@solsson solsson commented Aug 2, 2017

API use from within pods gets permission denied with Kubernetes 1.7 on GKE. RBAC makes sense and we should learn to use it. Docs are ok but thin on conventions. I searched around but I guess the role and service account naming needs discussion.

I failed to get curl calls like in #39 to auth as system:serviceaccount:kafka:kafka but kubectl solved that and also makes it handy to extract a label value.

solsson added 9 commits August 2, 2017 12:53
adding myself to cluster-admin clusterrole
instead of curl. Could it be that curl is based on Alpine?
but be prepared for misleading error messages (for an RBAC noob like me)
when your operation does not match the Role's rights:

```
root@test-rack-awareness-267009956-k0ffs:/opt/kafka# kubectl get pod $HOSTNAME
NAME                                  READY     STATUS    RESTARTS   AGE
test-rack-awareness-267009956-k0ffs   1/1       Running   0          14m
root@test-rack-awareness-267009956-k0ffs:/opt/kafka# kubectl get pods
Error from server (Forbidden): User "system:serviceaccount:kafka:kafka" cannot list pods in the namespace "kafka".: "Unknown user \"system:serviceaccount:kafka:kafka\"" (get pods)
```
and service account for debugging
solsson commented Aug 2, 2017

TODO make init container fast again by switching to an image with kubectl, but beware of 56f0f9c and b3a6bbc

@solsson solsson mentioned this pull request Aug 3, 2017
solsson commented Aug 3, 2017

Without `serviceAccountName: kafka`, kubectl tries `system:serviceaccount:kafka:default`, so maybe we should name the ServiceAccount `default` so RBAC can be set up without affecting the kafka manifest.

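The Forbidden error in the commit log above (a `get` on one pod succeeds, a `list` of pods is refused) and the point about the `default` ServiceAccount both follow from how RBAC matches a request against Role rules and RoleBinding subjects. The following is an added example written for this page, not code from the kubernetes-kafka project: a small model of that matching logic with the Role, RoleBinding, namespace and pod name chosen for illustration. It only covers namespaced Roles bound to ServiceAccount subjects; real Kubernetes RBAC also evaluates ClusterRoles, ClusterRoleBindings, User and Group subjects and the `system:serviceaccounts` groups, which are left out here.

```python
"""Added example (not code from the kubernetes-kafka PR): a minimal model of
Kubernetes RBAC authorization. Role/RoleBinding contents, the namespace and
the pod name below are assumptions made for illustration."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    api_groups: List[str]            # "" is the core API group (pods, services, ...)
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


@dataclass
class Role:
    namespace: str
    name: str
    rules: List[Rule]


@dataclass
class RoleBinding:
    namespace: str
    role: str
    subjects: List[str]              # ServiceAccount subjects as "<namespace>/<name>"


@dataclass
class Request:
    user: str                        # e.g. system:serviceaccount:kafka:kafka
    verb: str                        # get, list, watch, create, ...
    resource: str
    namespace: str
    api_group: str = ""
    name: Optional[str] = None       # set for single-object requests, None for list/watch


def service_account_of(user: str) -> Optional[str]:
    """Map system:serviceaccount:<ns>:<name> to "<ns>/<name>"; other users get None."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return f"{parts[2]}/{parts[3]}"
    return None


def rule_allows(rule: Rule, req: Request) -> bool:
    """A rule matches when group, resource and verb are all covered ("*" covers everything)."""
    def covers(allowed: List[str], value: str) -> bool:
        return "*" in allowed or value in allowed

    if not (covers(rule.api_groups, req.api_group)
            and covers(rule.resources, req.resource)
            and covers(rule.verbs, req.verb)):
        return False
    if rule.resource_names:
        # A name-scoped rule can only match a request that names one object;
        # list and watch carry no object name, so they never match such a rule.
        return req.name is not None and req.name in rule.resource_names
    return True


def authorize(req: Request, roles: List[Role], bindings: List[RoleBinding]) -> bool:
    """Allowed iff some RoleBinding in the request namespace names the caller's
    ServiceAccount and its Role has a rule covering the request. Anything not
    explicitly allowed is Forbidden."""
    sa = service_account_of(req.user)
    roles_by_key: Dict[tuple, Role] = {(r.namespace, r.name): r for r in roles}
    for b in bindings:
        if b.namespace != req.namespace or sa not in b.subjects:
            continue
        role = roles_by_key.get((b.namespace, b.role))
        if role is not None and any(rule_allows(r, req) for r in role.rules):
            return True
    return False


def scenario() -> Dict[str, bool]:
    """Constructed scenario: a Role granting only `get` on pods, bound to the
    ServiceAccount kafka/kafka. Mirrors the commit-log transcript above."""
    roles = [Role("kafka", "pod-reader", [Rule([""], ["pods"], ["get"])])]
    bindings = [RoleBinding("kafka", "pod-reader", ["kafka/kafka"])]
    pod = "test-rack-awareness-267009956-k0ffs"  # assumed pod name
    as_kafka = "system:serviceaccount:kafka:kafka"
    as_default = "system:serviceaccount:kafka:default"  # identity when serviceAccountName is unset
    return {
        # kubectl get pod $HOSTNAME: single object, verb get -> allowed
        "get named pod as kafka": authorize(Request(as_kafka, "get", "pods", "kafka", name=pod), roles, bindings),
        # kubectl get pods: verb list, not in the Role -> Forbidden
        "list pods as kafka": authorize(Request(as_kafka, "list", "pods", "kafka"), roles, bindings),
        # same Role, but the pod runs as the default ServiceAccount, which the binding does not name
        "get named pod as default": authorize(Request(as_default, "get", "pods", "kafka", name=pod), roles, bindings),
    }


if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case}: {'allowed' if allowed else 'Forbidden'}")
```

The third case is the naming point: either the Pod spec sets `serviceAccountName: kafka`, or the RoleBinding (and the Role it points to) is attached to the `default` ServiceAccount of the namespace, so that the kafka manifest itself needs no change. In a real cluster, `kubectl auth can-i list pods --namespace kafka --as system:serviceaccount:kafka:kafka` answers the same question against the live RBAC configuration.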
solsson commented Aug 5, 2017

With #59 RBAC has no effect on core manifests, and works in-container with curl.

@solsson solsson closed this Aug 5, 2017
solsson added a commit that referenced this pull request Jan 8, 2018