l2announcements and default manifests #89

Open
eutsigoiari opened this issue Mar 14, 2024 · 0 comments

Hi,

In an OCP/OKD cluster rollout using the default manifests and trying to enable l2announcements with the following extra config:

  kubeProxyReplacement: true
  k8sServiceHost: api-int.mycluster.mydomain.com
  k8sServicePort: '6443'
  k8sClientRateLimit:
    qps: 2
    burst: 4
  l2announcements:
    enabled: true

Cilium is not properly deployed since the cluster role with the leases resource from the coordination API does not have all the needed verbs:

2024-03-14T13:55:28Z ERROR helm.controller Release failed {"namespace": "cilium", "name": "cilium", "apiVersion": "cilium.io/v1alpha1", "kind": "CiliumConfig", "release": "cilium", "error": "failed to install release: 2 errors occurred:\n\t* clusterroles.rbac.authorization.k8s.io "cilium" is forbidden: user "system:serviceaccount:cilium:cilium-olm" (groups=["system:serviceaccounts" "system:serviceaccounts:cilium" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:["coordination.k8s.io"], Resources:["leases"], Verbs:["list" "delete"]}\n\t* clusterroles.rbac.authorization.k8s.io "cilium" not found\n\n"}

2024-03-14T13:55:28Z ERROR Reconciler error {"controller": "ciliumconfig-controller", "object": {"name":"cilium","namespace":"cilium"}, "namespace": "cilium", "name": "cilium", "reconcileID": "af7a17fd-1a47-456c-a4e3-b55439b98e8e", "error": "failed to install release: 2 errors occurred:\n\t* clusterroles.rbac.authorization.k8s.io "cilium" is forbidden: user "system:serviceaccount:cilium:cilium-olm" (groups=["system:serviceaccounts" "system:serviceaccounts:cilium" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:["coordination.k8s.io"], Resources:["leases"], Verbs:["list" "delete"]}\n\t* clusterroles.rbac.authorization.k8s.io "cilium" not found\n\n"}

cluster-network-06-cilium-00009-cilium-cilium-clusterrole.yaml lacks those list and delete verbs for the leases resource.

If I got it correctly, those manifests are created using the cue files, so the fix could be just:

diff --git a/config/operator/rbac.cue b/config/operator/rbac.cue
index d17e131..ad7be47 100644
--- a/config/operator/rbac.cue
+++ b/config/operator/rbac.cue
@@ -151,6 +151,8 @@ _ciliumClusterRules: [
                        "create",
                        "get",
                        "update",
+                       "list",
+                       "delete",
                ]
        },
        {
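
Review bot: the two added verbs land in a verbs list whose apiGroups and resources are not visible in this hunk's context, so it should be confirmed that the rule at line 151 of _ciliumClusterRules is the coordination.k8s.io leases rule named in the error and not another rule that also carries "create", "get", "update". Since "list" and "delete" are only reported as missing when l2announcements is enabled, a short comment next to the verbs in rbac.cue saying why the operator has to hold them would help keep this rule in step with the chart's agent ClusterRole.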

I could do the PR myself if you think this is the correct way to fix it.

On the other hand, the operator chart/templates of the cilium-agent are apparently correct from the very beginning, as far as I could see.
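
Added example, not part of the original issue or the project's code: a simplified Python model of the RBAC escalation check behind the "attempting to grant RBAC permissions not currently held" error in the logs above. It ignores resourceNames, nonResourceURLs and the escalate verb, and the three rule sets are constructed from the error message and the diff context.

```python
"""Simplified model of the Kubernetes RBAC escalation check (added example)."""


def covers(held, group, resource, verb):
    """True if any single held rule grants verb on group/resource."""
    def match(values, wanted):
        # "*" in a held rule matches anything; a requested "*" is only
        # covered by a held "*".
        return "*" in values or wanted in values

    return any(
        match(r["apiGroups"], group)
        and match(r["resources"], resource)
        and match(r["verbs"], verb)
        for r in held
    )


def missing_permissions(held, requested):
    """Sorted (apiGroup, resource, verb) tuples that are requested but not held."""
    missing = set()
    for rule in requested:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                for verb in rule["verbs"]:
                    if not covers(held, group, resource, verb):
                        missing.add((group, resource, verb))
    return sorted(missing)


def lease_rule(verbs):
    """Build a constructed rule on coordination.k8s.io leases."""
    return {"apiGroups": ["coordination.k8s.io"],
            "resources": ["leases"], "verbs": list(verbs)}


# Constructed: what the operator service account holds before the fix.
OPERATOR_RULES = [lease_rule(["create", "get", "update"])]
# Constructed: what the "cilium" ClusterRole asks for with l2announcements on.
AGENT_RULES = [lease_rule(["create", "get", "update", "list", "delete"])]
# Constructed: operator rules after adding the two verbs from the diff.
PATCHED_OPERATOR_RULES = [
    lease_rule(["create", "get", "update", "list", "delete"])]

if __name__ == "__main__":
    for label, held in (("before", OPERATOR_RULES),
                        ("after", PATCHED_OPERATOR_RULES)):
        gaps = missing_permissions(held, AGENT_RULES)
        print(label, "->", gaps if gaps else "no escalation, install allowed")
```

Running the same comparison over the rendered operator and agent ClusterRole manifests before a rollout shows any verbs the operator would be refused from granting.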
