RBAC needed for namespaced deployment

Question

RBAC needed for namespaced deployment

tcordeu opened this issue a year ago · 3 comments

Hello, I deployed the helm-controller using the latest artifact:
curl -Ls https://github.com/k3s-io/helm-controller/releases/download/v0.14.0/deploy-namespaced.yaml | kubectl apply -f - and the deployment is showing the following error:

E0523 17:26:15.395364       1 leaderelection.go:330] error retrieving resource lock helm-controller/helm-controller-lock: configmaps "helm-controller-lock" is forbidden: User "system:serviceaccount:helm-controller:default" cannot get resource "configmaps" in API group "" in the namespace "helm-controller"
E0523 17:26:17.824670       1 leaderelection.go:330] error retrieving resource lock helm-controller/helm-controller-lock: configmaps "helm-controller-lock" is forbidden: User "system:serviceaccount:helm-controller:default" cannot get resource "configmaps" in API group "" in the namespace "helm-controller"
E0523 17:26:21.779472       1 leaderelection.go:330] error retrieving resource lock helm-controller/helm-controller-lock: configmaps "helm-controller-lock" is forbidden: User "system:serviceaccount:helm-controller:default" cannot get resource "configmaps" in API group "" in the namespace "helm-controller"

Am I missing the RBAC setup?

Thanks,
Thomas.

Answer 1 · 2023-05-23T17:38:38.000Z

Yeah, neither manifest contains the necessary RBAC. We should probably add some.

This project is mostly used embedded within k3s and rke2, so the standalone deployment files are kind of sparse.

Answer 2 · 2023-05-23T17:43:00.000Z

@brandond Thanks for the response! Do you have any examples/docs on the permissions needed so that I can work from there?

Answer 3 · 2023-05-23T17:58:38.000Z

in most scenarios we just bind it to an admin account, since it will usually need access to everything in order to create/update/delete whatever resources may be specified in helm charts. You might be able to dig some examples out of the test harness?