Issue
Setting up CloudBees CI with a controller in a different namespace.
Form validation for the “namespace” field always displays the warning "Unable to validate. Maybe the deployment lacks read privilege on the given namespace." when you type in a namespace.
This occurs for any namespace, whether it exists or not.
Environment
- CloudBees CI (CloudBees Core)
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
Related Issue(s)
- CPLT2-6962: CJOC controller-management clusterrole needs namespace get, list permission
Resolution
During form validation, the CJOC service account is used to check for the existence of the namespace entered in the namespace field on the Managed Controller configuration page.
This helps prevent attempts to configure a controller in a non-existent namespace.
However, the clusterrole currently deployed for the CJOC service account does not include permission to list and get namespaces, which causes the check to fail and the warning to be displayed.
Workaround
The current workaround is to add get and list permissions for namespaces to the clusterrole cjoc-controller-management-cloudbees.
This clusterrole is deployed as part of the initial deployment of CBCI and is used to grant the CJOC service account permissions on storage class resources.
- Confirm the existence of the clusterrole with the command
  kubectl get clusterrole cjoc-master-management-cloudbees -n $CLOUDBEES-NAMESPACE
- Edit the clusterrole with the command
  kubectl edit clusterrole cjoc-master-management-cloudbees -n $CLOUDBEES-NAMESPACE
- Add the rules below to the clusterrole:
    - apiGroups:
      - ""
      resources:
      - namespaces
      verbs:
      - get
      - list
- Confirm the permissions were added correctly. If done properly, the output of
  kubectl get clusterrole cjoc-master-management-cloudbees -n $CLOUDBEES-NAMESPACE -o yaml
  should look like below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: cloudbees
    meta.helm.sh/release-namespace: cloudbees
  creationTimestamp: "2020-12-22T07:55:36Z"
  labels:
    app.kubernetes.io/instance: cloudbees
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: cloudbees-core
    helm.sh/chart: cloudbees-core-3.20.0_7393ca8fd6d0
  name: cjoc-master-management-cloudbees
  resourceVersion: "10616366"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cjoc-master-management-cloudbees
  uid: 134a85be-442b-11eb-a8c0-0233ecf47d44
rules:
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
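
The confirmation step can also be checked mechanically. The following is an added example, not CloudBees code: it applies the RBAC rule-matching logic to the "rules" array of the clusterrole (as returned with -o json) and reports which of get and list on namespaces are still missing, and whether any rule uses a wildcard and so grants more than the workaround needs. The sample rules are constructed from the rules shown above; the function names are hypothetical.

```python
import json

# Constructed sample: the "rules" array as returned by
# `kubectl get clusterrole <name> -o json`, before the workaround is applied.
BEFORE = json.loads("""
{"rules": [
  {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
   "verbs": ["get", "list"]}
]}
""")["rules"]

# The same role after adding the namespaces rule from the workaround.
AFTER = BEFORE + [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]}
]


def _matches(values, wanted):
    """RBAC list match: an exact entry or the "*" wildcard."""
    return wanted in values or "*" in values


def rule_grants(rule, api_group, resource, verb):
    """True if one PolicyRule grants `verb` on every object of `resource`."""
    if rule.get("resourceNames"):
        # Restricted to named objects: cannot validate an arbitrary namespace.
        return False
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def missing_verbs(rules, api_group, resource, verbs):
    """Verbs from `verbs` that no rule in the role grants."""
    return [v for v in verbs
            if not any(rule_grants(r, api_group, resource, v) for r in rules)]


def wildcard_rules(rules):
    """Rules using "*" anywhere, i.e. broader than get/list on namespaces."""
    return [r for r in rules
            if any("*" in r.get(k, []) for k in ("apiGroups", "resources", "verbs"))]


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", missing_verbs(rules, "", "namespaces", ["get", "list"]),
              "wildcard rules:", len(wildcard_rules(rules)))
```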