespace, to be able to create bindings.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myuser-default-admin
  namespace: default
subjects:
- kind: User
  name: myuser
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
```

```yaml
# rabbitmq.yaml - grant 'foobar' role (non-existent) to 'rabbitmq' in 'default' namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rabbitmq-foobar
  namespace: default
subjects:
- kind: ServiceAccount
  name: rabbitmq
  namespace: default
roleRef:
  kind: ClusterRole
  name: foobar
  apiGroup: rbac.authorization.k8s.io
```
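The repro above fails for `myuser` but not for a cluster admin because of the escalation check the Kubernetes API server runs when a RoleBinding is created. The following is an added example that models that decision order; it is not code from Pulumi or Kubernetes, every type and function name in it is hypothetical, and rule matching is reduced to exact strings plus `*`.

```typescript
// Simplified model of the API server's escalation check on RoleBinding create.
// Added example: all names are hypothetical; matching is exact string or "*".
type Rule = { apiGroups: string[]; resources: string[]; verbs: string[] };
type User = { name: string; groups: string[]; rules: Rule[]; bindOn: string[] };
type Decision = "allowed" | "not-found" | "forbidden";

function has(list: string[], item: string): boolean {
  return list.indexOf("*") !== -1 || list.indexOf(item) !== -1;
}

// True when some rule held by the user grants this (group, resource, verb) triple.
function grants(held: Rule[], group: string, resource: string, verb: string): boolean {
  return held.some((r) => has(r.apiGroups, group) && has(r.resources, resource) && has(r.verbs, verb));
}

// True when every permission in `wanted` is already held by the user.
function covers(held: Rule[], wanted: Rule[]): boolean {
  return wanted.every((w) =>
    w.apiGroups.every((g) => w.resources.every((res) => w.verbs.every((v) => grants(held, g, res, v)))));
}

function checkBinding(user: User, roleName: string, existingRoles: { [name: string]: Rule[] }): Decision {
  // 1. Members of system:masters bypass the check entirely.
  if (user.groups.indexOf("system:masters") !== -1) return "allowed";
  // 2. The "bind" verb on the referenced role is authorized by name; the role is never looked up.
  if (has(user.bindOn, roleName)) return "allowed";
  // 3. Otherwise the role's rules must be resolved, which fails when the role does not
  //    exist yet (the case in a preview that plans to create the role in the same run).
  const wanted = existingRoles[roleName];
  if (wanted === undefined) return "not-found";
  // 4. The requester must already hold every permission the role grants.
  return covers(user.rules, wanted) ? "allowed" : "forbidden";
}

// Constructed sample data based on the repro: 'myuser' holds some rules but no "bind" verb.
const myuser: User = {
  name: "myuser", groups: [], bindOn: [],
  rules: [{ apiGroups: [""], resources: ["secrets"], verbs: ["get", "update"] }],
};
const clusterAdmin: User = { name: "root", groups: ["system:masters"], rules: [], bindOn: [] };
const secretsRole: Rule[] = [{ apiGroups: [""], resources: ["secrets"], verbs: ["get", "update"] }];

console.log(checkBinding(myuser, "foobar", {}));       // role missing, lookup fails
console.log(checkBinding(clusterAdmin, "foobar", {})); // bypasses the lookup
console.log(checkBinding(myuser, "service-account-role", { "service-account-role": secretsRole }));
```

In a real cluster the step 2 grant is the `bind` verb on `roles` or `clusterroles`; scoping it with `resourceNames` to the specific role keeps it from becoming a general escalation path.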
I see two possible improvements here:
@ChristianRaoulis I notice that the resource URN has an unusual value:
It seems like a
Is there a time horizon when Chart V4 will be usable? Days, weeks, months?
Thank you :)
Confirmed 👍
I passed the namespace to the chart using the
@ChristianRaoulis the new Chart v4 resource is ready for beta testing if you'd like to try it out! Feel free to reach out via email (in my GH profile) or in the Pulumi community Slack if that's something you're interested in.
I do not think that Chart v4 will solve this issue, because the problem isn't related to ordering, it is due to the special case behavior of
I can confirm that. I ran into the role not found error again but this time with a role that I create myself in the same preview.

```typescript
import * as k8s from "@pulumi/kubernetes";

const { Role, RoleBinding } = k8s.rbac.v1;
const { ServiceAccount } = k8s.core.v1;

// `namespace` is a Namespace resource defined elsewhere in the program.
// Role created in the same preview as the binding that references it.
const role = new Role('role', {
    metadata: {
        name: 'service-account-role',
        namespace: namespace.metadata.name,
    },
    rules: [
        {
            apiGroups: [""],
            resources: [
                "secrets",
            ],
            verbs: [
                "get",
                "update",
            ],
        },
    ],
});
const serviceAccount = new ServiceAccount("service-account", {
    metadata: {
        name: "service1",
        namespace: namespace.metadata.name,
    },
});
// Binding whose roleRef points at the role above, which does not exist yet during preview.
const roleBinding = new RoleBinding('role-binding', {
    metadata: {
        name: 'role-binding',
        namespace: namespace.metadata.name,
    },
    roleRef: {
        apiGroup: "rbac.authorization.k8s.io",
        kind: "Role",
        name: role.metadata.name,
    },
    subjects: [
        {
            kind: "ServiceAccount",
            name: serviceAccount.metadata.name,
        },
    ],
}, {parent: serviceAccount});
```

Is there any workaround I could use for now?
What happened?
I'm trying to deploy the RabbitMQ Helm Chart of Bitnami using the `helm.v3.Chart` class but for some reason pulumi tried to create a `RoleBinding` before the `Role` is created.
Relevant log from `pulumi preview`:
Example
Output of `pulumi about`
Additional context
No response