What happened:
When I install karmada-agent by helm chart, I found some error messages in the pod's logs and events like:
```
12m Warning SyncFailed work/karmada-impersonator-7cbb6bd5c9 Failed to sync work(karmada-impersonator-7cbb6bd5c9) to cluster(hz3098manager-3098): clusterroles.rbac.authorization.k8s.io "karmada-impersonator" is forbidden: user "system:serviceaccount:cld-system-karmada:3098-karmada-agent" (groups=["system:serviceaccounts" "system:serviceaccounts:cld-system-karmada" "system:authenticated"]) is attempting to grant RBAC permissions not currently held: {APIGroups:[""], Resources:["groups"], ResourceNames:["system:masters"], Verbs:["impersonate"]} {APIGroups:[""], Resources:["serviceaccounts"], ResourceNames:["generic-garbage-collector"], Verbs:["impersonate"]} {APIGroups:[""], Resources:["serviceaccounts"], ResourceNames:["namespace-controller"], Verbs:["impersonate"]} {APIGroups:[""], Resources:["serviceaccounts"], ResourceNames:["resourcequota-controller"], Verbs:["impersonate"]} {APIGroups:[""], Resources:["users"], ResourceNames:["system:kube-controller-manager"], Verbs:["impersonate"]}
```
I think the reason is the permission escalation prevention in RBAC. See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping for details.
What you expected to happen:
How to reproduce it (as minimally and precisely as possible):
just helm install karmada-agent
Anything else we need to know?:
I just modified the chart to fix it:

```yaml
# charts/templates/karmada_agent.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ $name }}
rules:
  - apiGroups: ['*']
    resources: ['*']
    verbs: ["get", "watch", "list", "create", "update", "delete"]
  - apiGroups: ['rbac.authorization.k8s.io'] # add escalate and bind permission
    resources: ['clusterroles', 'roles']
    verbs: ["bind", "escalate"]
  - nonResourceURLs: ['*']
    verbs: ["get"]
```
Environment:
kubectl-karmada version
karmadactl version
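As an added illustration (not Karmada's code), a small Python model of the RBAC escalation-prevention check behind the error above: a caller may create a ClusterRole only if it already holds every permission the new role grants, or holds the `escalate` verb on clusterroles. The two chart rule sets are the agent ClusterRole before and after the proposed fix; the `karmada-impersonator` rules are reconstructed from the error message.

```python
def _wild(allowed, value):
    return "*" in allowed or value in allowed

def rule_covers(rule, group, resource, name, verb):
    """True if one RBAC rule grants verb on group/resource/name; an absent
    resourceNames list means the rule applies to any name."""
    names = rule.get("resourceNames") or []
    return (_wild(rule["apiGroups"], group) and _wild(rule["resources"], resource)
            and (not names or name in names) and _wild(rule["verbs"], verb))

def permissions(rules):
    """Expand rules into atomic (group, resource, name, verb) tuples."""
    for r in rules:
        for g in r["apiGroups"]:
            for res in r["resources"]:
                for n in r.get("resourceNames") or [""]:
                    for v in r["verbs"]:
                        yield (g, res, n, v)

def missing_permissions(held, wanted):
    """Permissions of `wanted` that no rule in `held` covers: the set the
    API server reports as 'not currently held'."""
    return [p for p in permissions(wanted)
            if not any(rule_covers(r, *p) for r in held)]

def can_create_clusterrole(held, new_role):
    """Escalation prevention: the creator must already hold every permission
    in the new role, or hold the 'escalate' verb on clusterroles."""
    escalate = any(rule_covers(r, "rbac.authorization.k8s.io", "clusterroles",
                               "", "escalate") for r in held)
    return escalate or not missing_permissions(held, new_role)

# Agent ClusterRole from the chart before the fix (from the issue text).
CHART_ORIGINAL = [{"apiGroups": ["*"], "resources": ["*"],
                   "verbs": ["get", "watch", "list", "create", "update", "delete"]}]
# Chart rules after the proposed fix: bind/escalate on roles and clusterroles.
CHART_FIXED = CHART_ORIGINAL + [{"apiGroups": ["rbac.authorization.k8s.io"],
                                 "resources": ["clusterroles", "roles"],
                                 "verbs": ["bind", "escalate"]}]
# karmada-impersonator rules, reconstructed from the error message above.
IMPERSONATOR = [
    {"apiGroups": [""], "resources": ["groups"],
     "resourceNames": ["system:masters"], "verbs": ["impersonate"]},
    {"apiGroups": [""], "resources": ["serviceaccounts"],
     "resourceNames": ["generic-garbage-collector", "namespace-controller",
                       "resourcequota-controller"], "verbs": ["impersonate"]},
    {"apiGroups": [""], "resources": ["users"],
     "resourceNames": ["system:kube-controller-manager"], "verbs": ["impersonate"]},
]
```

`missing_permissions(CHART_ORIGINAL, IMPERSONATOR)` lists the five impersonate grants from the event, and only the fixed rule set passes `can_create_clusterrole`, since the wildcard verb list never included `impersonate`.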
Hi @1285yvonne, sorry for letting this issue hold so long.
> I think the reason is the permission escalation prevention in RBAC.
You are right, we updated the artifacts/agent/clusterrole.yaml but did not modify the chart synchronously:
https://github.com/karmada-io/karmada/blob/master/artifacts/agent/clusterrole.yaml
Are you willing to fix this mistake?
Thanks for your issue!
Hi @1285yvonne , #1457 fixed this bug.
Sorry for taking so long to get this message. Thanks for fixing this problem~