Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix rbac issue in rbd plugin #234

Merged
merged 2 commits into from
Feb 27, 2019
Merged

Fix rbac issue in rbd plugin #234

merged 2 commits into from
Feb 27, 2019

Conversation

Madhu-1
Copy link
Collaborator

@Madhu-1 Madhu-1 commented Feb 27, 2019

@Madhu-1
Fix rbac issue in rbd plugin
f4a0726 
remove unwanted rules and update
rbac to have permission to modify
endpoints and configmaps in the
current namespace.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
rootfs
rootfs reviewed Feb 27, 2019
View reviewed changes
deploy/rbd/kubernetes/csi-attacher-rbac.yaml
@@ -10,9 +10,6 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-external-attacher-runner
rules:
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "list", "watch", "update"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you add this too?
https://github.com/kubernetes-csi/external-attacher/blob/master/deploy/kubernetes/rbac.yaml#L31

rootfs
rootfs reviewed Feb 27, 2019
View reviewed changes
deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "create", "update"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto https://github.com/kubernetes-csi/external-provisioner/blob/master/deploy/kubernetes/rbac.yaml#L47

@Madhu-1
add csinodeinfos rules
2ab1f3e 
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
@Madhu-1
Copy link
Collaborator Author

Madhu-1 commented Feb 27, 2019

@rootfs done PTAL

@rootfs
Copy link
Member

rootfs commented Feb 27, 2019

@Madhu-1 thanks, can you update these rbd in Rook as well?

@rootfs rootfs merged commit 5cabfe7 into ceph:csi-v1.0 Feb 27, 2019
kfox1111
kfox1111 reviewed Feb 27, 2019
View reviewed changes
Copy link
Contributor

@kfox1111 kfox1111 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, but needs a helm version bump.

@Madhu-1 Madhu-1 mentioned this pull request Feb 28, 2019
Closed
5 tasks
@dylanzr
Copy link
Contributor

dylanzr commented Mar 2, 2019

I get errors due to the removal of events from the provisioner. We're managing volumes outside of the namespace where the CSI components live. Is this something that should be added back for the provisioner?

E0302 22:02:07.575764       1 event.go:203] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"golden-centos76.1588435a7e57ee35", GenerateName:"", Namespace:"golden-images", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Initializers:(*v1.Initializers)(nil), Finalizers:[]string(nil), ClusterName:""}, InvolvedObject:v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"golden-images", Name:"golden-centos76", UID:"d2110b53-3d36-11e9-88bd-0a580a80000c", APIVersion:"v1", ResourceVersion:"18717044", FieldPath:""}, Reason:"ProvisioningSucceeded", Message:"Successfully provisioned volume pvc-d2110b53-3d36-11e9-88bd-0a580a80000c", Source:v1.EventSource{Component:"csi-rbdplugin_csi-rbdplugin-provisioner-0_4bc15f22-3d36-11e9-93ba-da75cd15e5f4", Host:""}, FirstTimestamp:v1.Time{Time:time.Time{wall:0xbf16dd37e244f835, ext:231754289826, loc:(*time.Location)(0x227cd40)}}, LastTimestamp:v1.Time{Time:time.Time{wall:0xbf16dd37e244f835, ext:231754289826, loc:(*time.Location)(0x227cd40)}}, Count:1, Type:"Normal", EventTime:v1.MicroTime{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:default:rbd-csi-provisioner" cannot create resource "events" in API group "" in the namespace "golden-images"' (will not retry!)

Madhu-1 added a commit to Madhu-1/ceph-csi that referenced this pull request Mar 4, 2019
@Madhu-1
add event rules for provisioner
2df73e5 
Fixes: #ceph#234 (comment)

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
@Madhu-1 Madhu-1 mentioned this pull request Mar 4, 2019
Merged
mergify bot pushed a commit that referenced this pull request Mar 4, 2019
@Madhu-1 @mergify
add event rules for provisioner
c074548 
Fixes: ##234 (comment)

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
wilmardo pushed a commit to wilmardo/ceph-csi that referenced this pull request Jul 29, 2019
@rootfs
Merge pull request ceph#234 from Madhu-1/fix-rbac
e810180 
Fix rbac issue in rbd plugin
wilmardo pushed a commit to wilmardo/ceph-csi that referenced this pull request Jul 29, 2019
@Madhu-1 @mergify
add event rules for provisioner
62c2505 
Fixes: #ceph#234 (comment)

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
yati1998 pushed a commit to yati1998/ceph-csi that referenced this pull request Feb 20, 2024
@openshift-merge-bot
Merge pull request ceph#234 from red-hat-storage/sync_ds--release-v3.10
9033b8d 
Syncing latest changes from release-v3.10 for ceph-csi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kfox1111 kfox1111 kfox1111 left review comments

@rootfs rootfs rootfs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Madhu-1 @rootfs @dylanzr @kfox1111