failing in namspace creation on openshift 4.6 after installing gatekeeper #1127
Comments
|
It might be worth adding a config to the Helm chart that allows people to extend the permissions given to In the interim you could create a role and role binding that gives apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: gatekeeper-manager-openshift-role
namespace: gatekeeper-system
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- anyuid
resources:
- securitycontextconstraints
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
gatekeeper.sh/system: "yes"
name: gatekeeper-manager-openshift-rolebinding
namespace: gatekeeper-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: gatekeeper-manager-openshift-role
subjects:
- kind: ServiceAccount
name: gatekeeper-admin
namespace: gatekeeper-systemI think you'll need to apply these after the Helm chart in order to ensure the namespace is created. |
|
when i was configuring the gatekeeper in GCP cluster got a similar issue It was firewall issue, enable the port 8443 in the gke master node. everthing worked fine then. |
|
Thanks for the update @Aabhusan ! Since this bug is ~1 year old, closing due to staleness. OP can re-open if needed. |
|
No problem @maxsmythe :) |
Error from server (InternalError): Internal error occurred: failed calling webhook "check-ignore-label.gatekeeper.sh": Post "https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admitlabel?timeout=3s": no endpoints available for service "gatekeeper-webhook-service"
Gatekeeper version - 3.2.1
Openshift version - 4.6
According to #842 this PR, we need to modify the helm chart with some configuration to work with ocp 4.x.
Is there any way to add configuration without modifying the chart?
Note: On helm installatiion, deployment status show the namespace as current oc project instead of 'gatekeeper-system'
The text was updated successfully, but these errors were encountered: