ServiceAccount for provisioner requires "update" verb on "endpoint" resources
rajch opened this issue · 6 comments
In the past, I have seen provisioners run successfully with a ServiceAccount bound to either of the following two ClusterRoles:
- system:persistent-volume-provisioner
- system:controller:persistent-volume-binder
However, the controller seems to want permissions to the "update" verb on "endpoint" resources, which neither of the above provide. I solved my problem by creating a custom ClusterRole. This may not be a bug, but could we add it to documentation somewhere?
Yes, RBAC requirements need to be documented and versioned. The controller used to use PVC's as locks but now it uses endpoints. There is a TODO to default to Leases instead since touching endpoints can have security & performance issues. You can disable leader election altogether, it's mainly to avoid controllers racing and hitting Provision API unnecessarily
/assign
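An added example of the kind of RBAC the two comments above describe; it is not from the issue, the provisioner's README, or the controller's own manifests. It keeps the existing `system:persistent-volume-provisioner` ClusterRole for the storage permissions and adds only a namespaced Role for the leader-election lock, so the `endpoints` write access is scoped to the provisioner's namespace rather than granted cluster-wide. The names `example-provisioner`, the namespace `storage-system`, and the verb set (`get`, `create`, `update`, which is what a client-go resource lock needs to acquire and renew a lock) are assumptions. The second rule shows the `leases` alternative mentioned in the maintainer's comment; if the controller is switched to Leases, or leader election is disabled, the `endpoints` rule can be dropped.

```yaml
# Assumed names: ServiceAccount "example-provisioner" in namespace "storage-system".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-provisioner
  namespace: storage-system
---
# Storage permissions come from the built-in ClusterRole already named in the issue.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-provisioner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:persistent-volume-provisioner
subjects:
  - kind: ServiceAccount
    name: example-provisioner
    namespace: storage-system
---
# Leader-election lock permissions, limited to the provisioner's own namespace.
# "update" on endpoints is the verb the issue reports as missing from the built-in roles.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-provisioner-leader-election
  namespace: storage-system
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "create", "update"]
  # Preferred lock type once the controller defaults to Leases; remove the
  # endpoints rule above at that point so the account cannot rewrite service endpoints.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "create", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-provisioner-leader-election
  namespace: storage-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: example-provisioner-leader-election
subjects:
  - kind: ServiceAccount
    name: example-provisioner
    namespace: storage-system
```

Before deploying, the effective grant can be checked with `kubectl auth can-i update endpoints --as=system:serviceaccount:storage-system:example-provisioner -n storage-system`, which should answer `yes` only in that namespace. Scoping the lock this way matters because an account that can update endpoints cluster-wide can redirect traffic for any Service, which is the security concern behind the TODO to move to Leases.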
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
/remove-lfecycle stale
May I volunteer to (as a stopgap) update the README with RBAC requirements?
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.