kubernetes-sigs/sig-storage-lib-external-provisioner

ServiceAccount for provisioner requires "update" verb on "endpoint" resources

rajch opened this issue · 6 comments

rajch commented

In the past, I have seen provisioners run successfully with a ServiceAccount bound to either of the following two ClusterRoles:

  • system:persistent-volume-provisioner
  • system:controller:persistent-volume-binder

However, the controller seems to want permissions to the "update" verb on "endpoint" resources, which neither of the above provide. I solved my problem by creating a custom ClusterRole. This may not be a bug, but could we add it to documentation somewhere?

Yes, RBAC requirements need to be documented and versioned. The controller used to use PVCs as locks, but now it uses endpoints. There is a TODO to default to Leases instead, since touching endpoints can have security & performance issues. You can disable leader election altogether; it's mainly to avoid controllers racing and hitting the Provision API unnecessarily.
/assign
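As an added illustration (not a manifest from this issue or from the sig-storage-lib-external-provisioner project), the following ClusterRole shows the kind of custom role the first comment describes: the two built-in roles plus an explicit rule for the Endpoints object used as the leader-election lock, alongside the equivalent rule for Leases that the maintainer's reply mentions as the intended future default. The role name, the verb set beyond "update" (a lock object typically also needs get and create), and the namespace/ServiceAccount names in the binding are assumptions chosen for the example.

```yaml
# Example only: a custom ClusterRole granting the leader-election lock
# permissions that the built-in provisioner roles do not include.
# Verbs other than "update" are an assumption about how a lock object is used.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-provisioner-leader-election   # assumed name
rules:
  # Endpoints-based lock (current behaviour described in the issue).
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "create", "update"]
  # Lease-based lock (the alternative mentioned in the reply). Leases carry
  # no service-discovery data, so granting write access here is lower risk
  # than granting it on Endpoints.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "create", "update"]
---
# Bind the custom role to the provisioner's ServiceAccount; the built-in
# system:persistent-volume-provisioner role is bound separately in the
# same way. Namespace and ServiceAccount names are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-provisioner-leader-election   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-provisioner-leader-election
subjects:
  - kind: ServiceAccount
    name: example-provisioner        # placeholder
    namespace: example-provisioner   # placeholder
```

Before deploying, the missing permission the issue describes can be confirmed (or ruled out) with `kubectl auth can-i update endpoints --as=system:serviceaccount:<namespace>:<serviceaccount>`. If only the endpoints-based lock is needed, the `get` and `update` entries can be narrowed further with a `resourceNames` list containing the lock object's name; `create` cannot be restricted by resourceNames, since the object does not yet exist when the request is authorized. If leader election is disabled as the reply suggests, neither rule is required.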

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

rajch commented

/remove-lifecycle stale

May I volunteer to (as a stopgap) update the README with RBAC requirements?

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@fejta-bot: Closing this issue.
