What happened?
I was trying to create a composition for IRSA and faced one issue that is blocking the creation to progress.
defined/compositeresourcedefinition.apiextensions.crossplane.io (combined from similar events): cannot generate a name for composed resource "service-account": objects.kubernetes.crossplane.io "my-app-irsa-nfl8r-mgmzx" is forbidden: User "system:serviceaccount:crossplane-system:crossplane" cannot get resource "objects" in API group "kubernetes.crossplane.io" at the cluster scope
How can we reproduce it?
I'm using aws blueprints from this repo: https://github.com/awslabs/crossplane-on-eks/tree/main/compositions/aws-provider/irsa
I created a service account like the one below:
```yaml
apiVersion: awsblueprints.io/v1alpha1
kind: IRSA
metadata:
  name: my-app-irsa
  namespace: example-irsa
spec:
  resourceConfig:
    region: my-region
    tags:
      - key: env
        value: test
      - key: anotherKey
        value: anotherValue
  awsAccountID: "accnumber"
  eksOIDC: "oidc"
  serviceAccountName: my-app-service-account
  policyArns:
    - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
    - "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
```
I customised it to remove the provider name from resourceConfig, so I can specify the provider per resource in the composition, e.g. the AWS one for AWS resources and the Kubernetes one for the Object (service account), but the Object one is still going to the crossplane service account.
I checked the crossplane SA cluster role and I don't see access to objects.*, so in theory RBAC missed this new provider and didn't give access to the crossplane SA.
After creating a new binding to cluster-admin, it worked and the SA was created.
What am I missing here?
What environment did it happen in?
Crossplane version: 1.14.4
Cloud provider: AWS
Kubernetes: 1.25
Kubernetes distribution: EKS
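The workaround in the report (binding the crossplane service account to cluster-admin) makes the error go away, but it hands the composition controller every verb on every resource in the cluster. The error message itself names exactly what was missing: the `crossplane` service account in `crossplane-system` could not `get` `objects` in the `kubernetes.crossplane.io` API group at cluster scope. The manifests below are an added example, not from the issue or the Crossplane project, showing a scoped ClusterRole and binding that grant only that resource. The role and binding names are hypothetical, and the verb list is an assumption about what the composition engine needs to observe and reconcile a composed resource; the group, resource, and subject are taken from the error in the issue.

```yaml
# Added example (not from the issue or Crossplane): least-privilege replacement
# for a cluster-admin binding on the crossplane service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crossplane-provider-kubernetes-objects   # hypothetical name
rules:
  # API group and resource come from the error message in the issue.
  - apiGroups: ["kubernetes.crossplane.io"]
    resources: ["objects"]
    # Assumed verbs: read to observe the composed resource, write to reconcile it.
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crossplane-provider-kubernetes-objects   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crossplane-provider-kubernetes-objects
subjects:
  # The exact subject named in the "forbidden" error.
  - kind: ServiceAccount
    name: crossplane
    namespace: crossplane-system
```

Before and after applying it, the specific permission from the error can be checked directly with `kubectl auth can-i get objects.kubernetes.crossplane.io --as=system:serviceaccount:crossplane-system:crossplane`; it should answer `no` in the failing state described above and `yes` once the binding is in place, without the blanket access that cluster-admin grants.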