[Ansible-service-broker] cluster-role escalation

John Matthews jmatthew at redhat.com
Wed Jan 31 11:13:20 UTC 2018


Mo,

Do you have any thoughts on the issue Ryan mentions below on being unable
to create a rolebinding that is cluster-admin?
For background, this is for enabling the Broker to deploy APBs that will
modify cluster infrastructure...not a typical application/service but
special APBs that require extra privileges.

On Tue, Jan 30, 2018 at 9:56 PM, Ryan Hallisey <rhallise at redhat.com> wrote:

> Karim,
>
> I think I have a workaround patch that will get provision working for
> the kubevirt-apb.  Instructions for how to test it are in the commit
> message.
>
> https://github.com/rthallisey/ansible-service-broker/commit/f27e0538959c43d47d2ff80bba1e894f2249ad62
>
> To summarize for folks what I think is happening. We need the apb to
> have the cluster-admin role so it can create cluster-roles.  To do
> this, set sandbox_role: cluster-admin, auto_escalate: true, and make
> the asb user cluster-admin.  Then when you provision, you'll hit this
> issue: https://github.com/openshift/ansible-service-broker/issues/711.
> The rolebinding fails to create with the error:
>   rolebindings.rbac.authorization.k8s.io
> "apb-9c21c424-7091-4bc1-b5c5-0caa08aeec39" is forbidden: attempt to
> grant extra privileges.
> It seems that we can't create a rolebinding that is cluster-admin.
> I'm still exploring for the reason why it fails, but my theory is that
> the cluster-admin role gives access outside the scope of a role so it
> requires a clusterrolebinding. With the clusterrolebinding created
> with cluster-admin permissions, I was able to create cluster-resources
> from the apb.
>
> Thanks,
> -Ryan
>
> _______________________________________________
> Ansible-service-broker mailing list
> Ansible-service-broker at redhat.com
> https://www.redhat.com/mailman/listinfo/ansible-service-broker
>
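The "attempt to grant extra privileges" error quoted above is the API server's RBAC escalation-prevention check: a requester may only create a RoleBinding or ClusterRoleBinding if it already holds, in the scope the binding covers, every permission the referenced role grants. The Python below is an added teaching model of that rule, written for this page; it is not code from the broker, from kubevirt-apb or from Kubernetes, and the names `Rule`, `Requester`, `escalating_rules`, the two constructed service accounts and the abbreviated `edit` role are assumptions made here. It shows why binding `cluster-admin` in a namespace is refused for a subject that only holds namespaced rights, and admitted once the subject holds `cluster-admin` cluster-wide.

```python
"""Simplified model of Kubernetes RBAC escalation prevention.

Constructed teaching example, not code from the broker or from Kubernetes.
The API server only lets a requester create a (Cluster)RoleBinding if the
requester already holds, in the scope the binding covers, every permission
the referenced role grants; otherwise it rejects the request with
"... is forbidden: attempt to grant extra privileges".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALL = frozenset({"*"})


@dataclass(frozen=True)
class Rule:
    """One PolicyRule: which verbs on which resources in which API groups."""
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset

    def covers(self, wanted: "Rule") -> bool:
        """True if this rule grants everything `wanted` grants ('*' matches all)."""
        def superset(have, need):
            return "*" in have or need <= have
        return (superset(self.api_groups, wanted.api_groups)
                and superset(self.resources, wanted.resources)
                and superset(self.verbs, wanted.verbs))


@dataclass
class Requester:
    """Permissions a subject already holds, split by where they were granted."""
    cluster_rules: List[Rule] = field(default_factory=list)             # via ClusterRoleBindings
    namespaced_rules: Dict[str, List[Rule]] = field(default_factory=dict)  # via RoleBindings

    def rules_in_scope(self, namespace: Optional[str]) -> List[Rule]:
        """Rules effective for a binding in `namespace` (None = cluster-wide binding)."""
        held = list(self.cluster_rules)
        if namespace is not None:
            held += self.namespaced_rules.get(namespace, [])
        return held


def escalating_rules(requester: Requester, role_rules: List[Rule],
                     namespace: Optional[str]) -> List[Rule]:
    """Rules of the role that the requester does not already hold in that scope.

    An empty list means the binding would be admitted; a non-empty list means
    the API server would refuse it as an attempt to grant extra privileges.
    The real check also exempts requesters holding the 'bind' verb on the
    role; that exemption is deliberately left out of this model.
    """
    held = requester.rules_in_scope(namespace)
    return [r for r in role_rules if not any(h.covers(r) for h in held)]


def binding_allowed(requester: Requester, role_rules: List[Rule],
                    namespace: Optional[str]) -> bool:
    """Convenience wrapper: True if the binding passes the escalation check."""
    return not escalating_rules(requester, role_rules, namespace)


# Constructed roles: cluster-admin is the wildcard role; EDIT is an abbreviated
# stand-in for the namespaced "edit" role (only a few of its rules are modelled).
CLUSTER_ADMIN = [Rule(ALL, ALL, ALL)]
EDIT = [Rule(frozenset({""}), frozenset({"pods", "services", "secrets"}),
             frozenset({"get", "list", "create", "update", "delete"})),
        Rule(frozenset({"apps"}), frozenset({"deployments"}),
             frozenset({"get", "list", "create", "update", "delete"}))]

# Two constructed requesters: a broker service account that is only "edit"
# inside the kubevirt namespace, and one made cluster-admin cluster-wide.
SA_EDIT_ONLY = Requester(namespaced_rules={"kubevirt": EDIT})
SA_CLUSTER_ADMIN = Requester(cluster_rules=CLUSTER_ADMIN)


if __name__ == "__main__":
    cases = [
        ("edit-only SA, RoleBinding cluster-admin in kubevirt", SA_EDIT_ONLY, CLUSTER_ADMIN, "kubevirt"),
        ("edit-only SA, RoleBinding edit in kubevirt", SA_EDIT_ONLY, EDIT, "kubevirt"),
        ("edit-only SA, RoleBinding edit in another namespace", SA_EDIT_ONLY, EDIT, "other"),
        ("cluster-admin SA, RoleBinding cluster-admin in kubevirt", SA_CLUSTER_ADMIN, CLUSTER_ADMIN, "kubevirt"),
        ("cluster-admin SA, ClusterRoleBinding cluster-admin", SA_CLUSTER_ADMIN, CLUSTER_ADMIN, None),
    ]
    for label, who, role, ns in cases:
        verdict = ("allowed" if binding_allowed(who, role, ns)
                   else "forbidden: attempt to grant extra privileges")
        print(f"{label}: {verdict}")
```

The practical consequence for a broker that escalates sandboxes to `cluster-admin` is that the service account doing the binding must itself already hold `cluster-admin` cluster-wide, so every such binding is worth auditing: a `RoleBinding` or `ClusterRoleBinding` whose `roleRef` is `cluster-admin` hands out every verb on every resource in the scope it covers.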