[Bug]: Controller is missing permissions when deployed with statfulsetRunner.include: false #3495

Open
pbusko opened this issue Sep 27, 2024 · 0 comments · May be fixed by #3522
Labels
bug Something isn't working

pbusko commented Sep 27, 2024

What happened?

When Korifi is deployed with the statfulsetRunner.include: false Helm value, the controller fails during org creation:

{
  "severity": "ERROR",
  "timestamp": "2024-09-27T11:28:45.693575631Z",
  "caller": "controller/controller.go:324",
  "message": "Reconciler error",
  "controller": "cforg",
  "controllerGroup": "korifi.cloudfoundry.org",
  "controllerKind": "CFOrg",
  "CFOrg":
    {
      "name": "cf-org-7f20fd9e-4ada-4ce9-a9e3-0dd5c47ce8cd",
      "namespace": "cf"
    },
  "namespace": "cf",
  "name": "cf-org-7f20fd9e-4ada-4ce9-a9e3-0dd5c47ce8cd",
  "reconcileID": "0d06b5bd-7bf4-4832-99f1-7a2702b5e1ed",
  "error": "error propagating role-bindings: rolebindings.rbac.authorization.k8s.io \"default-admin-binding\" is forbidden: user \"system:serviceaccount:korifi:korifi-controllers-controller-manager\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:korifi\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"korifi.cloudfoundry.org\"], Resources:[\"runnerinfos\"], Verbs:[\"get\" \"list\" \"watch\"]}",
  "stacktrace": "sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"
}

What you expected to happen

Org should be created successfully.

Acceptance Criteria

There should be no exceptions when replaceable controllers are disabled (statefulset-runner, kpack-image-builder and job-task-runner).

How to reproduce it (as minimally and precisely as possible)

Deploy Korifi with the statfulsetRunner.include: false Helm value.

Anything else we need to know?

The issue might not be limited only to org creation; all missing permissions from https://github.com/cloudfoundry/korifi/blob/a3d4864431d07b05d38c31037d30e6a1735a4478/helm/korifi/statefulset-runner/role.yaml should be considered.

Environment

Revision of codebase: 3c82b9f
Deployed on kind

@pbusko pbusko added the bug Something isn't working label Sep 27, 2024
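
A triage helper for controller logs like the one in this issue, added here as an example and not part of the original report or the Korifi code base: it pulls the denied subject and the missing (apiGroup, resource, verb) tuples out of the API server's RBAC escalation-check error. The function names are hypothetical and the sample log lines are constructed from the error shown above.

```python
import json
import re

# Text the Kubernetes API server emits when its RBAC escalation check denies a grant.
MARKER = "is attempting to grant RBAC permissions not currently held:"
USER_RE = re.compile(r'user "([^"]+)"')
RULE_RE = re.compile(r"\{([^{}]*)\}")          # one {...} block per missing rule
FIELD_RE = re.compile(r"(\w+):\[([^\]]*)\]")   # e.g. Verbs:["get" "list"]


def parse_rule(body):
    """Parse 'APIGroups:["g"], Resources:["r"], Verbs:["get"]' into a dict of lists."""
    return {name: re.findall(r'"([^"]*)"', values)
            for name, values in FIELD_RE.findall(body)}


def missing_permissions(log_lines):
    """Map each denied subject to the sorted (apiGroup, resource, verb) tuples it lacks."""
    missing = {}
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not structured JSON logs
        error = str(entry.get("error") or "") if isinstance(entry, dict) else ""
        if MARKER not in error:
            continue
        head, _, tail = error.partition(MARKER)
        user = USER_RE.search(head)
        subject = user.group(1) if user else "<unknown>"
        for body in RULE_RE.findall(tail):
            rule = parse_rule(body)
            for group in rule.get("APIGroups", []):
                for resource in rule.get("Resources", []):
                    for verb in rule.get("Verbs", []):
                        missing.setdefault(subject, set()).add((group, resource, verb))
    return {subject: sorted(rules) for subject, rules in missing.items()}

# Constructed sample input, modelled on the error in this issue.
SA = "system:serviceaccount:korifi:korifi-controllers-controller-manager"
SAMPLE_LOG = [
    json.dumps({"severity": "ERROR", "controller": "cforg", "error": (
        'rolebindings.rbac.authorization.k8s.io "default-admin-binding" is forbidden: '
        f'user "{SA}" (groups=["system:authenticated"]) {MARKER}\n'
        '{APIGroups:["korifi.cloudfoundry.org"], Resources:["runnerinfos"], '
        'Verbs:["get" "list" "watch"]}')}),
    json.dumps({"severity": "INFO", "message": "Starting workers"}),
    "plain text line that is not JSON",
]
```

Each tuple returned by `missing_permissions(SAMPLE_LOG)` can be confirmed against a cluster with `kubectl auth can-i <verb> <resource>.<group> --as=<subject>`.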
Projects
Status: 🧊 Icebox