TL;DR: Chicken-and-egg problem with RBAC - the Cloud Build account can't create roles anew or modify them; the result is that when we want to change up RBAC policies we have to manually deploy them first with my account (rrodrigu at mit.edu). Otherwise, we get an error like this:
Step #7 - "deploy-to-cluster": Error from server (Forbidden): error when creating "kubernetes/manifests/production/rbac.authorization.k8s.io_v1_role_production-deployment-statefulset-reader.yaml": roles.rbac.authorization.k8s.io is forbidden: User "[email protected]" cannot create resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "default": Required "container.roles.create" permission.
Narrative
As a cluster manager for lookit, I want to be able to deploy changes to RBAC without having to go through
Acceptance Criteria
No "forbidden" errors when deploying RBAC changes through the CI/CD pipeline
Implementation Notes
Need something like so: gcb-cluster-manager-binding.yaml

```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gcb-cluster-manager-binding
subjects:
  # Cloud IAM service account
  - kind: User
    name: [email protected]
    apiGroup: rbac.authorization.k8s.io
roleRef:
  # A ClusterRoleBinding can only reference a ClusterRole, not a namespaced Role
  kind: ClusterRole
  name: build-executor
  apiGroup: rbac.authorization.k8s.io
```
Need something like so: gcb-cluster-manager-binding.yaml (above) and cluster-manager-role.yaml.
But we may need to add other bits to the SA - it's hard to tell which permissions are being granted by gcloud and which are granted by Kubernetes itself.
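What a cluster-manager-role.yaml could look like, as an added example that is not from this issue or the lookit repository. The ClusterRole is named build-executor here only so the binding sketched above can reference it; the name, the verb list and the choice to limit escalation to namespaced Roles are assumptions. The second rule is the part that actually breaks the chicken-and-egg loop: the Kubernetes RBAC authorizer refuses to let a subject create or update a Role that carries permissions the subject does not already hold, and refuses a RoleBinding to such a Role, unless the subject has the escalate and bind verbs respectively. Those two verbs make the holder able to grant itself anything, so the grant should be reviewed like a cluster-admin grant.

```yaml
# cluster-manager-role.yaml (illustrative; not the project's own manifest)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: build-executor   # assumed name, matching the roleRef in the binding above
rules:
  # Let the Cloud Build service account manage the namespaced Roles and
  # RoleBindings that the deploy-to-cluster step applies.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Without "escalate" the API server rejects a Role whose rules exceed the
  # caller's own permissions; without "bind" it rejects a RoleBinding that
  # references such a Role. Scoped to Roles here; add "clusterroles" only if
  # the pipeline's RoleBindings reference ClusterRoles.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles"]
    verbs: ["escalate", "bind"]
```

After applying both manifests, `kubectl auth can-i create roles.rbac.authorization.k8s.io -n default --as=<service-account-email>` answers the question raised in the last note: a "yes" means the Kubernetes side is satisfied, so a remaining Forbidden error that mentions a container.* permission is coming from the GKE IAM layer (gcloud) rather than from RBAC.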