Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: fix KongLicense policy rule when using watch namespaces #1084

Merged
merged 3 commits into from
Jun 13, 2024
Merged

fix: fix KongLicense policy rule when using watch namespaces #1084

merged 3 commits into from
Jun 13, 2024

Conversation

pmalek
Copy link
Member

@pmalek pmalek commented Jun 11, 2024
edited
Loading

What this PR does / why we need it:

The KongLicense policy rule was incorrectly put into Role instead of the ClusterRole which causes KIC versions which have KongLicense controller enabled (3.1+) to issue errors:

2024-06-11 12:34:02.215	W0611 10:34:02.215528       1 reflector.go:539] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
2024-06-11 12:34:02.215	E0611 10:34:02.215585       1 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.KongLicense: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
2024-06-11 12:34:25.289	W0611 10:34:25.288829       1 reflector.go:539] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
2024-06-11 12:34:25.289	E0611 10:34:25.289209       1 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.KongLicense: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
2024-06-11 12:35:07.165	W0611 10:35:07.165101       1 reflector.go:539] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
2024-06-11 12:35:07.165	E0611 10:35:07.165594       1 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.KongLicense: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope

This only came out when used with watchNamespaces because without it the ClusterRole contains both sets of policy rules.

And also given the fact that KongLicense is cluster scoped.

Which issue this PR fixes

Fixes #1083

Special notes for your reviewer:

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

  • PR is based off the current tip of the main branch.
  • Changes are documented under the "Unreleased" header in CHANGELOG.md
  • New or modified sections of values.yaml are documented in the README.md
  • Commits follow the Kong commit message guidelines

@pmalek pmalek self-assigned this Jun 11, 2024
@pmalek pmalek force-pushed the fix-konglicense-rbac-policy-rules branch from 97f96ad to 00282f5 Compare June 11, 2024 13:05
@pmalek pmalek mentioned this pull request Jun 11, 2024
Closed
@pmalek pmalek marked this pull request as ready for review June 11, 2024 13:08
@pmalek pmalek requested a review from a team as a code owner June 11, 2024 13:08
programmer04
programmer04 previously approved these changes Jun 11, 2024
View reviewed changes
@pmalek pmalek force-pushed the fix-konglicense-rbac-policy-rules branch from 00282f5 to 174ce3f Compare June 13, 2024 14:51
@pmalek pmalek enabled auto-merge (squash) June 13, 2024 15:19
@pmalek pmalek requested review from a team and rainest June 13, 2024 15:20
rainest
rainest previously approved these changes Jun 13, 2024
View reviewed changes
@rainest rainest force-pushed the fix-konglicense-rbac-policy-rules branch from b520908 to 5334893 Compare June 13, 2024 22:04
rainest
rainest previously approved these changes Jun 13, 2024
View reviewed changes
@rainest rainest force-pushed the fix-konglicense-rbac-policy-rules branch from 5334893 to 39c93c8 Compare June 13, 2024 22:06
@pmalek pmalek merged commit a04a49d into main Jun 13, 2024
33 checks passed
@pmalek pmalek deleted the fix-konglicense-rbac-policy-rules branch June 13, 2024 22:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rainest rainest rainest approved these changes

@programmer04 programmer04 programmer04 left review comments

Assignees

@pmalek pmalek

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Ingress Controller fails after update to chart version 2.37.1
3 participants
@pmalek @rainest @programmer04