johnpoth commented on pull request #2696: URL: https://github.com/apache/camel-k/pull/2696#issuecomment-959568025
> kubectl auth can-i get cm -n kube-public --as system:serviceaccount:camel-k:camel-k-operator
> no
>
> > As @nicolaferraro said I'm not sure how public the "kube-public" namespace really is:
> >
> > ```
> > $ kubectl auth can-i get cm -n kube-public --as system:serviceaccount:camel-k:camel-k-operator
> > no
> > ```
>
> That means the operator service account does not have the required permission, but I would not deduce `kube-public` is not "public" from it. That only means read permission is granted for all users, but not service accounts. This is for us to add the permission to the operator service account.
>
> One solution is to create a dedicated ClusterRole with:
>
> ```yaml
> rules:
> - apiGroups: [""]
>   resources: ["configmaps"]
>   resourceNames: ["local-registry-hosting"]
>   verbs: ["get"]
> ```
>
> And a RoleBinding projecting that ClusterRole on the `kube-public` namespace for the operator service account.

Ah yeah thanks, I think I tested with unauthorized users (which also didn't work) but I've added the RBAC files as you suggested, which should make the question "is the kube-public namespace really public" null and void :) Thanks!
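The ClusterRole and RoleBinding suggested in the quoted comment, written out as a full manifest. This is an added example, not the RBAC files from the pull request; the `metadata.name` values are hypothetical, while the service account, namespaces and ConfigMap name are the ones given in the thread.

```yaml
# Added example: least-privilege read access to a single ConfigMap in kube-public.
# The metadata.name values are hypothetical, not taken from the camel-k repository.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: camel-k-operator-local-registry   # hypothetical name
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  # resourceNames limits the grant to this one object; no other ConfigMap is readable
  resourceNames: ["local-registry-hosting"]
  # "get" only: a resourceNames-restricted rule does not authorize an unrestricted "list"
  verbs: ["get"]
---
# A namespaced RoleBinding (not a ClusterRoleBinding) scopes the ClusterRole
# to kube-public only, so the operator gains nothing in other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: camel-k-operator-local-registry   # hypothetical name
  namespace: kube-public
subjects:
- kind: ServiceAccount
  name: camel-k-operator
  namespace: camel-k
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: camel-k-operator-local-registry
```

With this applied, `kubectl auth can-i get cm/local-registry-hosting -n kube-public --as system:serviceaccount:camel-k:camel-k-operator` should answer `yes`. The unnamed `get cm` check quoted in the thread still answers `no`, because the rule only matches requests that name `local-registry-hosting`.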
