Comments (10)
ncdc
commented on June 1, 2024
Have you created a ClusterRole like this?
And a ClusterRoleBinding that gives permission like this?
from kcp.
dilipmighty245
commented on June 1, 2024
Hi @ncdc
Yes i did.
k get clusterrole
NAME CREATED AT
system:kcp:apiexport:workload:bind 2023-04-10T15:37:03Z
k get clusterrolebinding
NAME ROLE AGE
system:kcp:authenticated:apiexport:workload:bind ClusterRole/system:kcp:apiexport:workload:bind 42s
workspace-admin ClusterRole/cluster-admin 2m31s
from kcp.
ncdc
commented on June 1, 2024
Please share the yaml for your ClusterRole - thanks
from kcp.
dilipmighty245
commented on June 1, 2024
Please find the yaml below, its almost the same one.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:kcp:apiexport:workload:bind
rules:
- apiGroups: ["apis.kcp.io"]
resources:
- "apiexports"
resourceNames:
- "workload.kcp.io"
verbs: ["bind"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:kcp:authenticated:apiexport:workload:bind
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kcp:apiexport:workload:bind
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
from kcp.
ncdc
commented on June 1, 2024
The resourceNames entry has to match the name of your APIExport. From the error no permission to bind to export root:my-ws:kubernetes, it appears your APIExport's name is kubernetes. Please try adjusting the ClusterRole and replace
resourceNames:
- "workload.kcp.io"
with
resourceNames:
- "kubernetes"
I would also recommend you change the metadata.names for the ClusterRole and ClusterRoleBinding (along with the roleRef.name) to something that is specific to your setup (system:kcp:apiexport:workload:bind and system:kcp:authenticated:apiexport:workload:bind are names we created in kcp for system components).
from kcp.
dilipmighty245
commented on June 1, 2024
Hi @ncdc
Updated with below and still the same issue.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: testcrname1
rules:
- apiGroups: [“apis.kcp.io”]
resources:
- “apiexports”
resourceNames:
- “kubernetes”
verbs: [“bind”]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: testcrbindingname1
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: testcrname1
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated```
Issue:
"failed to create the APIBinding in workspace root:apps: apibindings.apis.kcp.io \"kubernetes-zoa19yed\" is forbidden: unable to create APIBinding: no permission to bind to export root:infrastructure:kubernetes",
Could you kindly tell me If I'm missing anything here?
from kcp.
ncdc
commented on June 1, 2024
Could you please share the exact output from:
kubectl get clusterole/testcrname1 -oyaml
kubectl get clusterrolebinding/testcrbindingname1 -oyaml
from kcp.
dilipmighty245
commented on June 1, 2024
Kindly find the output below:
k get clusterrole.rbac.authorization.k8s.io/testcrname1 -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
kcp.io/cluster: root
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"testcrname1"},"rules":[{"apiGroups":["“apis.kcp.io”"],"resourceNames":["“kubernetes”"],"resources":["“apiexports”"],"verbs":["“bind”"]}]}
creationTimestamp: "2023-04-26T02:48:31Z"
name: testcrname1
resourceVersion: "336"
uid: 985d0b6f-21ff-43f4-961b-ff34ab41894e
rules:
- apiGroups:
- “apis.kcp.io”
resourceNames:
- “kubernetes”
resources:
- “apiexports”
verbs:
- “bind”
kubectl get clusterrolebinding/testcrbindingname1 -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
kcp.io/cluster: root
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"testcrbindingname1"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"testcrname1"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:authenticated"}]}
creationTimestamp: "2023-04-26T02:48:31Z"
name: testcrbindingname1
resourceVersion: "337"
uid: b5be00b6-2630-47ef-a1bb-dbe78c1ae40d
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: testcrname1
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
from kcp.
ncdc
commented on June 1, 2024
It looks like you've created these in the root workspace. Instead, please try placing them in the workspace where your kubernetes APIExport lives, which I believe is root:infrastructure?
from kcp.
embik
commented on June 1, 2024
Closing since there has not been a response, please reopen if it is still an unresolved issue.
from kcp.
Related Issues (20)
- Community Meeting July 6 2023 HOT 9
- Community Meeting July 20, 2023 HOT 3
- Investigate failing tests pull-kcp-test-e2e-shared, pull-kcp-test-e2e-sharded, pull-kcp-lint HOT 1
- Community Meeting August 10, 2023 HOT 7
- Community Meeting August 17, 2023 (canceled) HOT 3
- Community Meeting August 31, 2023 HOT 4
- epic: Kubernetes 1.28 HOT 1
- Community Meeting September 14, 2023 HOT 2
- bug: `kubectl-ws '~'` changes hostname used in kubeconfig server URL HOT 10
- Community Meeting September 28, 2023 HOT 3
- bug: leaking memory and goroutines HOT 8
- Pointer: NFD Feature request for MultiCluster environments HOT 1
- bug: no v0.21.0 image published HOT 2
- bug: High CPU and memory consumption HOT 2
- bug: Wire in dev certificate for mounts in `kcp start` HOT 2
- epic: Kubernetes 1.30
- feature: add kcp-controller-manager standalone binary
- bug: Use kcp start command HOT 1
- bug: ServiceAccount token access leak HOT 2
- bug: ws tree does not work for home clusters HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kcp.