
Cannot reconcile clusterRole/clusterRoleBinding karmada-impersonator #1396

Closed
1285yvonne opened this issue Feb 24, 2022 · 3 comments · Fixed by #1457
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@1285yvonne

What happened:

When I installed karmada-agent with the Helm chart, I found some error messages in the pod's logs and events like:

```
12m         Warning   SyncFailed   work/karmada-impersonator-7cbb6bd5c9   Failed to sync work(karmada-impersonator-7cbb6bd5c9) to cluster(hz3098manager-3098): clusterroles.rbac.authorization.k8s.io "karmada-impersonator" is forbidden: user "system:serviceaccount:cld-system-karmada:3098-karmada-agent" (groups=["system:serviceaccounts" "system:serviceaccounts:cld-system-karmada" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:[""], Resources:["groups"], ResourceNames:["system:masters"], Verbs:["impersonate"]}
{APIGroups:[""], Resources:["serviceaccounts"], ResourceNames:["generic-garbage-collector"], Verbs:["impersonate"]}
{APIGroups:[""], Resources:["serviceaccounts"], ResourceNames:["namespace-controller"], Verbs:["impersonate"]}
{APIGroups:[""], Resources:["serviceaccounts"], ResourceNames:["resourcequota-controller"], Verbs:["impersonate"]}
{APIGroups:[""], Resources:["users"], ResourceNames:["system:kube-controller-manager"], Verbs:["impersonate"]}
```

I think the reason is the permission escalation prevention in RBAC. See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping for details.

What you expected to happen:

How to reproduce it (as minimally and precisely as possible):

Just `helm install karmada-agent`.

Anything else we need to know?:

I just modified the chart to fix it:

```yaml
# charts/templates/karmada_agent.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ $name }}
rules:
  - apiGroups: ['*']
    resources: ['*']
    verbs: ["get", "watch", "list", "create", "update", "delete"]
  - apiGroups: ['rbac.authorization.k8s.io'] # add escalate and bind permission
    resources: ['clusterroles', 'roles']
    verbs: ["bind", "escalate"]
  - nonResourceURLs: ['*']
    verbs: ["get"]
```

Environment:

  • Karmada version: v1.0.1
  • host cluster k8s version: v1.21.1
  • kubectl-karmada or karmadactl version (the result of kubectl-karmada version or karmadactl version):
  • Others:
1285yvonne added the kind/bug label Feb 24, 2022
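The check that the SyncFailed event above is reporting, as an added example that is not part of this issue or of Karmada's code: a simplified Python model of the RBAC rule-coverage test the API server applies when a subject creates a ClusterRole. It breaks each requested rule into single verb/group/resource/name pieces and asks whether any rule the grantor already holds covers each piece, with `escalate` on clusterroles as the explicit opt-out. The agent ClusterRole from the chart (before and after the bind/escalate rule) and the five karmada-impersonator rules from the event are the constructed inputs; the `Rule` class, the function names and the simplified matching are assumptions of this example, not upstream code.

```python
"""Simplified model of the RBAC privilege-escalation check (constructed
example, not part of the issue or of Karmada). It mirrors the shape of the
kube-apiserver's rule-coverage logic but is a simplified re-implementation."""
from dataclasses import dataclass
from typing import List, Tuple

RBAC_GROUP = "rbac.authorization.k8s.io"


@dataclass(frozen=True)
class Rule:
    """One PolicyRule, shaped like a ClusterRole .rules[] entry."""
    verbs: Tuple[str, ...]
    api_groups: Tuple[str, ...] = ()
    resources: Tuple[str, ...] = ()
    resource_names: Tuple[str, ...] = ()
    non_resource_urls: Tuple[str, ...] = ()


def breakdown(rule: Rule) -> List[Rule]:
    """Split a rule into pieces with one verb, group, resource and name each."""
    pieces = []
    for verb in rule.verbs:
        for group in rule.api_groups:
            for resource in rule.resources:
                # An empty resourceNames list means "any object of that kind".
                for name in rule.resource_names or (None,):
                    pieces.append(Rule((verb,), (group,), (resource,),
                                       (name,) if name is not None else ()))
        for url in rule.non_resource_urls:
            pieces.append(Rule((verb,), non_resource_urls=(url,)))
    return pieces


def _matches(held: Tuple[str, ...], wanted: str) -> bool:
    return "*" in held or wanted in held


def _url_matches(held: Tuple[str, ...], wanted: str) -> bool:
    # Non-resource URL rules may end in "*" as a prefix wildcard.
    return any(p == "*" or p == wanted or
               (p.endswith("*") and wanted.startswith(p[:-1])) for p in held)


def covers(held: Rule, piece: Rule) -> bool:
    """Does one rule the grantor holds grant one broken-down piece?"""
    if not _matches(held.verbs, piece.verbs[0]):
        return False
    if piece.non_resource_urls:
        return _url_matches(held.non_resource_urls, piece.non_resource_urls[0])
    if not _matches(held.api_groups, piece.api_groups[0]):
        return False
    if not _matches(held.resources, piece.resources[0]):
        return False
    # A held rule without resourceNames applies to every object; one that
    # lists names only covers a piece naming one of them.
    if held.resource_names:
        return bool(piece.resource_names) and piece.resource_names[0] in held.resource_names
    return True


def uncovered(grantor: List[Rule], requested: List[Rule]) -> List[Rule]:
    """Pieces of the requested rules that no grantor rule covers."""
    return [piece for rule in requested for piece in breakdown(rule)
            if not any(covers(held, piece) for held in grantor)]


# Holding `escalate` on clusterroles is the explicit opt-out from the check.
ESCALATE = Rule(("escalate",), (RBAC_GROUP,), ("clusterroles",))


def may_create_clusterrole(grantor: List[Rule], requested: List[Rule]) -> Tuple[bool, List[Rule]]:
    """(allowed, missing pieces): allowed when nothing is missing or when
    the grantor may escalate clusterroles."""
    if any(covers(held, ESCALATE) for held in grantor):
        return True, []
    missing = uncovered(grantor, requested)
    return not missing, missing


# Agent ClusterRole as in the chart before the fix quoted in the issue.
AGENT_BEFORE = [
    Rule(("get", "watch", "list", "create", "update", "delete"), ("*",), ("*",)),
    Rule(("get",), non_resource_urls=("*",)),
]
# The same role with the bind/escalate rule the issue adds.
AGENT_AFTER = AGENT_BEFORE + [
    Rule(("bind", "escalate"), (RBAC_GROUP,), ("clusterroles", "roles")),
]
# The karmada-impersonator rules listed in the SyncFailed event.
IMPERSONATOR = [
    Rule(("impersonate",), ("",), ("groups",), ("system:masters",)),
    Rule(("impersonate",), ("",), ("serviceaccounts",), ("generic-garbage-collector",)),
    Rule(("impersonate",), ("",), ("serviceaccounts",), ("namespace-controller",)),
    Rule(("impersonate",), ("",), ("serviceaccounts",), ("resourcequota-controller",)),
    Rule(("impersonate",), ("",), ("users",), ("system:kube-controller-manager",)),
]

if __name__ == "__main__":
    for label, role in (("before fix", AGENT_BEFORE), ("after fix", AGENT_AFTER)):
        allowed, missing = may_create_clusterrole(role, IMPERSONATOR)
        print(f"{label}: allowed={allowed}, permissions not held={len(missing)}")
```

Running it shows why the original chart fails: the agent's `*`/`*` rule covers every group and resource but not the `impersonate` verb, so all five impersonator rules are reported as "not currently held", exactly as in the event. Adding `escalate` does not make those pieces covered (`uncovered` still returns five); it switches the check off for this subject, which is why that verb should be granted deliberately and only to the component that needs to manage roles.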
@XiShanYongYe-Chang (Member)

Hi @1285yvonne, sorry for letting this issue sit for so long.

> I think the reason is the permission escalation prevention in RBAC.

You are right, we updated artifacts/agent/clusterrole.yaml but did not modify the chart synchronously:

https://github.com/karmada-io/karmada/blob/master/artifacts/agent/clusterrole.yaml

Are you willing to fix this mistake?

Thanks for your issue!

@XiShanYongYe-Chang (Member)

Hi @1285yvonne, #1457 fixed this bug.

@1285yvonne (Author)

> Hi @1285yvonne, #1457 fixed this bug.

Sorry for taking so long to get this message. Thanks for fixing this problem~
