Use system-upgrade-controller with reduced ServiceAccount permissions #1258
sebastianlutter started this conversation in Ideas
Replies: 0 comments
The kustomize process got stuck on cluster bootstrapping (#1252) recently due to this commit in rancher/system-upgrade-controller@37928ad#diff-fc6d73a1f073b43ed0dd766999636ba6c1e99ed8eee8e463815dc69bbde07d06

As a workaround this was fixed with #1253 in the 2.13.1 release. But the commit in rancher/system-upgrade-controller (Reduce permissions for system-upgrade-controller serviceaccount) does make sense and we should include the new yaml files manifests/clusterrole.yaml and manifests/clusterrolebinding.yaml with a tailored set of permissions for the controller in the long run.

I'm unsure if we should go back to the upstream master branch version of system-upgrade-controller.yaml or if a specific commit should be used. Since the recent commit caused kustomize to get stuck and broke the whole terraform-hcloud-kube-hetzner cluster init, it may be better to use a fixed commit. On the other hand, this would add the hassle of manually updating the manifest, because at some point there will also be changes made to the file that are needed to make everything work. This is worth a discussion; what is your opinion?