Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to auto-setup RBAC when create OperandRequest in a namespace other than the default one #712

Open
morningspace opened this issue Jul 17, 2021 · 1 comment
Open

How to auto-setup RBAC when create OperandRequest in a namespace other than the default one #712

morningspace opened this issue Jul 17, 2021 · 1 comment
Assignees
@Daniel-Fan
Labels
kind/bug Something isn't working

Comments

@morningspace
Copy link

/kind bug

What steps did you take and what happened:
By following the docs, all operators and operands along w/ the OperandRequest objects will be deployed in the odlm namespace.

I was trying to install those stuff to another namespace, then figured out that the below settings need to be modified at first:

apiVersion: v1
data:
  namespaces: odlm,default
kind: ConfigMap
metadata:
  name: odlm-scope
  namespace: odlm

As above, I append a second namespace (default) after odlm. Apart from that, I found that I have to manually apply some RBAC settings, otherwise, ODLM will report error, such as:

E0717 09:13:32.918450       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1alpha1.Subscription: failed to list *v1alpha1.Subscription: subscriptions.operators.coreos.com is forbidden: User "system:serviceaccount:odlm:operand-deployment-lifecycle-manager" cannot list resource "subscriptions" in API group "operators.coreos.com" in the namespace "default"

What did you expect to happen:

Is there a way to setup RBAC automatically when create OperandRequest in a namespace other than the default one?

Environment:

  • ODLM version: latest
  • Minikube/KIND/OCP version: kind v0.12.0-alpha+718ede73045ce3
  • Kubernetes version: (use kubectl version): v1.21.2
  • OS (e.g. from /etc/os-release): RHEL
@ibm-ci-bot ibm-ci-bot added the kind/bug Something isn't working label Jul 17, 2021
@Daniel-Fan
Copy link
Contributor

Daniel-Fan commented Jul 17, 2021
edited
Loading

Hi @morningspace

If we directly deploy ODLM by following this doc here, ODLM does not have enough permission to automatically extend its RBAC to other namespaces.

There are two ways to do that.

  1. Install the foundational services operator including ODLM by following this docs here on OCP. those operators will coordinate with each other to manage the RBAC. Therefore, when you create ODLM's resources in other namespace. It will extend the permission of ODLM to that specific namespace.

  2. Still deploy ODLM alone on Kubernetes, but this time we will manually grant the ODLM the cluster permission to manage all the resources. I will update the docs here later, indicating how to deploy ODLM in cluster scope which could easily deploy resources in other namespace by ODLM.

@Daniel-Fan Daniel-Fan self-assigned this Jul 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Daniel-Fan Daniel-Fan

Labels
kind/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@morningspace @Daniel-Fan @ibm-ci-bot