Error when API scrapes PersistentVolumes when limitNamespace=true
jgchristian opened this issue · 0 comments
jgchristian commented
Hi - hit an issue deploying when scoped to just a namespace. Looks like the ServiceAccount is bound to a Role which is fine for most resource types, but PersistentVolumes are only cluster scoped (AFAIK) so require a ClusterRole and ClusterRoleBinding
Steps to reproduce
- Deployed using helm
limitNamespace: trueset inmy-values.yamlhelm --namespaceflag specified with existing namespace
- When SPA calls scrape API, 500 internal server error; logs show kubernetes error (snippet)
... cannot get resource "persistentvolumes" in API group "" at the cluster scope
Will link to a PR with a possible fix. I guess the decision is do you want to generate a ClusterRole just for PersistentVolumes or does that feel like it's sneakily breaking the 'limitNamespace' contract? Perhaps could stick this behind a different config option?