Comments (10)
Have you created a ClusterRole like this?
And a ClusterRoleBinding that gives permission like this?
from kcp.
Hi @ncdc
Yes, I did.
```
k get clusterrole
NAME                                 CREATED AT
system:kcp:apiexport:workload:bind   2023-04-10T15:37:03Z
k get clusterrolebinding
NAME                                               ROLE                                             AGE
system:kcp:authenticated:apiexport:workload:bind   ClusterRole/system:kcp:apiexport:workload:bind   42s
workspace-admin                                    ClusterRole/cluster-admin                        2m31s
```
from kcp.
Please share the yaml for your ClusterRole - thanks
from kcp.
Please find the yaml below, it's almost the same one.
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:kcp:apiexport:workload:bind
rules:
- apiGroups: ["apis.kcp.io"]
  resources:
  - "apiexports"
  resourceNames:
  - "workload.kcp.io"
  verbs: ["bind"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:kcp:authenticated:apiexport:workload:bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kcp:apiexport:workload:bind
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
```
from kcp.
The `resourceNames` entry has to match the name of your APIExport. From the error `no permission to bind to export root:my-ws:kubernetes`, it appears your APIExport's name is `kubernetes`. Please try adjusting the ClusterRole and replace
```yaml
resourceNames:
- "workload.kcp.io"
```
with
```yaml
resourceNames:
- "kubernetes"
```
I would also recommend you change the metadata.names for the ClusterRole and ClusterRoleBinding (along with the roleRef.name) to something that is specific to your setup (system:kcp:apiexport:workload:bind and system:kcp:authenticated:apiexport:workload:bind are names we created in kcp for system components).
from kcp.
Hi @ncdc
Updated with below and still the same issue.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: testcrname1
rules:
- apiGroups: [“apis.kcp.io”]
  resources:
  - “apiexports”
  resourceNames:
  - “kubernetes”
  verbs: [“bind”]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: testcrbindingname1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: testcrname1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
```
Issue:
"failed to create the APIBinding in workspace root:apps: apibindings.apis.kcp.io \"kubernetes-zoa19yed\" is forbidden: unable to create APIBinding: no permission to bind to export root:infrastructure:kubernetes",
Could you kindly tell me if I'm missing anything here?
from kcp.
Could you please share the exact output from:
```
kubectl get clusterrole/testcrname1 -oyaml
kubectl get clusterrolebinding/testcrbindingname1 -oyaml
```
from kcp.
Kindly find the output below:
```
k get clusterrole.rbac.authorization.k8s.io/testcrname1 -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kcp.io/cluster: root
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"testcrname1"},"rules":[{"apiGroups":["“apis.kcp.io”"],"resourceNames":["“kubernetes”"],"resources":["“apiexports”"],"verbs":["“bind”"]}]}
  creationTimestamp: "2023-04-26T02:48:31Z"
  name: testcrname1
  resourceVersion: "336"
  uid: 985d0b6f-21ff-43f4-961b-ff34ab41894e
rules:
- apiGroups:
  - “apis.kcp.io”
  resourceNames:
  - “kubernetes”
  resources:
  - “apiexports”
  verbs:
  - “bind”
kubectl get clusterrolebinding/testcrbindingname1 -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    kcp.io/cluster: root
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"testcrbindingname1"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"testcrname1"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:authenticated"}]}
  creationTimestamp: "2023-04-26T02:48:31Z"
  name: testcrbindingname1
  resourceVersion: "337"
  uid: b5be00b6-2630-47ef-a1bb-dbe78c1ae40d
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: testcrname1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
```
from kcp.
It looks like you've created these in the `root` workspace. Instead, please try placing them in the workspace where your `kubernetes` `APIExport` lives, which I believe is `root:infrastructure`?
from kcp.
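Added example, not part of the thread and not kcp code: a Python check that takes the denial message and a ClusterRole and reports the two conditions raised in the replies above (the role must sit in the workspace the export lives in, and `resourceNames` must contain the APIExport's name), plus typographic quotes inside rule values, which the stored rules in the `kubectl` output above contain and which RBAC's exact string comparison will not match against `apis.kcp.io`, `apiexports`, `bind` or `kubernetes`. The function names and the `applied_in` parameter (the workspace the caller applied the role in) are hypothetical, the matched attributes are assumed to be the ones in the thread's ClusterRole, and the sample input is constructed from the error and output quoted in the thread.

```python
import re

SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # YAML keeps these as part of the value

def parse_denial(message):
    """Return (workspace path, APIExport name) from a kcp bind denial message."""
    m = re.search(r"no permission to bind to export ([\w.:-]+)", message)
    if not m:
        raise ValueError("not a bind denial")
    workspace, _, name = m.group(1).rpartition(":")
    return workspace, name

def rule_allows(rule, export_name):
    """Exact string matching, as RBAC does, on the attributes used in the thread's ClusterRole."""
    def has(field, wanted):
        values = rule.get(field, [])
        return wanted in values or "*" in values
    names = rule.get("resourceNames", [])  # an empty list means any name
    return (has("apiGroups", "apis.kcp.io") and has("resources", "apiexports")
            and has("verbs", "bind") and (not names or export_name in names))

def check_bind_rbac(message, role, applied_in):
    """List reasons the ClusterRole, applied in workspace `applied_in`, cannot permit the bind."""
    export_ws, export_name = parse_denial(message)
    findings = []
    if applied_in != export_ws:
        findings.append(f"workspace: role is in {applied_in}, export is in {export_ws}")
    for rule in role.get("rules", []):
        for field, values in rule.items():
            for value in values:
                if any(q in value for q in SMART_QUOTES):
                    findings.append(f"quotes: {field} holds {value}")
    if not any(rule_allows(r, export_name) for r in role.get("rules", [])):
        findings.append(f"rule: nothing grants bind on apiexports/{export_name}")
    return findings

# Constructed sample input, re-typed from the error and the kubectl output in the thread.
DENIAL = ('apibindings.apis.kcp.io "kubernetes-zoa19yed" is forbidden: unable to create '
          'APIBinding: no permission to bind to export root:infrastructure:kubernetes')
POSTED_ROLE = {"rules": [{"apiGroups": ["\u201capis.kcp.io\u201d"],
                          "resourceNames": ["\u201ckubernetes\u201d"],
                          "resources": ["\u201capiexports\u201d"],
                          "verbs": ["\u201cbind\u201d"]}]}
PLAIN_ROLE = {"rules": [{"apiGroups": ["apis.kcp.io"], "resourceNames": ["kubernetes"],
                         "resources": ["apiexports"], "verbs": ["bind"]}]}

if __name__ == "__main__":
    for finding in check_bind_rbac(DENIAL, POSTED_ROLE, applied_in="root"):
        print(finding)
```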
Closing since there has not been a response, please reopen if it is still an unresolved issue.
from kcp.