k3s-io/cluster-api-k3s

Control plane lacks sufficient permissions in tilt as of recent commits

cannonpalms opened this issue · 3 comments

The control plane controller starts successfully at 204444b but not b8a4a21 (HEAD).

It crash loops due to lacking appropriate permissions to populate the controller's informer cache.

Ex:

[manager] W0817 16:15:38.835830      14 reflector.go:424] pkg/mod/k8s.io/client-go@v0.26.1/tools/cache/reflector.go:169: failed to list *v1beta1.KThreesControlPlane: kthreescontrolplanes.controlplane.cluster.x-k8s.io is forbidden: User "system:serviceaccount:capi-k3s-control-plane-system:default" cannot list resource "kthreescontrolplanes" in API group "controlplane.cluster.x-k8s.io" at the cluster scope

control plane ClusterRole as of b8a4a21:

Name:         capi-k3s-control-plane-manager-role
Labels:       app.kubernetes.io/managed-by=tilt
cluster.x-k8s.io/provider=control-plane-k3s
clusterctl.cluster.x-k8s.io=
Annotations:  <none>
PolicyRule:
Resources                                         Non-Resource URLs  Resource Names  Verbs
---------                                         -----------------  --------------  -----
configmaps                                        []                 []              [create delete get list patch update watch]
events                                            []                 []              [create delete get list patch update watch]
secrets                                           []                 []              [create delete get list patch update watch]
kthreesconfigs.bootstrap.cluster.x-k8s.io/status  []                 []              [create delete get list patch update watch]
kthreesconfigs.bootstrap.cluster.x-k8s.io         []                 []              [create delete get list patch update watch]
clusters.cluster.x-k8s.io/status                  []                 []              [get list watch]
clusters.cluster.x-k8s.io                         []                 []              [get list watch]
machines.cluster.x-k8s.io/status                  []                 []              [get list watch]
machines.cluster.x-k8s.io                         []                 []              [get list watch]
machinepools.exp.cluster.x-k8s.io/status          []                 []              [get list watch]
machinepools.exp.cluster.x-k8s.io                 []                 []              [get list watch]

ClusterRole as of 204444b:

Name:         capi-k3s-control-plane-manager-role
Labels:       app.kubernetes.io/managed-by=tilt
cluster.x-k8s.io/provider=control-plane-k3s
clusterctl.cluster.x-k8s.io=
Annotations:  <none>
PolicyRule:
Resources                          Non-Resource URLs  Resource Names  Verbs
---------                          -----------------  --------------  -----
*.bootstrap.cluster.x-k8s.io       []                 []              [create delete get list patch update watch]
machines.cluster.x-k8s.io/status   []                 []              [create delete get list patch update watch]
machines.cluster.x-k8s.io          []                 []              [create delete get list patch update watch]
*.controlplane.cluster.x-k8s.io    []                 []              [create delete get list patch update watch]
*.infrastructure.cluster.x-k8s.io  []                 []              [create delete get list patch update watch]
secrets                            []                 []              [create get list patch update watch]
events                             []                 []              [create get list patch watch]
clusters.cluster.x-k8s.io/status   []                 []              [get list watch]
clusters.cluster.x-k8s.io          []                 []              [get list watch]

This is the issue.

@ekarlso @zawachte Looks like 7f5c26d inadvertently ripped out pieces of the control plane's ClusterRole.

I don't see //+kubebuilder:rbac:... markers in the control plane controller, so I think that if the (rbac) manifests were regenerated from source in this commit, it would have had this effect.

That's what I believe would be the proper resolution here: add the missing kubebuilder markers to the control plane controller.
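The RBAC check behind the crash loop, as an added example (not code from cluster-api-k3s): the two ClusterRoles from the describe output above are transcribed into rule sets and evaluated with Kubernetes' wildcard semantics against what the kthreescontrolplanes informer needs. The PolicyRule type is a local stand-in for the rbac/v1 type, and the kubebuilder marker quoted in a comment is the form the proposed fix would take, not one taken from the repository.

```go
package main

import "fmt"

// PolicyRule holds the rbac.authorization.k8s.io/v1 PolicyRule fields that govern API-resource access.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
// Permission is one (group, resource, verb) triple that a controller's informer needs.
type Permission struct{ Group, Resource, Verb string }
// matches follows RBAC semantics: "*" grants everything, otherwise the value must match exactly.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allows reports whether any rule in the role grants p (group, resource and verb must all match).
func Allows(rules []PolicyRule, p Permission) bool {
	for _, r := range rules {
		if matches(r.APIGroups, p.Group) && matches(r.Resources, p.Resource) && matches(r.Verbs, p.Verb) {
			return true
		}
	}
	return false
}
var all = []string{"create", "delete", "get", "list", "patch", "update", "watch"}
// Rules transcribed from the two describe tables in the issue (core-group rules omitted). At b8a4a21 no
// rule names the controlplane.cluster.x-k8s.io group; at 204444b "*.controlplane..." is resources "*".
var RulesB8a4a21 = []PolicyRule{
	{[]string{"bootstrap.cluster.x-k8s.io"}, []string{"kthreesconfigs", "kthreesconfigs/status"}, all},
	{[]string{"cluster.x-k8s.io"}, []string{"clusters", "clusters/status", "machines", "machines/status"}, []string{"get", "list", "watch"}},
}
var Rules204444b = []PolicyRule{
	{[]string{"controlplane.cluster.x-k8s.io", "bootstrap.cluster.x-k8s.io", "infrastructure.cluster.x-k8s.io"}, []string{"*"}, all},
	{[]string{"cluster.x-k8s.io"}, []string{"clusters", "clusters/status"}, []string{"get", "list", "watch"}},
}
// Required mirrors an illustrative marker: +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=kthreescontrolplanes,verbs=get;list;watch
var Required = []Permission{
	{"controlplane.cluster.x-k8s.io", "kthreescontrolplanes", "get"},
	{"controlplane.cluster.x-k8s.io", "kthreescontrolplanes", "list"},
	{"controlplane.cluster.x-k8s.io", "kthreescontrolplanes", "watch"},
}

func main() {
	for _, p := range Required { // "list" is the verb the reflector in the log line was denied
		fmt.Printf("%s %s: b8a4a21=%v 204444b=%v\n", p.Verb, p.Resource, Allows(RulesB8a4a21, p), Allows(Rules204444b, p))
	}
}
```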

closing with #46