
ClusterRole kubed-operator needs 'patch' and 'delete' permissions for configmaps/secrets resources #267

Closed
hugocf opened this issue May 15, 2018 · 1 comment

@hugocf
commented May 15, 2018

Summary

Kubed ConfigSyncer gives a permissions error when trying to patch or delete a synced configmap/secret. When the error occurs, the syncing action stops and no other namespace is updated.

Steps to Reproduce

These steps are based on the Synchronize ConfigMap tutorial in a newly created Kubernetes cluster on AWS (via Kops) and highlight the issue using a configmap (although the same occurs with secrets):

1. Prepare namespace & configmap

$ kubectl create ns demo
namespace "demo" created

$ kubectl apply -f demo-0.yaml
configmap "omni" created

$ kubectl annotate configmap omni kubed.appscode.com/sync="" -n demo
configmap "omni" annotated

$ kubectl get configmaps --all-namespaces | grep omni
default           omni                                 2         24s
demo              omni                                 2         1m
kube-public       omni                                 2         24s
kube-system       omni                                 2         24s

2. Change the original configmap

$ kubectl get -n demo configmap/omni -o yaml | head -4
apiVersion: v1
data:
  leave: once
  you: only

$ kubectl get -n default configmap/omni -o yaml | head -4
apiVersion: v1
data:
  leave: once
  you: only

$ kubectl apply -f demo-1.yaml
configmap "omni" configured

$ kubectl get -n demo configmap/omni -o yaml | head -4
apiVersion: v1
data:
  live: once
  you: only

$ kubectl get -n default configmap/omni -o yaml | head -4
apiVersion: v1
data:
  leave: once
  you: only

3. Delete the original configmap

$ kubectl get configmaps --all-namespaces | grep omni
default           omni                                 2         17m
demo              omni                                 2         5m
kube-public       omni                                 2         17m
kube-system       omni                                 2         17m

$ kubectl delete -f demo-1.yaml
configmap "omni" deleted

$ kubectl get configmaps --all-namespaces | grep omni
default           omni                                 2         18m
kube-public       omni                                 2         18m
kube-system       omni                                 2         18m

Expected Results

In step 2 above the omni configmap should have been changed in the other namespaces, and in step 3 deleted from all the other namespaces: default, kube-public, and kube-system.

Actual Results

The omni configmap was neither changed (step 2) nor deleted (step 3) from the other namespaces.

The following errors appear in the kubed-operator pod logs after the failed steps:

$ kubectl logs -f -n kube-system kubed-operator-7975b7cd5d-7frfv

After step 1 (everything ok):

...
I0515 22:49:55.622455       1 configmap.go:19] Creating ConfigMap default/omni.
I0515 22:49:55.637364       1 configmap.go:19] Creating ConfigMap kube-public/omni.
I0515 22:49:55.642712       1 configmap.go:19] Creating ConfigMap kube-system/omni.
...

After step 2 (permissions error):

...
I0515 22:50:26.701216       1 configmap.go:52] Patching ConfigMap default/omni with {"data":{"leave":null,"live":"once"},"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"data\":{\"live\":\"once\",\"you\":\"only\"},\"kind\":\"ConfigMap\",\"metadata\":{\"annotations\":{},\"name\":\"omni\",\"namespace\":\"demo\"}}\n","kubed.appscode.com/origin":"{\"namespace\":\"demo\",\"name\":\"omni\",\"uid\":\"2eb61293-5892-11e8-a4dd-069380676cb2\",\"resourceVersion\":\"983575\"}"}}}
E0515 22:50:26.702554       1 resourcehandlers.go:57] [configmaps "omni" is forbidden: User "system:serviceaccount:kube-system:kubed-operator" cannot patch configmaps in the namespace "default"]
...

After step 3 (permissions error):

...
E0515 22:50:41.914017       1 resourcehandlers.go:72] [configmaps "omni" is forbidden: User "system:serviceaccount:kube-system:kubed-operator" cannot delete configmaps in the namespace "default"]
...

Versions

The cluster where this issue occurs is running Kubernetes version 1.9.7 (with RBAC enabled) and we tested with the following Kubed versions 0.5.0, 0.6.0-rc.0, and master (sha aec0126), all with the same erroneous results.

Notes

Kubed installation was done via the command:

curl -fsSL https://raw.githubusercontent.com/appscode/kubed/$version/hack/deploy/kubed.sh | bash -s -- --rbac

Quickly edited ClusterRole kubed-operator to add the patch and delete verbs and the steps above were successful, but not sure whether it has any other implications…

$ kubectl edit clusterrole kubed-operator
clusterrole "kubed-operator" edited
--- kubectl-edit-old.yaml	2018-05-16 00:24:51.000000000 +0100
+++ kubectl-edit-new.yaml	2018-05-16 00:23:56.000000000 +0100
@@ -44,3 +44,5 @@
   - get
   - create
   - update
+  - patch
+  - delete
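Review bot: the hunk shows only the `verbs:` list at line 44 of the role, not the `apiGroups:`/`resources:` entries it belongs to, so confirm that this is the rule scoped to configmaps and secrets before committing `patch` and `delete` to it. Because `kubed-operator` is a ClusterRole, the added verbs apply in every namespace; that is exactly what cross-namespace sync needs, but it also widens what the `system:serviceaccount:kube-system:kubed-operator` identity can delete, so the change belongs in the shipped `hack/deploy` role definition rather than only in a local `kubectl edit`, and the resource list on that rule should stay limited to the two kinds ConfigSyncer actually manages.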
@hossainemruz

commented May 16, 2018

@hugocf Thank you for reporting. We have fixed this in #268. We will cut a release soon with this fix.
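The gap the issue describes is a ClusterRole whose rule for configmaps/secrets lacks the `patch` and `delete` verbs that ConfigSyncer needs once a synced object is updated or removed. The following is an added example, not kubed's or the reporter's code, that evaluates a ClusterRole in `kubectl ... -o json` shape against the verbs the log lines above show being used; the `BEFORE`/`AFTER` roles are constructed excerpts containing only the relevant rule, and `REQUIRED_VERBS` is the assumed set of verbs the syncer needs.

```python
import json

# Verbs kubed's ConfigSyncer exercises on synced objects (assumed set, built from
# the operator log: create worked, patch and delete were forbidden).
REQUIRED_VERBS = {"get", "create", "update", "patch", "delete"}
SYNCED_RESOURCES = {"configmaps", "secrets"}


def rule_allows(rule, resource, verb):
    """True if one RBAC PolicyRule grants `verb` on a core-group `resource`.

    Core-group resources match an empty apiGroup ("") or the wildcard "*";
    resources and verbs also honour the "*" wildcard.
    """
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("" in groups or "*" in groups)
            and (resource in resources or "*" in resources)
            and (verb in verbs or "*" in verbs))


def missing_permissions(clusterrole, resources=SYNCED_RESOURCES, verbs=REQUIRED_VERBS):
    """Return {resource: sorted list of verbs no rule in the role grants}."""
    rules = clusterrole.get("rules", [])
    missing = {}
    for res in sorted(resources):
        gaps = sorted(v for v in verbs
                      if not any(rule_allows(r, res, v) for r in rules))
        if gaps:
            missing[res] = gaps
    return missing


# Constructed excerpt of the role as shipped (verbs taken from the diff context
# in the issue: get, create, update).
BEFORE = json.loads("""{
  "kind": "ClusterRole", "metadata": {"name": "kubed-operator"},
  "rules": [{"apiGroups": [""], "resources": ["configmaps", "secrets"],
             "verbs": ["get", "create", "update"]}]}""")

# Same role with the two verbs the reporter added by hand.
AFTER = json.loads(json.dumps(BEFORE))
AFTER["rules"][0]["verbs"] += ["patch", "delete"]

if __name__ == "__main__":
    print("before:", missing_permissions(BEFORE))  # configmaps/secrets lack delete, patch
    print("after: ", missing_permissions(AFTER))   # {}
```

Against a live cluster the API server answers the same question directly, e.g. `kubectl auth can-i patch configmaps -n default --as=system:serviceaccount:kube-system:kubed-operator`, which is a quick way to confirm the shipped role after upgrading.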

tamalsaha added a commit that referenced this issue May 16, 2018
