Cloudbuilder account can't create new roles #2

Open
1 task
Datamance opened this issue Apr 21, 2020 · 0 comments
bug Something isn't working

Comments

@Datamance
Contributor

Datamance commented Apr 21, 2020

TL;DR: Chicken-and-egg problem with RBAC: the Cloudbuilder account can't create roles anew or modify them; the result is that when we want to change RBAC policies we have to manually deploy them first with my (rrodrigu at mit.edu) account. Otherwise, we get an error like this:

Step #7 - "deploy-to-cluster": Error from server (Forbidden): error when creating "kubernetes/manifests/production/rbac.authorization.k8s.io_v1_role_production-deployment-statefulset-reader.yaml": roles.rbac.authorization.k8s.io is forbidden: User "[email protected]" cannot create resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "default": Required "container.roles.create" permission.

Narrative
As a cluster manager for lookit, I want to be able to deploy changes to RBAC without having to go through

Acceptance Criteria

  • No "forbidden" errors when deploying RBAC changes through the CI/CD pipeline

Implementation Notes
Need something like so:
gcb-cluster-manager-binding.yaml

# A ClusterRoleBinding may only reference a ClusterRole; since build-executor
# is a namespaced Role in "default", the binding must be a RoleBinding in that
# same namespace or the API server rejects it.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gcb-cluster-manager-binding
  namespace: default
subjects:
# Cloud IAM service account
- kind: User
  name: [email protected]
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: build-executor
  apiGroup: rbac.authorization.k8s.io

cluster-manager-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: build-executor
rules:
# Lets the bound subject read and create Role objects in "default".
# Note: RBAC escalation prevention means this account can still only create
# Roles whose permissions it already holds itself (or it needs the "escalate"
# verb on roles); "update"/"patch" would be needed to modify existing Roles.
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles"]
  verbs: ["get", "watch", "list", "create"]

But we may need to add other bits to the SA - it's hard to tell what perms are being granted by gcloud and which are granted by kubernetes itself.
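The two places the proposal above can still fail are the binding/roleRef kind pairing and Kubernetes' RBAC escalation prevention (a subject may create a Role only if it already holds every permission that Role grants, unless it has the `escalate` verb on roles). The following is an added example, not code from the lookit repository, that lints the manifests offline: it models them as dicts (the service-account name is a placeholder, and the `production-deployment-statefulset-reader` rules are a constructed stand-in for the role named in the error), checks the binding, evaluates whether the bound user can create roles, and lists the permissions the `build-executor` Role would still be missing when the pipeline tries to create that target Role.

```python
"""Offline lint for the RBAC manifests proposed in this issue (added example).

Assumptions: the subject name is a placeholder, and TARGET_ROLE is a constructed
guess at what production-deployment-statefulset-reader grants.
"""
from typing import Dict, Iterable, List, Tuple

Perm = Tuple[str, str, str]  # (apiGroup, resource, verb)

SA = "cloudbuild-sa@PLACEHOLDER-project.iam.gserviceaccount.com"  # placeholder

# RoleBinding in "default" pointing at the namespaced Role (a ClusterRoleBinding
# may only reference a ClusterRole, so that pairing would be rejected).
BINDING: Dict = {
    "kind": "RoleBinding",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "gcb-cluster-manager-binding", "namespace": "default"},
    "subjects": [{"kind": "User", "name": SA, "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "build-executor", "apiGroup": "rbac.authorization.k8s.io"},
}

ROLE: Dict = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "build-executor"},
    "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles"],
               "verbs": ["get", "watch", "list", "create"]}],
}

# Constructed stand-in for the Role the pipeline tried to create in the error above.
TARGET_ROLE: Dict = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "production-deployment-statefulset-reader"},
    "rules": [{"apiGroups": ["apps"], "resources": ["statefulsets"],
               "verbs": ["get", "list", "watch"]}],
}


def binding_errors(binding: Dict) -> List[str]:
    """Structural problems the API server would reject the binding for."""
    errors = []
    kind, ref_kind = binding["kind"], binding["roleRef"]["kind"]
    if kind == "ClusterRoleBinding" and ref_kind != "ClusterRole":
        errors.append("ClusterRoleBinding.roleRef.kind must be ClusterRole, not Role")
    if kind == "RoleBinding" and not binding["metadata"].get("namespace"):
        errors.append("RoleBinding needs metadata.namespace")
    if binding["roleRef"].get("apiGroup") != "rbac.authorization.k8s.io":
        errors.append("roleRef.apiGroup must be rbac.authorization.k8s.io")
    return errors


def _match(allowed: Iterable[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def rule_grants(rule: Dict, perm: Perm) -> bool:
    group, resource, verb = perm
    return (_match(rule.get("apiGroups", []), group)
            and _match(rule.get("resources", []), resource)
            and _match(rule.get("verbs", []), verb))


def granted(role: Dict, perm: Perm) -> bool:
    return any(rule_grants(r, perm) for r in role["rules"])


def expand(role: Dict) -> List[Perm]:
    """Enumerate the concrete (group, resource, verb) triples a role's rules name."""
    return [(g, res, v) for r in role["rules"]
            for g in r.get("apiGroups", []) for res in r.get("resources", [])
            for v in r.get("verbs", [])]


def escalation_gap(holder: Dict, target: Dict) -> List[Perm]:
    """Permissions in `target` that `holder` lacks. A non-empty list means the API
    server's escalation check would refuse `holder` creating `target`, unless
    `holder` has the `escalate` verb on roles."""
    if granted(holder, ("rbac.authorization.k8s.io", "roles", "escalate")):
        return []
    return [p for p in expand(target) if not granted(holder, p)]


def subject_can(user: str, binding: Dict, role: Dict, perm: Perm, namespace: str) -> bool:
    """True if `user` is bound to `role` in `namespace` and `role` grants `perm`."""
    bound = any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"])
    same_ns = binding["metadata"].get("namespace") == namespace == role["metadata"].get("namespace")
    return (bound and same_ns
            and binding["roleRef"]["name"] == role["metadata"]["name"]
            and granted(role, perm))


if __name__ == "__main__":
    print("binding errors:", binding_errors(BINDING))
    print("can create roles:", subject_can(SA, BINDING, ROLE,
          ("rbac.authorization.k8s.io", "roles", "create"), "default"))
    print("escalation gap vs target role:", escalation_gap(ROLE, TARGET_ROLE))
```

Running it shows the binding is well-formed and the account may create roles in `default`, but that creating the statefulset-reader Role would still be refused until `build-executor` itself holds get/list/watch on `apps/statefulsets` (or is granted `escalate`). That is the "other bits" question above made concrete: the Role the CI account creates can never grant more than the CI account already has.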

@Datamance Datamance added the bug Something isn't working label Apr 21, 2020
@Datamance Datamance self-assigned this Apr 21, 2020
@Datamance Datamance added this to the Deployment Stability milestone Sep 3, 2020
@mekline mekline moved this to Tech Debt in Issue Clusters Jan 1, 2022
No branches or pull requests

1 participant