Describe the bug
When using `--set rbac.clusterReadOnlyRole=True`, the pod crashes and its logs show this error:
```
panic: secrets is forbidden: User "system:serviceaccount:kube-system:dashboard-kubernetes-dashboard" cannot create resource "secrets" in API group "" in the namespace "kube-system"
goroutine 1 [running]:
github.com/kubernetes/dashboard/src/app/backend/auth/jwe.(*rsaKeyHolder).init(0xc4204e30c0)
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/auth/jwe/keyholder.go:131 +0x35e
github.com/kubernetes/dashboard/src/app/backend/auth/jwe.NewRSAKeyHolder(0x1367500, 0xc420324c60, 0xc420324c60, 0x1213a6e)
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/auth/jwe/keyholder.go:170 +0x64
main.initAuthManager(0x13663e0, 0xc4203259e0, 0xc4204c7cd8, 0x1)
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/dashboard.go:185 +0x12c
main.main()
	/home/travis/build/kubernetes/dashboard/.tmp/backend/src/github.com/kubernetes/dashboard/src/app/backend/dashboard.go:103 +0x26b
```
Version of Helm and Kubernetes:
k8s 1.15
helm
Which chart:
kubernetes-dashboard-1.5.3 1.10.1
What happened:
It works with full cluster admin but not with the ReadOnly one.
What you expected to happen:
work
How to reproduce it (as minimally and precisely as possible):
```shell
helm delete --purge dashboard
kubectl -n kube-system delete secret kubernetes-dashboard-key-holder
helm install --name dashboard stable/kubernetes-dashboard --namespace kube-system --set rbac.create=True --set rbac.clusterReadOnlyRole=True
```
Anything else we need to know:
IMPORTANT NOTE:
If the chart was installed previously with ClusterAdminRole, clusterReadOnlyRole seems to be ok.
But if it's the first time the chart is getting installed, there will be the above errors.
Reason: the `kubernetes-dashboard-key-holder` secret is not getting deleted by `helm delete --purge <>`
There were previous issues, most were closed. It might be it was fixed before but now comes again.
https://github.com/helm/charts/pull/12496/files#diff-814573c2b6c423b43e4c90eb469a41c8
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
still valid...
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
The problem is caused by missing permissions. There are two possible solutions:

Add the rolebinding for the role.
Needed changes for this are in https://github.com/helm/charts/blob/master/stable/kubernetes-dashboard/templates/rolebinding.yaml:

```yaml
{{- if or .Values.rbac.clusterAdminRole .Values.rbac.clusterReadOnlyRole }}
# Cluster role binding for clusterAdminRole == true or clusterReadOnlyRole=true
```
==>
```yaml
{{- if .Values.rbac.clusterAdminRole }}
# Cluster role binding for clusterAdminRole == true
```

```yaml
# Role binding for clusterAdminRole == false and clusterReadOnlyRole=false
```
==>
```yaml
# Role binding for clusterAdminRole == false
```

Add verb `create` to two resources in clusterrole-readonly https://github.com/helm/charts/blob/master/stable/kubernetes-dashboard/templates/clusterrole-readonly.yaml:

```yaml
verbs:
  - get
  - update
  - delete
```
==>
```yaml
verbs:
  - get
  - create
  - update
  - delete
```

```yaml
verbs:
  - get
  - update
```
==>
```yaml
verbs:
  - get
  - create
  - update
```

```shell
kube-system:kubectl create rolebinding kubernetes-dashboard --role=kubernetes-dashboard --serviceaccount=kube-system:kubernetes-dashboard --namespace=kube-system
```

You don't need to add permissions if you create the secret, similarly to how one secret is created already: https://github.com/helm/charts/blob/de8f4384226b70ea1c479acc7ff24562648c3adc/stable/kubernetes-dashboard/templates/secret.yaml

```yaml
apiVersion: v1
kind: Secret
metadata:
  labels:
    app: kubernetes-dashboard
    chart: kubernetes-dashboard-1.8.0
    heritage: Tiller
    release: backbone
  name: kubernetes-dashboard-key-holder
  namespace: kube-system
type: Opaque
```

I think this should make its way to secret.yaml.
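Both fixes above come down to which PolicyRules the dashboard's service account ends up bound to. The following is an added example, not code from the helm/charts repository or from the Kubernetes dashboard project: a small Python model of how the RBAC authorizer matches one request against a Role's `rules:` (verbs, apiGroups, resources, resourceNames, with `*` as wildcard). `READONLY_SECRET_RULE` and `FIXED_SECRET_RULE` are hand-transcribed from the read-only ClusterRole snippets quoted in the comment above; `SCOPED_RULES`, `BROKEN_SCOPED_CREATE`, the request objects and the `decide` helper are my own assumptions for illustration. It reproduces the denial behind the panic, shows the `create` verb fixing it, and shows a caveat worth knowing before tightening the role: a rule restricted with `resourceNames` cannot grant `create`, because a create request carries no object name, so a name-scoped variant still needs a separate unrestricted `create` rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """The attributes the RBAC authorizer looks at for one API request."""
    verb: str
    resource: str
    group: str = ""   # "" is the core API group (secrets, pods, ...)
    name: str = ""    # empty for create: the object does not exist yet


def _matches(wanted, allowed):
    return "*" in allowed or wanted in allowed


def rule_allows(rule, req):
    """A single PolicyRule grants the request only if every field matches.
    A rule carrying resourceNames never matches a request without a name,
    which is why resourceNames cannot grant create."""
    if not _matches(req.verb, rule.get("verbs", [])):
        return False
    if not _matches(req.group, rule.get("apiGroups", [])):
        return False
    if not _matches(req.resource, rule.get("resources", [])):
        return False
    names = rule.get("resourceNames", [])
    return not names or req.name in names


def allowed(rules, req):
    """RBAC is purely additive: one matching rule in the bound roles is enough."""
    return any(rule_allows(r, req) for r in rules)


# Hand-transcribed from the clusterrole-readonly snippet quoted above.
READONLY_SECRET_RULE = {"apiGroups": [""], "resources": ["secrets"],
                        "verbs": ["get", "update", "delete"]}
# The same rule with the create verb the comment above adds.
FIXED_SECRET_RULE = {**READONLY_SECRET_RULE,
                     "verbs": ["get", "create", "update", "delete"]}
# Assumed tighter variant (not from the chart): name-restrict the existing verbs
# to the key-holder secret; create has to stay in its own unrestricted rule.
SCOPED_RULES = [
    {"apiGroups": [""], "resources": ["secrets"],
     "resourceNames": ["kubernetes-dashboard-key-holder"],
     "verbs": ["get", "update", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
]
# Mistake to avoid (constructed): resourceNames on the create rule grants nothing.
BROKEN_SCOPED_CREATE = [
    {"apiGroups": [""], "resources": ["secrets"],
     "resourceNames": ["kubernetes-dashboard-key-holder"],
     "verbs": ["create"]},
]

# Subject taken from the panic message in the issue; requests are constructed.
SERVICE_ACCOUNT = "system:serviceaccount:kube-system:dashboard-kubernetes-dashboard"
KEY_HOLDER_CREATE = Request("create", "secrets")  # what rsaKeyHolder.init issues
KEY_HOLDER_GET = Request("get", "secrets", name="kubernetes-dashboard-key-holder")
OTHER_SECRET_GET = Request("get", "secrets", name="unrelated-secret")


def decide(rules, req, namespace="kube-system"):
    """Return 'allowed' or a forbidden message in the API server's wording."""
    if allowed(rules, req):
        return "allowed"
    return (f'{req.resource} is forbidden: User "{SERVICE_ACCOUNT}" cannot '
            f'{req.verb} resource "{req.resource}" in API group "{req.group}" '
            f'in the namespace "{namespace}"')


if __name__ == "__main__":
    print("read-only role :", decide([READONLY_SECRET_RULE], KEY_HOLDER_CREATE))
    print("with create    :", decide([FIXED_SECRET_RULE], KEY_HOLDER_CREATE))
    print("scoped, create :", decide(SCOPED_RULES, KEY_HOLDER_CREATE))
    print("scoped, other  :", decide(SCOPED_RULES, OTHER_SECRET_GET))
    print("broken scoped  :", decide(BROKEN_SCOPED_CREATE, KEY_HOLDER_CREATE))
```

The first line printed is the exact forbidden message from the panic; the last line shows that putting `resourceNames` on the `create` rule reintroduces that same panic, which is the check to run before shipping a tightened role. The model covers rule matching only; whether the rules reach the service account at all is the RoleBinding question raised in the first fix.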
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
still valid...
When the secret is created, the rolebinding is still missing.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
issue is still there.
On Fri, Nov 15, 2019 at 11:26 AM stale[bot] notifications@github.com wrote:
> This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
This issue is being automatically closed due to inactivity.