Facing denied access to secrets
Closed this issue · 1 comments
facu-tolay commented
Modifying the values of vault-crd-helm, I updated the version of the vault-crd image to 1.9.1 to avoid the log4j vulnerability.
What happened:
The application starts crashing and restarting constantly showing the following errors:
Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. secrets is forbidden: User "system:serviceaccount:vault-crd:vault-crd-serviceaccount" cannot list resource "secrets" in API group "" at the cluster scope.
Message: secrets is forbidden: User "system:serviceaccount:vault-crd:vault-crd-serviceaccount" cannot watch resource "secrets" in API group "" at the cluster scope.
What you expected to happen:
Initialize the application correctly.
How to reproduce it:
- Change the image tag in the values:
  vaultCRD.tag | Image tag | 1.9.1
- Execute the helm upgrade command:
  helm upgrade vault-crd vault-crd/vault-crd --version 1.6.3 -f custom-values.yaml
Solution:
Add list and watch permissions to the ClusterRole resource:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
  - patch
  - update
  - delete
  - list
  - watch
Application working:
[main] de.koudingspawn.vault.VaultApplication : Starting VaultApplication v0.0.1-SNAPSHOT using Java 11.0.1
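Added example, not part of the original issue or the vault-crd chart: a check that reports which verbs from the two "forbidden" messages a ClusterRole's rules fail to grant on secrets. The rule lists are constructed from the YAML in this issue, and the function names are assumptions of this example.

```python
import json

# Constructed samples: the secrets rule before and after the fix in this issue,
# in the JSON shape found under "rules" in `kubectl get clusterrole -o json`.
RULES_BEFORE = json.loads("""[{"apiGroups": [""], "resources": ["secrets"],
  "verbs": ["get", "create", "patch", "update", "delete"]}]""")
RULES_AFTER = json.loads("""[{"apiGroups": [""], "resources": ["secrets"],
  "verbs": ["get", "create", "patch", "update", "delete", "list", "watch"]}]""")

# Verbs named in the two "forbidden" messages.
REQUIRED = frozenset({"list", "watch"})


def _matches(values, wanted):
    """RBAC list match: an exact entry or the '*' wildcard."""
    return "*" in values or wanted in values


def granted_verbs(rules, api_group="", resource="secrets"):
    """Union of verbs the rules grant on every object of api_group/resource."""
    verbs = set()
    for rule in rules:
        # A rule limited to named objects does not authorise the unfiltered,
        # cluster-wide list/watch that the error messages refer to.
        if rule.get("resourceNames"):
            continue
        if _matches(rule.get("apiGroups", []), api_group) and \
                _matches(rule.get("resources", []), resource):
            verbs.update(rule.get("verbs", []))
    return verbs


def missing_verbs(rules, required=REQUIRED):
    """Required verbs on core-group secrets that the rules do not grant."""
    have = granted_verbs(rules)
    return set() if "*" in have else set(required) - have


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(label, "missing:", sorted(missing_verbs(rules)) or "none")
```

A list or watch grant on secrets at cluster scope returns secret contents from every namespace, so the same function is useful for auditing which other roles already carry it.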
DaspawnW commented
Hi @facu-tolay,
Thanks for pointing this out. I checked and had some confusion of my own due to double projects.
I have now deprecated the old approach, and here you can find the helm chart, which should also contain the required changes: https://github.com/DaspawnW/helm-charts