haowang-pony opened a new issue #719:
URL: https://github.com/apache/apisix-ingress-controller/issues/719


   ### Issue description
   I want to restrict the apisix-ingress-controller service account to the 
`ingress-apisix` namespace rather than cluster-wide. However, I ran into this error:
   ```
   E1023 04:08:38.496282       1 leaderelection.go:325] error retrieving resource lock default/ingress-apisix-leader: leases.coordination.k8s.io "ingress-apisix-leader" is forbidden: User "system:serviceaccount:ingress-apisix:ingress-apisix" cannot get resource "leases" in API group "coordination.k8s.io" in the namespace "default"
   ```
   
   My service account config is:
   ```yaml
   apiVersion: apps/v1
   items:
   - apiVersion: v1
     kind: ServiceAccount
     metadata:
       name: nginx-ingress-serviceaccount
       namespace: ingress-nginx
   - apiVersion: rbac.authorization.k8s.io/v1beta1
     kind: ClusterRole
     metadata:
       name: nginx-ingress-clusterrole
     rules:
     - apiGroups:
       - ''
       resources:
       - configmaps
       - endpoints
       - nodes
       - pods
       - secrets
       verbs:
       - list
       - watch
     - apiGroups:
       - ''
       resources:
       - nodes
       verbs:
       - get
     - apiGroups:
       - ''
       resources:
       - services
       verbs:
       - get
       - list
       - watch
     - apiGroups:
       - extensions
       - networking.k8s.io
       resources:
       - ingresses
       verbs:
       - get
       - list
       - watch
     - apiGroups:
       - ''
       resources:
       - events
       verbs:
       - create
       - patch
     - apiGroups:
       - extensions
       - networking.k8s.io
       resources:
       - ingresses/status
       verbs:
       - update
   - apiVersion: rbac.authorization.k8s.io/v1beta1
     kind: Role
     metadata:
       name: nginx-ingress-role
       namespace: ingress-nginx
     rules:
     - apiGroups:
       - ''
       resources:
       - configmaps
       - pods
       - secrets
       - namespaces
       verbs:
       - get
     - apiGroups:
       - ''
       resourceNames:
       - ingress-controller-leader-nginx
       resources:
       - configmaps
       verbs:
       - get
       - update
     - apiGroups:
       - ''
       resources:
       - configmaps
       verbs:
       - create
     - apiGroups:
       - ''
       resources:
       - endpoints
       verbs:
       - get
   - apiVersion: rbac.authorization.k8s.io/v1beta1
     kind: RoleBinding
     metadata:
       name: nginx-ingress-role-nisa-binding
       namespace: ingress-nginx
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: Role
       name: nginx-ingress-role
     subjects:
     - kind: ServiceAccount
       name: nginx-ingress-serviceaccount
       namespace: ingress-nginx
   - apiVersion: rbac.authorization.k8s.io/v1beta1
     kind: ClusterRoleBinding
     metadata:
       name: nginx-ingress-clusterrole-nisa-binding
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: nginx-ingress-clusterrole
     subjects:
     - kind: ServiceAccount
       name: nginx-ingress-serviceaccount
       namespace: ingress-nginx
   kind: List
   ```
   
   
   ### Environment
   
   * your apisix-ingress-controller version (output of `apisix-ingress-controller version --long`): 1.2.0
   * your Kubernetes cluster version (output of `kubectl version`): v1.19.14
   * if you run apisix-ingress-controller in a bare-metal environment, also show your OS version (`uname -a`).
   
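The error quoted in the report is a standard Kubernetes RBAC denial: it names the subject, the verb, the resource, the API group, the object name and the namespace, which is exactly the information needed to write a least-privilege rule instead of widening the ClusterRole. The following script is an added example, not code from the issue or from the apisix-ingress-controller project: it parses that denial format and emits the smallest Role/RoleBinding (or ClusterRole/ClusterRoleBinding for cluster-scoped denials) that would satisfy it, scoped with `resourceNames` where the verb allows it. The role name and the extra verbs (`update`, `create`) passed in the usage are assumptions for illustration; the page does not state which verbs the controller's leader election needs.

```python
# Added example (not from the issue): derive a least-privilege RBAC manifest
# from a Kubernetes "forbidden" error message.
import re
from typing import Optional

# Error line taken verbatim from the issue report above.
SAMPLE_ERROR = (
    'leases.coordination.k8s.io "ingress-apisix-leader" is forbidden: User '
    '"system:serviceaccount:ingress-apisix:ingress-apisix" cannot get resource '
    '"leases" in API group "coordination.k8s.io" in the namespace "default"'
)

# Shape of the API server's RBAC denial; namespace is absent for cluster scope.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)
NAMED_OBJECT_RE = re.compile(r'\S+ "(?P<name>[^"]+)" is forbidden')
SERVICE_ACCOUNT_RE = re.compile(r"system:serviceaccount:(?P<ns>[^:]+):(?P<sa>.+)")

# Verbs that resourceNames cannot (create, deletecollection) or should not
# (list, watch: only with a metadata.name field selector) be used to narrow.
UNNAMED_VERBS = {"create", "deletecollection", "list", "watch"}


def parse_forbidden(message: str) -> Optional[dict]:
    """Extract subject, verb, resource, group, namespace and object name."""
    m = FORBIDDEN_RE.search(message)
    if not m:
        return None
    denial = m.groupdict()
    named = NAMED_OBJECT_RE.search(message)
    denial["name"] = named.group("name") if named else None
    sa = SERVICE_ACCOUNT_RE.fullmatch(denial["user"])
    denial["sa_namespace"] = sa.group("ns") if sa else None
    denial["sa_name"] = sa.group("sa") if sa else None
    return denial


def minimal_rbac(denial: dict, role_name: str, extra_verbs=()) -> list:
    """Return [role, binding] dicts granting only the denied verb (plus any
    caller-supplied extra verbs) on the denied resource, in the denied scope."""
    if denial["sa_name"] is None:
        raise ValueError("only service-account subjects are handled here")
    namespaced = denial["namespace"] is not None
    verbs = sorted({denial["verb"], *extra_verbs})
    base = {"apiGroups": [denial["group"]], "resources": [denial["resource"]]}
    rules = []
    named_verbs = [v for v in verbs if v not in UNNAMED_VERBS]
    broad_verbs = [v for v in verbs if v in UNNAMED_VERBS]
    if named_verbs:  # narrow get/update/patch/delete to the one object
        rule = dict(base, verbs=named_verbs)
        if denial["name"]:
            rule["resourceNames"] = [denial["name"]]
        rules.append(rule)
    if broad_verbs:  # create/list/watch must stay unnamed
        rules.append(dict(base, verbs=broad_verbs))
    role = {"apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role" if namespaced else "ClusterRole",
            "metadata": {"name": role_name}, "rules": rules}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1",
               "kind": "RoleBinding" if namespaced else "ClusterRoleBinding",
               "metadata": {"name": role_name},
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                           "kind": role["kind"], "name": role_name},
               "subjects": [{"kind": "ServiceAccount", "name": denial["sa_name"],
                             "namespace": denial["sa_namespace"]}]}
    if namespaced:  # the binding lives where the object is, not where the SA is
        role["metadata"]["namespace"] = denial["namespace"]
        binding["metadata"]["namespace"] = denial["namespace"]
    return [role, binding]


def _scalar(v) -> str:
    return '""' if v == "" else str(v)


def _to_yaml(obj, indent: int = 0) -> list:
    """Tiny YAML emitter for nested dict/list/scalar data (no PyYAML needed)."""
    pad, lines = "  " * indent, []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if isinstance(v, (dict, list)) and v:
                lines.append(f"{pad}{k}:")
                lines.extend(_to_yaml(v, indent + 1))
            else:
                lines.append(f"{pad}{k}: {_scalar(v)}")
    else:
        for item in obj:
            if isinstance(item, dict):
                sub = _to_yaml(item, indent + 1)
                lines.append(f"{pad}- {sub[0].lstrip()}")
                lines.extend(sub[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return lines


def render(manifests: list) -> str:
    """Serialise manifests as a multi-document YAML string."""
    return "\n---\n".join("\n".join(_to_yaml(m)) for m in manifests) + "\n"


if __name__ == "__main__":
    denial = parse_forbidden(SAMPLE_ERROR)
    # Role name and extra verbs are assumed for illustration.
    print(render(minimal_rbac(denial, "ingress-apisix-leader-election",
                              extra_verbs=("update", "create"))))
```

The output for the issue's error is a Role in the `default` namespace (where the API server says the lease lives) bound to the `ingress-apisix:ingress-apisix` service account, with `get`/`update` limited to the `ingress-apisix-leader` lease and `create` granted on leases in that namespace only. Whether the lock should really live in `default` rather than `ingress-apisix` is a separate question the controller's configuration decides; the script only mirrors the denial it is given.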


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
