[BUG] specifying user defined SA when creating cluster, the SA should be granted with certain ROLES to perform actions. #8125

Open
shanshanying opened this issue Sep 11, 2024 · 0 comments
To Reproduce
Steps to reproduce the behavior:

1. Create an SA, e.g. 'workload-identity-sa'
2. Create a redis cluster with the SA:

```yaml
apiVersion: apps.kubeblocks.io/v1alpha1
kind: Cluster
metadata:
  name: redis-replication-cluster
spec:
  clusterDefinitionRef: redis
  topology: replication
  terminationPolicy: Delete
  componentSpecs:
  - name: redis
    replicas: 2
    disableExporter: true
    serviceAccountName: "workload-identity-sa"
    resources:
      limits:
        cpu: '1'
        memory: 1Gi
      requests:
        cpu: '0.5'
        memory: 0.5Gi
    volumeClaimTemplates:
    - name: data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 20Gi
  - name: redis-sentinel
    serviceAccountName: "workload-identity-sa"
    replicas: 3
    resources:
      limits:
        cpu: '0.5'
        memory: 0.5Gi
      requests:
        cpu: '0.5'
        memory: 0.5Gi
    volumeClaimTemplates:
    - name: data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 20Gi
```

3. Check the SA and roles, e.g.:

```
k auth can-i list pods --as=system:serviceaccount:default:workload-identity-sa -n default
```

   The answer is 'NO', and the expected answer is 'YES'; otherwise the 'lorry' sidecar fails.

@shanshanying shanshanying added the kind/bug Something isn't working label Sep 11, 2024
@shanshanying shanshanying modified the milestone: Release 0.9.1 Sep 11, 2024
@shanshanying shanshanying added this to the Release 0.9.2 milestone Sep 26, 2024
@github-actions github-actions bot modified the milestones: Release 0.9.2, Release 0.8.5 Oct 8, 2024
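
Added example, not part of the issue and not KubeBlocks' own manifests: a namespaced Role and RoleBinding that would make the `can-i list pods` check from step 3 return yes for the user-defined service account. The object name `workload-identity-sa-pod-list` is hypothetical, and the rule covers only the single permission the issue probes; the full set of permissions the lorry sidecar needs is not stated in the issue.

```yaml
# Constructed example. Only the ServiceAccount name and the namespace come
# from the issue; the Role/RoleBinding name is hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workload-identity-sa-pod-list   # hypothetical name
  namespace: default
rules:
- apiGroups: [""]          # core API group, where pods live
  resources: ["pods"]
  verbs: ["list"]          # only the verb checked in step 3 (assumption: more may be required)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workload-identity-sa-pod-list   # hypothetical name
  namespace: default
subjects:
- kind: ServiceAccount
  name: workload-identity-sa            # SA from step 1
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workload-identity-sa-pod-list
```

Keeping the grant as a namespaced Role rather than a ClusterRole limits the service account to pods in `default`, the namespace used in the issue's check.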