Description
It is always required to have a ClusterRole and ClusterRoleBinding for the cert-manager-istio-csr deployment. I tried to convert the ClusterRole and ClusterRoleBinding into a Role and RoleBinding to have istio-csr per namespace, but things are not working as expected.
Role rules:

```yaml
# Role (rules only)
rules:
- apiGroups:
  - cert-manager.io
  resources:
  - certificaterequests
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - create
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
---
# RoleBinding
metadata:
  name: ns1-istio-csr
  namespace: ns1
  resourceVersion: "3964"
  uid: d8f7fa1b-ef26-4726-80fd-d66bcccf7071
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ns1-istio-csr
subjects:
- kind: ServiceAccount
  name: ns1-istio-csr
  namespace: ns1
- kind: ServiceAccount
  name: ns1-istio-csr
  namespace: istio-system
```
istio-csr arguments adjusted to the namespace as below:
```yaml
# controller
- "--leader-election-namespace=ns1"
- "--configmap-namespace-selector=kubernetes.io/metadata.name=ns1"
# cert-manager
- "--certificate-namespace=ns1"
- "--issuer-name=istio-ca"
- "--issuer-kind=Issuer"
- "--issuer-group=cert-manager.io"
- "--preserve-certificate-requests=false"
```
Associated the service account ns1:ns1-istio-csr with the istio-csr pod, but I am still getting the errors below. Could someone help me fix this issue w/o cluster-scoped roles and rolebindings?
```
m:serviceaccount:ns1:ns1-istio-csr" cannot list resource "configmaps" in API group "" at the cluster scope
2023-12-06T11:56:13.077264Z error klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1.PartialObjectMetadata: failed to list *v1.PartialObjectMetadata: configmaps is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "configmaps" in API group "" at the cluster scope
2023-12-06T11:56:13.077374Z info klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "namespaces" in API group "" at the cluster scope
2023-12-06T11:56:13.077402Z error klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "namespaces" in API group "" at the cluster scope
2023-12-06T11:56:14.250575Z info klog Listing and watching *v1.PartialObjectMetadata from pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229
2023-12-06T11:56:14.251608Z info klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: failed to list *v1.PartialObjectMetadata: configmaps is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "configmaps" in API group "" at the cluster scope
2023-12-06T11:56:14.251680Z error klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1.PartialObjectMetadata: failed to list *v1.PartialObjectMetadata: configmaps is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "configmaps" in API group "" at the cluster scope
2023-12-06T11:56:14.314131Z info klog Listing and watching *v1.Namespace from pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229
2023-12-06T11:56:14.316292Z info klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "namespaces" in API group "" at the cluster scope
2023-12-06T11:56:14.316690Z error klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "namespaces" in API group "" at the cluster scope
```
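The log lines above carry the answer to why the Role does not help: each denial ends in "at the cluster scope", meaning the list request carried no namespace. In Kubernetes RBAC a Role bound by a RoleBinding only applies to requests that name that binding's namespace, so a cluster-wide list of configmaps, or any request for the cluster-scoped `namespaces` resource, can never be satisfied by a Role no matter which verbs it lists. The script below is an added example, not code from the issue author or from the istio-csr project: it parses the RBAC "forbidden" messages from the page's log, evaluates each request against the Role rules from the issue using the same namespace rule the API server applies, and aggregates the cluster-scope denials into the smallest ClusterRole rules that would clear them. The Role rules and the two log lines are copied from the issue; the namespaced request used for contrast is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Namespaced Role from the issue, flattened to plain dicts (copied from the page).
ROLE_NS = "ns1"
ROLE_RULES = [
    {"apiGroups": ["cert-manager.io"], "resources": ["certificaterequests"],
     "verbs": ["get", "list", "create", "update", "delete", "watch"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "verbs": ["get", "list", "create", "update", "watch"]},
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"],
     "verbs": ["create"]},
]

# Two denial lines copied verbatim from the issue's klog output.
SAMPLE_LOG = [
    '2023-12-06T11:56:13.077264Z error klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: '
    'Failed to watch *v1.PartialObjectMetadata: failed to list *v1.PartialObjectMetadata: configmaps is '
    'forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" cannot list resource "configmaps" in API '
    'group "" at the cluster scope',
    '2023-12-06T11:56:13.077374Z info klog pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: '
    'failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:ns1:ns1-istio-csr" '
    'cannot list resource "namespaces" in API group "" at the cluster scope',
]


@dataclass(frozen=True)
class Request:
    verb: str
    group: str          # "" is the core API group
    resource: str
    namespace: Optional[str]   # None means the request carried no namespace (cluster scope)


# Shape of the API server's RBAC denial text: either "at the cluster scope" or
# 'in the namespace "<ns>"' closes the message.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)


def parse_forbidden(line):
    """Return (user, Request) for an RBAC forbidden message, or None for other lines."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        return None
    return m.group("user"), Request(m.group("verb"), m.group("group"),
                                    m.group("resource"), m.group("ns"))


def rule_matches(rule, req):
    """Does one PolicyRule cover the verb/group/resource of the request?"""
    return ((req.group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (req.resource in rule["resources"] or "*" in rule["resources"])
            and (req.verb in rule["verbs"] or "*" in rule["verbs"]))


def allowed_by_role(rules, role_namespace, req):
    """Mirror the authorizer for a Role bound via a RoleBinding in role_namespace:
    the rules are only consulted for requests that name that namespace. A request
    without a namespace (cluster-wide list/watch, or a cluster-scoped resource such
    as namespaces) is rejected before the verbs are even looked at."""
    if req.namespace != role_namespace:
        return False
    return any(rule_matches(rule, req) for rule in rules)


def minimal_clusterrole(requests):
    """Aggregate the cluster-scope denials into the smallest ClusterRole rules that
    would satisfy exactly what was observed (one rule per group/resource)."""
    verbs_by_resource = {}
    for req in requests:
        if req.namespace is None:
            verbs_by_resource.setdefault((req.group, req.resource), set()).add(req.verb)
    return [{"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
            for (group, resource), verbs in sorted(verbs_by_resource.items())]


def analyse(lines, rules=ROLE_RULES, role_namespace=ROLE_NS):
    """Return [(Request, allowed_by_role)] for every forbidden message in the log."""
    results = []
    for line in lines:
        parsed = parse_forbidden(line)
        if parsed is not None:
            _, req = parsed
            results.append((req, allowed_by_role(rules, role_namespace, req)))
    return results


if __name__ == "__main__":
    for req, ok in analyse(SAMPLE_LOG):
        print(f"{req.verb} {req.resource} scope={req.namespace or 'cluster'} -> "
              f"{'allowed' if ok else 'DENIED'} by Role in {ROLE_NS}")
    # Constructed contrast request: the same verb inside ns1 is covered by the Role.
    print(allowed_by_role(ROLE_RULES, ROLE_NS, Request("list", "", "configmaps", "ns1")))
    print(minimal_clusterrole([r for r, _ in analyse(SAMPLE_LOG)]))
```

The derived rules are a lower bound, not a drop-in fix: a reflector needs `watch` as well as `list`, and the log can only show the watch denial after the list succeeds, so re-run the log analysis after each change rather than trusting a single pass. The on-cluster equivalent of `allowed_by_role` is `kubectl auth can-i list configmaps --all-namespaces --as=system:serviceaccount:ns1:ns1-istio-csr`, which answers "no" for this Role while the same query with `-n ns1` answers "yes".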