mittwald/kubernetes-replicator

Replicator fails to replicate rolebindings and roles using replicate-to-matching

patrickheinzelmann opened this issue · 3 comments

Describe the bug
We're using Argo Workflow and some basic settings have to be copied from the namespace Argo to all namespaces running workflows.

We're trying to use the replicator to replicate the secrets, roles and rolebindings using the annotation replicator.v1.mittwald.de/replicate-to-matching. The secrets are getting replicated to the other namespaces, but the roles and rolebindings aren't replicated.

time="2021-06-23T08:03:57Z" level=error msg="error while replicating by label selector" error="Replicated argo/workflow-default-binding to 0 out of 2 namespaces: 2 errors occurred:\n\t* Failed to replicate RoleBinding argo/workflow-default-binding -> namespace1-dev: Failed to update roleBinding namespace1-dev/workflow-default-binding: roles.rbac.authorization.k8s.io \"workflow-role\" not found: Failed to update roleBinding namespace1-dev/workflow-default-binding: roles.rbac.authorization.k8s.io \"workflow-role\" not found\n\t* Failed to replicate RoleBinding argo/workflow-default-binding -> namespace2-dev: Failed to update roleBinding namespace2-dev/workflow-default-binding: roles.rbac.authorization.k8s.io \"workflow-role\" not found: Failed to update roleBinding namespace2-dev/workflow-default-binding: roles.rbac.authorization.k8s.io \"workflow-role\" not found\n\n" kind=RoleBinding resource=argo/workflow-default-binding

To Reproduce

  1. Create two namespaces.

  2. Create a secret, a role and a rolebinding in the first namespace which have the annotation:
    replicator.v1.mittwald.de/replicate-to-matching: argo-workflow-enabled=true

The rolebinding should reference the role.

  3. Add label "argo-workflow-enabled:true" to the second namespace.

  4. Wait till the replicator has run.

  5. Check for the secret, role and rolebinding in the second namespace.

Expected behavior

The secret, role and rolebinding will be replicated to namespaces that have the label "argo-workflow-enabled: true".

Environment:

  • Kubernetes version: v1.18.1
  • kubernetes-replicator version: latest (Redeployed the pod with version quay.io/mittwald/kubernetes-replicator:latest)

Do I have to install the replicator via Helm to adjust the settings to replicate roles and rolebindings?

From my understanding, the RBAC contains a cluster role.

- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]

https://raw.githubusercontent.com/mittwald/kubernetes-replicator/master/deploy/rbac.yaml

The replicator needs to have at least the same privileges as the role that should be replicated, as described here:
https://github.com/mittwald/kubernetes-replicator#role-and-rolebinding-replication

Could that be the problem here?

The solutions described in the readme are currently only available in the Helm chart. If you're not deploying using Helm, you have to edit the ClusterRole manually.

@hensur After the redeployment via Helm, the roles and rolebindings were replicated.
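The privilege requirement discussed in this thread, as an added example that is not part of the issue or the project's code: a simplified model of the Kubernetes RBAC escalation check that lists which permissions of a Role the replicator's ClusterRole does not hold. The `workflow-role` rules are constructed (the page does not show them), and the model ignores `resourceNames` and `nonResourceURLs`.

```python
# Added example: simplified model of the Kubernetes RBAC escalation check.
# A Role write is rejected unless the writer already holds every permission
# in the Role, or holds the "escalate" verb on roles.
from itertools import product

ESCALATE = ("rbac.authorization.k8s.io", "roles", "escalate")


def expand(rule):
    """Break one RBAC rule into (apiGroup, resource, verb) tuples."""
    return set(product(rule["apiGroups"], rule["resources"], rule["verbs"]))


def covered(perm, holder_rules):
    """True if a single holder rule grants perm, honouring the "*" wildcard."""
    group, resource, verb = perm
    return any(
        (group in r["apiGroups"] or "*" in r["apiGroups"])
        and (resource in r["resources"] or "*" in r["resources"])
        and (verb in r["verbs"] or "*" in r["verbs"])
        for r in holder_rules
    )


def missing_permissions(role_rules, holder_rules):
    """Permissions in the Role that the holder lacks; non-empty means rejection."""
    if covered(ESCALATE, holder_rules):
        return []
    perms = set().union(*(expand(r) for r in role_rules))
    return sorted(p for p in perms if not covered(p, holder_rules))


# The rule quoted in the thread from deploy/rbac.yaml (other rules not shown there).
REPLICATOR_RULES = [{
    "apiGroups": ["rbac.authorization.k8s.io"],
    "resources": ["roles", "rolebindings"],
    "verbs": ["get", "watch", "list", "create", "update", "patch", "delete"],
}]

# Constructed stand-in for argo/workflow-role; its real rules are not on the page.
WORKFLOW_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "patch"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
]

if __name__ == "__main__":
    for gap in missing_permissions(WORKFLOW_ROLE_RULES, REPLICATOR_RULES):
        print("replicator lacks:", gap)
```

Every tuple it reports is a permission to add to the replicator's ClusterRole when editing it manually; granting only those keeps the service account at least privilege.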