
Permission to create namespaces through RBAC. However, the error report does not have permission #4397

Open
15918594535 opened this issue Apr 18, 2024 · 1 comment

Comments

@15918594535

Bug Report

What version of Kubernetes are you using?
[root@devops-jenkins-slave01 chaos-mesh]# kubectl version --short
Client Version: v1.14.10
Server Version: v1.18.8-aliyun.1

What version of Chaos Mesh are you using?
https://charts.chaos-mesh.org/chaos-mesh-2.6.2.tgz

What did you do? / Minimal Reproducible Example
helm3 install chaos-mesh chaos-mesh/ -n chaos-mesh \
  --set images.registry=amway-devops-registry-vpc.cn-shenzhen.cr.aliyuncs.com \
  --set imagePullSecrets[0].name=docker-secret \
  --set controllerManager.image.repository=devops/chaos-mesh \
  --set chaosDaemon.image.repository=devops/chaos-daemon \
  --set dashboard.image.repository=devops/chaos-dashboard \
  --set dnsServer.image=amway-devops-registry-vpc.cn-shenzhen.cr.aliyuncs.com/devops/chaos-coredns:v0.2.6 \
  --set dashboard.env.TTL_EVENT=240h \
  --set dashboard.env.TTL_EXPERIMENT=720h \
  --set dashboard.env.DATABASE_DRIVER=mysql \
  --set dashboard.env.DATABASE_DATASOURCE='chaos_admin:QWRtaW5AMTIz@tcp(rm-wz94jcure76r1438j.mysql.rds.aliyuncs.com:3306)/chao-mesh?parseTime=true' \
  --set chaosDaemon.env.DOCKER_API_VERSION=1.39 \
  --set chaosDaemon.resources.limits.cpu=500m \
  --set chaosDaemon.resources.limits.memory=1024Mi \
  --set dashboard.resources.limits.cpu=500m \
  --set dashboard.resources.limits.memory=1024Mi \
  --set controllerManager.resources.limits.cpu=500m \
  --set controllerManager.resources.limits.memory=1024Mi \
  --set controllerManager.enableFilterNamespace=true

RBAC Profiles
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: super-app
  name: account-super-app-manager-mhktq
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: super-app
  name: role-super-app-manager-mhktq
rules:
  - apiGroups: [""]
    resources: ["pods", "namespaces"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["chaos-mesh.org"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bind-super-app-manager-mhktq
  namespace: super-app
subjects:
  - kind: ServiceAccount
    name: account-super-app-manager-mhktq
    namespace: super-app
roleRef:
  kind: Role
  name: role-super-app-manager-mhktq
  apiGroup: rbac.authorization.k8s.io

Apply the secret of this RBAC, but the console reports that it does not have permissions.
The following error message is displayed:
error.api.no_cluster_privilege: jvmchaos.chaos-mesh.org is forbidden: User "system:serviceaccount:super-app:account-super-app-manager-mhktq" cannot list resource "jvmchaos" in API group "chaos-mesh.org" at the cluster scope
error.api.no_cluster_privilege: schedules.chaos-mesh.org is forbidden: User "system:serviceaccount:super-app:account-super-app-manager-mhktq" cannot list resource "schedules" in API group "chaos-mesh.org" at the cluster scope
error.api.no_cluster_privilege: workflows.chaos-mesh.org is forbidden: User "system:serviceaccount:super-app:account-super-app-manager-mhktq" cannot list resource "workflows" in API group "chaos-mesh.org" at the cluster scope
error.api.no_cluster_privilege: can't list resource in the cluster

The purpose is to control permissions through RBAC and only allow work under a specific namespace. But what should I do when I encounter this problem?
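The denials above all end in "at the cluster scope", which means the dashboard issued list requests with no namespace. A Role granted through a RoleBinding only covers requests made inside that binding's namespace, so no amount of resource wildcarding in the Role can satisfy a cluster-scoped list. The following is an added example, not Chaos Mesh or Kubernetes code: a small model of that RBAC decision, carrying the issue's own Role and subject, with a hypothetical cluster-wide binding of the same rules alongside it purely for comparison (that alternative would widen the service account's reach to every namespace, which is the opposite of what the reporter wants).

```python
"""Model of the Kubernetes RBAC decision behind the "at the cluster scope" error.

Added example, not Chaos Mesh or Kubernetes code. It models only what matters
here: a rule matches on apiGroup, resource and verb (with "*" wildcards); a
RoleBinding applies only to requests made in its own namespace; a
ClusterRoleBinding applies to every request, including cluster-scoped ones,
which are represented by the empty namespace "".
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]

    def matches(self, api_group: str, resource: str, verb: str) -> bool:
        def hit(allowed: List[str], value: str) -> bool:
            return "*" in allowed or value in allowed

        return (hit(self.api_groups, api_group)
                and hit(self.resources, resource)
                and hit(self.verbs, verb))


@dataclass
class Binding:
    """A RoleBinding (namespace set) or a ClusterRoleBinding (namespace None)."""
    subject: str
    rules: List[Rule]
    namespace: Optional[str] = None

    def applies_to(self, subject: str, request_namespace: str) -> bool:
        if subject != self.subject:
            return False
        # A RoleBinding covers only requests inside its own namespace, so a
        # cluster-scoped request (namespace "") can never match it.
        return self.namespace is None or self.namespace == request_namespace


def authorize(bindings: List[Binding], subject: str, verb: str,
              api_group: str, resource: str, namespace: str) -> bool:
    """True if any binding that applies to the request carries a matching rule."""
    for binding in bindings:
        if not binding.applies_to(subject, namespace):
            continue
        if any(rule.matches(api_group, resource, verb) for rule in binding.rules):
            return True
    return False


# The subject and Role rules exactly as posted in the issue.
SUBJECT = "system:serviceaccount:super-app:account-super-app-manager-mhktq"
ISSUE_RULES = [
    Rule([""], ["pods", "namespaces"], ["get", "watch", "list"]),
    Rule(["chaos-mesh.org"], ["*"],
         ["get", "list", "watch", "create", "delete", "patch", "update"]),
]
# What the issue actually configures: a Role bound in namespace super-app.
ROLE_BINDING_ONLY = [Binding(SUBJECT, ISSUE_RULES, namespace="super-app")]
# Hypothetical comparison only: the same rules via ClusterRole + ClusterRoleBinding.
CLUSTER_BINDING = [Binding(SUBJECT, ISSUE_RULES, namespace=None)]


def can_list_jvmchaos(bindings: List[Binding], namespace: str) -> bool:
    """namespace="" reproduces the dashboard's cluster-scoped list request."""
    return authorize(bindings, SUBJECT, "list", "chaos-mesh.org", "jvmchaos", namespace)


if __name__ == "__main__":
    print("list jvmchaos in super-app (Role)      :", can_list_jvmchaos(ROLE_BINDING_ONLY, "super-app"))
    print("list jvmchaos cluster-wide (Role)      :", can_list_jvmchaos(ROLE_BINDING_ONLY, ""))
    print("list jvmchaos cluster-wide (ClusterRole):", can_list_jvmchaos(CLUSTER_BINDING, ""))
```

The same check against a live cluster is `kubectl auth can-i list jvmchaos.chaos-mesh.org --as=system:serviceaccount:super-app:account-super-app-manager-mhktq -n super-app` (expected: yes) versus the same command with `--all-namespaces` (expected: no). The namespaced Role is doing exactly what it should; the gap is that the caller is asking for a cluster-wide list, so the least-privilege fix is on the side issuing the request, not in widening the Role.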

@15918594535 (Author)

It's clearly configured here, but I feel like the permissions don't work
  - apiGroups: ["chaos-mesh.org"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
