Re: Managing Routes with a Service Account

2018-07-17 Thread Eric D Helms
Thanks Clayton. I have made the modification to a ClusterRoleBinding but
still see the following output:

User \"system:serviceaccount:foreman:foreman-operator\" cannot get routes in project \"foreman\"","reason":"Forbidden","details":{"name":"foreman-http-pulp","kind":"routes"

Updated RBAC:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: foreman-operator
rules:
- apiGroups:
  - app.theforeman.org
  resources:
  - "*"
  verbs:
  - "*"
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - serviceaccounts
  verbs:
  - "*"
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - "*"
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - "*"
- apiGroups:
  - route.openshift.io
  resources:
  - routes
  - routes/status
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  verbs:
  - "*"
- apiGroups:
  - project.openshift.io
  resources:
  - projects
  verbs:
  - get

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: foreman-account-app-operator
subjects:
- kind: ServiceAccount
  name: foreman-operator
  namespace: foreman
roleRef:
  kind: ClusterRole
  name: foreman-operator
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: foreman-operator


On Tue, Jul 17, 2018 at 11:22 AM Clayton Coleman wrote:

> To access things across all namespaces, you need a ClusterRoleBinding, not
> a RoleBinding.  RoleBindings only give you access to the role scoped to the
> namespace the RoleBinding is in.
>
> On Tue, Jul 17, 2018 at 10:21 AM Eric D Helms wrote:
>
>> Howdy,
>>
>> I am trying to manage routes via a serviceaccount with the following but
>> running into an issue with permission denied:
>>
>> "User \"system:serviceaccount:foreman:foreman-operator\" cannot get
>> routes in the namespace \"foreman\""
>>
>> Resource Definitions:
>>
>> apiVersion: rbac.authorization.k8s.io/v1beta1
>> kind: ClusterRole
>> metadata:
>>   name: foreman-operator
>> rules:
>> - apiGroups:
>>   - app.theforeman.org
>>   resources:
>>   - "*"
>>   verbs:
>>   - "*"
>> - apiGroups:
>>   - ""
>>   resources:
>>   - pods
>>   - services
>>   - endpoints
>>   - persistentvolumeclaims
>>   - events
>>   - configmaps
>>   - secrets
>>   - serviceaccounts
>>   verbs:
>>   - "*"
>> - apiGroups:
>>   - apps
>>   resources:
>>   - deployments
>>   - daemonsets
>>   - replicasets
>>   - statefulsets
>>   verbs:
>>   - "*"
>> - apiGroups:
>>   - batch
>>   resources:
>>   - jobs
>>   verbs:
>>   - "*"
>> - apiGroups:
>>   - route.openshift.io
>>   resources:
>>   - routes
>>   - routes/status
>>   verbs:
>>   - create
>>   - delete
>>   - deletecollection
>>   - get
>>   - list
>>   - patch
>>   - update
>>   - watch
>> - apiGroups:
>>   - rbac.authorization.k8s.io
>>   resources:
>>   - roles
>>   verbs:
>>   - "*"
>>
>> ---
>>
>> kind: RoleBinding
>> apiVersion: rbac.authorization.k8s.io/v1beta1
>> metadata:
>>   name: foreman-account-app-operator
>>   namespace: foreman
>> subjects:
>> - kind: ServiceAccount
>>   name: foreman-operator
>> roleRef:
>>   kind: ClusterRole
>>   name: foreman-operator
>>   apiGroup: rbac.authorization.k8s.io
>>
>> ---
>>
>> apiVersion: v1
>> kind: ServiceAccount
>> metadata:
>>   name: foreman-operator
>>
>>
>> --
>> Eric D. Helms
>> Red Hat Engineering
>> Ph.D. Student - North Carolina State University
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>



Re: Managing Routes with a Service Account

2018-07-17 Thread Clayton Coleman
To access things across all namespaces, you need a ClusterRoleBinding, not
a RoleBinding.  RoleBindings only give you access to the role scoped to the
namespace the RoleBinding is in.

On Tue, Jul 17, 2018 at 10:21 AM Eric D Helms wrote:

> Howdy,
>
> I am trying to manage routes via a serviceaccount with the following but
> running into an issue with permission denied:
>
> "User \"system:serviceaccount:foreman:foreman-operator\" cannot get
> routes in the namespace \"foreman\""
>
> Resource Definitions:
>
> apiVersion: rbac.authorization.k8s.io/v1beta1
> kind: ClusterRole
> metadata:
>   name: foreman-operator
> rules:
> - apiGroups:
>   - app.theforeman.org
>   resources:
>   - "*"
>   verbs:
>   - "*"
> - apiGroups:
>   - ""
>   resources:
>   - pods
>   - services
>   - endpoints
>   - persistentvolumeclaims
>   - events
>   - configmaps
>   - secrets
>   - serviceaccounts
>   verbs:
>   - "*"
> - apiGroups:
>   - apps
>   resources:
>   - deployments
>   - daemonsets
>   - replicasets
>   - statefulsets
>   verbs:
>   - "*"
> - apiGroups:
>   - batch
>   resources:
>   - jobs
>   verbs:
>   - "*"
> - apiGroups:
>   - route.openshift.io
>   resources:
>   - routes
>   - routes/status
>   verbs:
>   - create
>   - delete
>   - deletecollection
>   - get
>   - list
>   - patch
>   - update
>   - watch
> - apiGroups:
>   - rbac.authorization.k8s.io
>   resources:
>   - roles
>   verbs:
>   - "*"
>
> ---
>
> kind: RoleBinding
> apiVersion: rbac.authorization.k8s.io/v1beta1
> metadata:
>   name: foreman-account-app-operator
>   namespace: foreman
> subjects:
> - kind: ServiceAccount
>   name: foreman-operator
> roleRef:
>   kind: ClusterRole
>   name: foreman-operator
>   apiGroup: rbac.authorization.k8s.io
>
> ---
>
> apiVersion: v1
> kind: ServiceAccount
> metadata:
>   name: foreman-operator
>
>
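A small evaluator of the scoping rule described above, added here as an example and not code from this thread or from OpenShift. It applies the thread's ClusterRole rules (trimmed to two entries) to the service account under a RoleBinding in foreman versus a ClusterRoleBinding, and also shows that a rule matches only the apiGroups it lists, so the same resource requested under another group is denied.

```python
"""Model of Kubernetes RBAC scoping for the thread's objects (constructed example).

A request is allowed when some binding names the subject, the binding applies
to the request's namespace (a RoleBinding only in its own namespace, a
ClusterRoleBinding everywhere), and one rule of the bound role matches the
request's apiGroup, resource and verb."""

# Two rules from the thread's ClusterRole "foreman-operator" (the rest omitted).
FOREMAN_OPERATOR_RULES = [
    {"apiGroups": [""], "resources": ["pods", "services", "secrets"], "verbs": ["*"]},
    {"apiGroups": ["route.openshift.io"],
     "resources": ["routes", "routes/status"],
     "verbs": ["create", "delete", "deletecollection", "get", "list",
               "patch", "update", "watch"]},
]

# Service account subject name, as it appears in the thread's error message.
SA = "system:serviceaccount:foreman:foreman-operator"

# The two bindings compared in the thread, both referencing the ClusterRole.
ROLE_BINDING = {"kind": "RoleBinding", "namespace": "foreman",
                "subjects": [SA], "rules": FOREMAN_OPERATOR_RULES}
CLUSTER_ROLE_BINDING = {"kind": "ClusterRoleBinding", "namespace": None,
                        "subjects": [SA], "rules": FOREMAN_OPERATOR_RULES}


def _match(allowed, value):
    # RBAC lists match exactly, or by the "*" wildcard; there is no prefix match.
    return "*" in allowed or value in allowed


def rule_allows(rule, group, resource, verb):
    return (_match(rule["apiGroups"], group)
            and _match(rule["resources"], resource)
            and _match(rule["verbs"], verb))


def can_i(bindings, subject, verb, resource, group, namespace):
    """True if any applicable binding carries a rule matching the request."""
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue  # RoleBinding grants nothing outside its own namespace
        if any(rule_allows(r, group, resource, verb) for r in b["rules"]):
            return True
    return False


def get_routes_allowed(binding, namespace, group="route.openshift.io"):
    return can_i([binding], SA, "get", "routes", group, namespace)
```

On a cluster the same question is answered by the API server itself with `oc auth can-i get routes --as=system:serviceaccount:foreman:foreman-operator -n foreman`, which avoids guessing at which binding applies.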


Managing Routes with a Service Account

2018-07-17 Thread Eric D Helms
Howdy,

I am trying to manage routes via a serviceaccount with the following but
running into an issue with permission denied:

"User \"system:serviceaccount:foreman:foreman-operator\" cannot get
routes in the namespace \"foreman\""

Resource Definitions:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: foreman-operator
rules:
- apiGroups:
  - app.theforeman.org
  resources:
  - "*"
  verbs:
  - "*"
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - serviceaccounts
  verbs:
  - "*"
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - "*"
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - "*"
- apiGroups:
  - route.openshift.io
  resources:
  - routes
  - routes/status
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  verbs:
  - "*"

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: foreman-account-app-operator
  namespace: foreman
subjects:
- kind: ServiceAccount
  name: foreman-operator
roleRef:
  kind: ClusterRole
  name: foreman-operator
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: foreman-operator

