Thanks Clayton. I have made the modification to a ClusterRoleBinding but
still see the following output:
User \\\"system:serviceaccount:foreman:foreman-operator\\\" cannot get
routes in project
\\\"foreman\\\"\",\"reason\":\"Forbidden\",\"details\":{\"name\":\"foreman-http-pulp\",\"kind\":\"routes\"
Updated RBAC:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: foreman-operator
rules:
- apiGroups:
  - app.theforeman.org
  resources:
  - "*"
  verbs:
  - "*"
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - serviceaccounts
  verbs:
  - "*"
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - "*"
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - "*"
- apiGroups:
  - route.openshift.io
  resources:
  - routes
  - routes/status
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  verbs:
  - "*"
- apiGroups:
  - project.openshift.io
  resources:
  - projects
  verbs:
  - get
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: foreman-account-app-operator
subjects:
- kind: ServiceAccount
  name: foreman-operator
  namespace: foreman
roleRef:
  kind: ClusterRole
  name: foreman-operator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: foreman-operator
On Tue, Jul 17, 2018 at 11:22 AM Clayton Coleman wrote:
> To access things across all namespaces, you need a ClusterRoleBinding, not
> a RoleBinding. RoleBindings only give you access to the role scoped to the
> namespace the RoleBinding is in.
>
> On Tue, Jul 17, 2018 at 10:21 AM Eric D Helms wrote:
>
>> Howdy,
>>
>> I am trying to manage routes via a serviceaccount with the following but
>> running into an issue with permission denied:
>>
>> "User \\\"system:serviceaccount:foreman:foreman-operator\\\" cannot get
>> routes in the namespace \\\"foreman\\\""
>>
>> Resource Definitions:
>>
>> apiVersion: rbac.authorization.k8s.io/v1beta1
>> kind: ClusterRole
>> metadata:
>>   name: foreman-operator
>> rules:
>> - apiGroups:
>>   - app.theforeman.org
>>   resources:
>>   - "*"
>>   verbs:
>>   - "*"
>> - apiGroups:
>>   - ""
>>   resources:
>>   - pods
>>   - services
>>   - endpoints
>>   - persistentvolumeclaims
>>   - events
>>   - configmaps
>>   - secrets
>>   - serviceaccounts
>>   verbs:
>>   - "*"
>> - apiGroups:
>>   - apps
>>   resources:
>>   - deployments
>>   - daemonsets
>>   - replicasets
>>   - statefulsets
>>   verbs:
>>   - "*"
>> - apiGroups:
>>   - batch
>>   resources:
>>   - jobs
>>   verbs:
>>   - "*"
>> - apiGroups:
>>   - route.openshift.io
>>   resources:
>>   - routes
>>   - routes/status
>>   verbs:
>>   - create
>>   - delete
>>   - deletecollection
>>   - get
>>   - list
>>   - patch
>>   - update
>>   - watch
>> - apiGroups:
>>   - rbac.authorization.k8s.io
>>   resources:
>>   - roles
>>   verbs:
>>   - "*"
>>
>> ---
>>
>> kind: RoleBinding
>> apiVersion: rbac.authorization.k8s.io/v1beta1
>> metadata:
>>   name: foreman-account-app-operator
>>   namespace: foreman
>> subjects:
>> - kind: ServiceAccount
>>   name: foreman-operator
>> roleRef:
>>   kind: ClusterRole
>>   name: foreman-operator
>>   apiGroup: rbac.authorization.k8s.io
>>
>> ---
>>
>> apiVersion: v1
>> kind: ServiceAccount
>> metadata:
>>   name: foreman-operator
>>
>>
>> --
>> Eric D. Helms
>> Red Hat Engineering
>> Ph.D. Student - North Carolina State University
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>
--
Eric D. Helms
Red Hat Engineering
Ph.D. Student - North Carolina State University
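The scope difference Clayton describes (a RoleBinding grants a role only inside its own namespace, a ClusterRoleBinding grants it everywhere) is easy to check offline with a small evaluator. The following is an added example and not code from the thread or from Foreman; it is a deliberately simplified model of Kubernetes RBAC (no role aggregation, resourceNames, non-resource URLs, or user/group subjects) fed with constructed dict versions of the manifests posted above, with the ServiceAccount's namespace spelled out in both bindings. It evaluates `get routes` in `route.openshift.io` for the `foreman-operator` ServiceAccount under each binding, in the `foreman` namespace and in another one, and also shows that the route rule does not cover the same resource name under a different apiGroup, since rules match on group, resource and verb together.

```python
"""Simplified Kubernetes RBAC evaluator (added example, not from the thread).

Models only what the thread discusses: ClusterRole rules and the scope
difference between a RoleBinding (one namespace) and a ClusterRoleBinding
(every namespace). Aggregation, resourceNames, nonResourceURLs and
User/Group subjects are intentionally left out.
"""

# Constructed manifests mirroring the ones posted in the thread, written as
# dicts so this runs without PyYAML. Only a subset of the rules is kept.
CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "foreman-operator"},
    "rules": [
        {"apiGroups": ["app.theforeman.org"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["pods", "services", "secrets"], "verbs": ["*"]},
        {"apiGroups": ["route.openshift.io"], "resources": ["routes", "routes/status"],
         "verbs": ["create", "delete", "deletecollection", "get", "list",
                   "patch", "update", "watch"]},
        {"apiGroups": ["project.openshift.io"], "resources": ["projects"], "verbs": ["get"]},
    ],
}

SA = {"kind": "ServiceAccount", "name": "foreman-operator", "namespace": "foreman"}

# First attempt from the thread: a RoleBinding that lives in namespace "foreman".
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "foreman-account-app-operator", "namespace": "foreman"},
    "subjects": [SA],
    "roleRef": {"kind": "ClusterRole", "name": "foreman-operator"},
}

# Corrected binding: cluster-wide.
CLUSTER_ROLE_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "foreman-account-app-operator"},
    "subjects": [SA],
    "roleRef": {"kind": "ClusterRole", "name": "foreman-operator"},
}


def _rule_allows(rule, verb, group, resource):
    """A PolicyRule matches when verb, apiGroup and resource all match.
    "*" is a wildcard; the core API group is the empty string."""
    return (
        any(g == "*" or g == group for g in rule.get("apiGroups", []))
        and any(r == "*" or r == resource for r in rule.get("resources", []))
        and any(v == "*" or v == verb for v in rule.get("verbs", []))
    )


def _same_subject(a, b):
    return (a.get("kind"), a.get("name"), a.get("namespace")) == \
           (b.get("kind"), b.get("name"), b.get("namespace"))


def can_i(manifests, subject, verb, group, resource, namespace):
    """True if some binding in `manifests` grants `subject` the request in `namespace`."""
    roles = {}
    for m in manifests:
        if m["kind"] == "ClusterRole":
            roles[("ClusterRole", None, m["metadata"]["name"])] = m["rules"]
        elif m["kind"] == "Role":
            roles[("Role", m["metadata"]["namespace"], m["metadata"]["name"])] = m["rules"]

    for b in manifests:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(_same_subject(s, subject) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        if b["kind"] == "ClusterRoleBinding":
            # Cluster-wide: the referenced ClusterRole applies in every namespace.
            if ref["kind"] != "ClusterRole":
                continue
            rules = roles.get(("ClusterRole", None, ref["name"]), [])
        else:
            # Namespaced: even a ClusterRole, when referenced from a RoleBinding,
            # only grants access inside the binding's own namespace.
            bns = b["metadata"]["namespace"]
            if bns != namespace:
                continue
            key = (("ClusterRole", None, ref["name"]) if ref["kind"] == "ClusterRole"
                   else ("Role", bns, ref["name"]))
            rules = roles.get(key, [])
        if any(_rule_allows(r, verb, group, resource) for r in rules):
            return True
    return False


def compare_bindings():
    """Evaluate `get routes` under both bindings from the thread."""
    req = ("get", "route.openshift.io", "routes")
    with_rb = [CLUSTER_ROLE, ROLE_BINDING]
    with_crb = [CLUSTER_ROLE, CLUSTER_ROLE_BINDING]
    return {
        "rolebinding/foreman": can_i(with_rb, SA, *req, namespace="foreman"),
        "rolebinding/other": can_i(with_rb, SA, *req, namespace="other"),
        "clusterrolebinding/foreman": can_i(with_crb, SA, *req, namespace="foreman"),
        "clusterrolebinding/other": can_i(with_crb, SA, *req, namespace="other"),
        # The route rule is keyed on route.openshift.io; the same resource name
        # requested under the core group is not covered by it.
        "clusterrolebinding/core-group": can_i(with_crb, SA, "get", "", "routes",
                                               namespace="foreman"),
    }


if __name__ == "__main__":
    for name, allowed in compare_bindings().items():
        print(f"{name}: {'allowed' if allowed else 'forbidden'}")
```

Against a live cluster the equivalent check is `oc auth can-i get routes.route.openshift.io -n foreman --as=system:serviceaccount:foreman:foreman-operator` (the `kubectl auth can-i` form works the same way); naming the resource with its group, as in the model above, avoids testing a different rule than the one the operator's request actually hits.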