-
Notifications
You must be signed in to change notification settings - Fork 597
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[occm] (helm chart) cloud-controller-manager
serviceaccount has no clusterrolebinding
#2049
Comments
I am wondering whether your namespace is incorrect or other manual things handled wrong https://github.com/kubernetes/cloud-provider-openstack/blob/master/charts/openstack-cloud-controller-manager/templates/clusterrole.yaml#L36 is the role that defined and there is a rolebinding that helps grant the actions, maybe you can check whether there's something wrong there the option you provided seems reltaed to |
Thanks for taking a look @jichenjc. The namespace I'm installing this into is
Note the serviceaccount there is |
um.. the fix is there for long time .. so if it's a 1.25 potential fix, then it's a new issue :( |
Had a similar issue after updating the openstack-cloud-controller-manager chart from 1.3.0 to 1.4.0 New services backed by load-balancers would not get an external IP because the serviceaccount cloud-controller-manager did not have the proper privileges to patch the service object. Error: Warning SyncLoadBalancerFailed 2m30s (x2 over 5m11s) service-controller Error syncing load balancer: failed to ensure load balancer: failed to patch service object istio-ingress/istio-ingressgateway: services "istio-ingressgateway" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "istio-ingress" My temporary workaround piggybacking on the clusterrole system:openstack-cloud-controller-manager: % kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:cloud-controller-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openstack-cloud-controller-manager
subjects:
- kind: ServiceAccount
name: cloud-controller-manager
namespace: kube-system
EOF |
We've started hitting consistently as well with |
@namsral Helm chart has slightly different ClusterRoleBinding and RBAC ( https://github.com/kubernetes/cloud-provider-openstack/blob/master/charts/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml ) "system:serviceaccount:kube-system:openstack-cloud-controller-manager" I am not familiar with how it is working with the external cloud provider. @jichenjc |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The default setting of the openstack-cloud-controller-manager uses two different service accounts with differing permissions. This leads to issues, especially when creating load-balancer services, where the wrong serivce account is used and consequently not allowed to do the things required to actually make things work. This is a workaround that forces the openstack-cloud-controller-manager to just use one single service account, which makes things work again. Fixes: Error syncing load balancer: failed to ensure load balancer: failed to patch service object ingress-nginx/ingress-nginx-controller: services "ingress-nginx-controller" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "ingress-nginx" References: - kubernetes/cloud-provider-openstack#2049 - kubernetes/cloud-provider-openstack#1722
…credentials (#412) The default setting of the openstack-cloud-controller-manager uses two different service accounts with differing permissions. This leads to issues, especially when creating load-balancer services, where the wrong serivce account is used and consequently not allowed to do the things required to actually make things work. This is a workaround that forces the openstack-cloud-controller-manager to just use one single service account, which makes things work again. Fixes: Error syncing load balancer: failed to ensure load balancer: failed to patch service object ingress-nginx/ingress-nginx-controller: services "ingress-nginx-controller" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "ingress-nginx" References: - kubernetes/cloud-provider-openstack#2049 - kubernetes/cloud-provider-openstack#1722 Co-authored-by: Sebastian Lehne <sl@teuto.net>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager. The change is motivated by a number of reasons, namely: - Creates suitable service accounts, cluster roles and cluster role bindings for `--use-service-accounts-credentials=true` - Normalises service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager. The change is motivated by a number of reasons, namely: - Creates suitable service accounts, cluster roles and cluster role bindings for `--use-service-accounts-credentials=true` - Normalises service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - #2049 - #1722 - #1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
…chart (#2449) * Use standard service account name in OCCM helm chart (#2332) This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - #2049 - #1722 - #1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de> * Remove spurious whitespace in OCCM values file (#2347) The space character was sadly introduced in an earlier PR and had not been picked up by the helm linter, presumably because the GHA did not run. Signed-off-by: Wolodja Wentland <w@wentland.dev> --------- Signed-off-by: Wolodja Wentland <wwentland@wavecon.de> Signed-off-by: Wolodja Wentland <w@wentland.dev>
…chart (#2448) * Use standard service account name in OCCM helm chart (#2332) This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - #2049 - #1722 - #1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de> * Remove spurious whitespace in OCCM values file (#2347) The space character was sadly introduced in an earlier PR and had not been picked up by the helm linter, presumably because the GHA did not run. Signed-off-by: Wolodja Wentland <w@wentland.dev> --------- Signed-off-by: Wolodja Wentland <wwentland@wavecon.de> Signed-off-by: Wolodja Wentland <w@wentland.dev>
…chart (#2447) * Use standard service account name in OCCM helm chart (#2332) This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - #2049 - #1722 - #1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de> * Remove spurious whitespace in OCCM values file (#2347) The space character was sadly introduced in an earlier PR and had not been picked up by the helm linter, presumably because the GHA did not run. Signed-off-by: Wolodja Wentland <w@wentland.dev> --------- Signed-off-by: Wolodja Wentland <wwentland@wavecon.de> Signed-off-by: Wolodja Wentland <w@wentland.dev>
/kind bug
What happened:
Using
--use-service-account-crredentials
(as is default in the chart), I'm seeing the following in the logs:Should the roles stuff in the manifests folder be part of the chart, or am I misunderstanding how this works?
When I set
--use-service-account-credentials=false
viacontrollerExtraArgs
, things seem to work as expected.What you expected to happen:
No permission errors in the logs
How to reproduce it:
Install the helm chart with values:
The text was updated successfully, but these errors were encountered: