Halyard: 403 (forbidden) on spin-orca-bootstrap:8083/orchestrate #2413
With Spinnaker 1.6.1 and Halyard 1.2.0 I get a more meaningful error message:
After investigation of logs it turned out that it's necessary to add the following permissions:
So the complete role definition looks like:
@lwander, @wmuizelaar the issue can be closed.
Nice work!
Migrated from https://github.com/spinnaker/halyard/issues/718
Opened by: @wheleph (2017-10-13 14:24:37)
I'm trying to deploy Spinnaker 1.4.1 using Halyard 0.34.0-20170908160431. When I execute
hal deploy apply
I see the following cryptic error:
--debug flag gives the following additional output:
I suppose this is because I'm trying to deploy Spinnaker using a restricted service account that has access to only 1 namespace (similar to https://blog.spinnaker.io/spinnaker-kubernetes-rbac-c40f1f73c172) and it lacks some permissions. I couldn't find anything relevant in orca or clouddriver logs.
But how to find which ones are actually needed?
Comments:
@lwander (2017-09-29 17:55:07): Does it have access to the spinnaker namespace?
@wmuizelaar (2017-09-29 18:01:40): Yes, it has the 'edit' clusterrole in the spinnaker namespace:
@lwander (2017-09-29 18:03:37): ClusterRoles are not namespace dependent, so I'm not sure what you mean
@lwander (2017-09-29 18:03:57): https://kubernetes.io/docs/admin/authorization/rbac/#role-and-clusterrole
@wmuizelaar (2017-09-29 18:05:56): Well, as described in your link, the spinnaker service account has a rolebinding in the spinnaker namespace, giving it 'edit' rights (which happens to be defined as a clusterrole, but because this is a rolebinding and not a clusterrolebinding, it only applies within the spinnaker namespace)
@wmuizelaar (2017-10-13 14:24:36): We needed to give the spinnaker service-account 'cluster-admin' rights to make things work eventually.
Is it possible to specify what rights actually are needed, so we can restrict it accordingly?
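The RoleBinding scoping discussed in the comments above, as an added example that is not part of the original issue or of Halyard: a simplified Python model of how RBAC evaluates a request. The service account name, the trimmed `edit` rules and the sample requests are constructed assumptions, not Halyard's actual API calls.

```python
# Simplified model of Kubernetes RBAC evaluation (added example, constructed data).
SA = ("ServiceAccount", "spinnaker", "spinnaker")  # kind, namespace, name (assumed)

# Constructed, heavily trimmed stand-in for the built-in "edit" ClusterRole.
CLUSTER_ROLES = {
    "edit": [{"apiGroups": ["", "apps"],
              "resources": ["pods", "services", "deployments"],
              "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}],
}

# A RoleBinding in the "spinnaker" namespace that references the ClusterRole,
# which is the setup described in the thread.
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "spinnaker",
     "roleRef": {"kind": "ClusterRole", "name": "edit"}, "subjects": [SA]},
]

def rule_matches(rule, group, resource, verb):
    """A rule matches when group, resource and verb are each listed (or '*')."""
    return all("*" in rule[k] or v in rule[k] for k, v in
               (("apiGroups", group), ("resources", resource), ("verbs", verb)))

def allowed(subject, verb, group, resource, namespace, bindings=BINDINGS):
    """namespace=None models a cluster-scoped request (e.g. listing namespaces)."""
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue  # a RoleBinding grants nothing outside its own namespace
        rules = CLUSTER_ROLES[b["roleRef"]["name"]]
        if any(rule_matches(r, group, resource, verb) for r in rules):
            return True
    return False  # RBAC is default-deny; the API server answers 403 Forbidden

def denied_requests(subject, requests, bindings=BINDINGS):
    """Return the requests that would be rejected, in input order."""
    return [r for r in requests if not allowed(subject, *r, bindings=bindings)]

# Constructed sample requests: (verb, apiGroup, resource, namespace).
SAMPLE = [
    ("create", "apps", "deployments", "spinnaker"),
    ("list", "", "pods", "default"),
    ("list", "", "namespaces", None),
]

if __name__ == "__main__":
    for req in denied_requests(SA, SAMPLE):
        print("403 forbidden:", req)
```

Against a live cluster, `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<name> -n <namespace>` answers the same question for one request at a time.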