Comments (5)
This may be resolved by #46.
@willkutler The operator itself will need permissions to grant the necessary permissions to Gatekeeper (prevents privilege escalation). I would suggest we look at either fixing #46, or providing a kustomize
overlay for this OpenShift specific RBAC permission.
from gatekeeper-operator.
We should not update the default SCCs in OpenShift. They even if we give permissions to the operator to update these permissions, OpenShift will eventually overwrite them back to how they're supposed to be. If we need an SCC with permissions that are not applicable by the default ones, the good practice is to create our own SCC.
Also, in RBAC, to use an SCC we need to use the verb use
.
from gatekeeper-operator.
I am not hitting smiliar permission issue after using latest bundle-index image built by this repo.
This time it was about psp. This is because psp was added in 3.2.1.
2020-12-07T19:33:25.807Z ERROR controller Reconciler error {"reconcilerGroup": "operator.gatekeeper.sh", "reconcilerKind": "Gatekeeper", "controller": "gatekeeper", "name": "gatekeeper", "namespace": "gatekeeper-system", "error": "Unable to deploy Gatekeeper resources: Error attempting to create resource /gatekeeper-admin: podsecuritypolicies.policy is forbidden: User \"system:serviceaccount:gatekeeper-system:default\" cannot create resource \"podsecuritypolicies\" in API group \"policy\" at the cluster scope", "errorVerbose": "podsecuritypolicies.policy is forbidden: User \"system:serviceaccount:gatekeeper-system:default\" cannot create resource \"podsecuritypolicies\" in API group \"policy\" at the cluster scope\nError attempting to create resource /gatekeeper-admin\ngithub.com/gatekeeper/gatekeeper-operator/controllers.(*GatekeeperReconciler).updateOrCreateResource\n\t/workspace/controllers/gatekeeper_controller.go:280\ngithub.com/gatekeeper/gatekeeper-operator/controllers.(*GatekeeperReconciler).deploy...
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:218
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:197
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156
k8s.io/apimachinery/pkg/util/wait.JitterUntil
/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133
k8s.io/apimachinery/pkg/util/wait.Until
/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90
from gatekeeper-operator.
I am not hitting smiliar permission issue after using latest bundle-index image built by this repo.
This time it was about psp. This is because psp was added in 3.2.1.2020-12-07T19:33:25.807Z ERROR controller Reconciler error {"reconcilerGroup": "operator.gatekeeper.sh", "reconcilerKind": "Gatekeeper", "controller": "gatekeeper", "name": "gatekeeper", "namespace": "gatekeeper-system", "error": "Unable to deploy Gatekeeper resources: Error attempting to create resource /gatekeeper-admin: podsecuritypolicies.policy is forbidden: User \"system:serviceaccount:gatekeeper-system:default\" cannot create resource \"podsecuritypolicies\" in API group \"policy\" at the cluster scope", "errorVerbose": "podsecuritypolicies.policy is forbidden: User \"system:serviceaccount:gatekeeper-system:default\" cannot create resource \"podsecuritypolicies\" in API group \"policy\" at the cluster scope\nError attempting to create resource /gatekeeper-admin\ngithub.com/gatekeeper/gatekeeper-operator/controllers.(*GatekeeperReconciler).updateOrCreateResource\n\t/workspace/controllers/gatekeeper_controller.go:280\ngithub.com/gatekeeper/gatekeeper-operator/controllers.(*GatekeeperReconciler).deploy... sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:218 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:197 k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1 /workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155 k8s.io/apimachinery/pkg/util/wait.BackoffUntil /workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156 k8s.io/apimachinery/pkg/util/wait.JitterUntil /workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133 k8s.io/apimachinery/pkg/util/wait.Until /workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90
@ycao56 This was caused by the bundle being out-of-date from the config manifests. I've created #75 to update the bundle and #76 to verify we don't miss it again in the future.
from gatekeeper-operator.
@ycao56 This should be fixed now so I am closing. Please re-open if that's not the case.
from gatekeeper-operator.
Related Issues (20)
- Add golangci-lint linter
- Update to Go 1.16
- Do not skip creating the Namespace asset in Kubernetes
- OpenShift: consider whether to add openshift-operators to exempt namespace
- Consider moving to ComponentConfig instead of CLI flags
- Remove role and rolebinding RBAC configs
- Add new Gatekeeper operator API options
- Upgrade Operator Gatekeeper API to v1alpha2 HOT 1
- Consider migrating to using goreleaser for releasing the operator
- Collect logs at the end of GitHub Actions Workflow CI
- Use sigstore to add security to releases
- Add dependabot for automating updates to dependencies
- Add support for Gatekeeper v3.6
- OpenShift: use default opt-in namespace selector for webhook configs
- Update yaml used for tests and alm-examples
- Add HPA
- [Question] Is there any way to specify operators (greater / less than) within a mutation policy? HOT 2
- New release for operatorhub HOT 2
- openshift-multus: admission webhook "check-ignore-label.gatekeeper.sh" denied
- Client-side throttling, pod restarts - need to update client-go HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gatekeeper-operator.