Terraform-provider-kubernetes: kubernetes_cluster_role_binding & kubernetes_role_binding adding namespace when subject kind is Group

Created on 17 Dec 2019 · 8 comments · Source: hashicorp/terraform-provider-kubernetes

Hi

When applying a clusterrolebinding or rolebinding where the subject kind is Group, there should not be a namespace as a group is not a namespaced resource.
There's documentation here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-examples

Terraform Version

Terraform v0.12.16

  • provider.aws v2.42.0
  • provider.kubernetes v1.10.0

Affected Resource(s)

  • kubernetes_cluster_role_binding
  • kubernetes_role_binding

Terraform Configuration Files

resource "kubernetes_cluster_role_binding" "developer_cluster" {
  metadata {
    name = "company-developer"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.developer_cluster.metadata.0.name
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "company:developer"
  }
}

resource "kubernetes_role_binding" "developer_namespace" {
  metadata {
    name      = "company-developer"
    namespace = kubernetes_namespace.app.metadata.0.name
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.developer_namespace.metadata.0.name
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "company:developer"
  }
}

Expected Behavior

The subject blocks of the role bindings should be created as per the config without a namespace.

Actual Behavior

The role bindings were created and the namespace field was added with a value of default.

Steps to Reproduce

  1. terraform apply

Most helpful comment

Hi. I discovered a workaround. Even though the documentation says that for kind: Group the namespace property is not available, if you set namespace = "" for kind: Group, the resulting clusterrolebinding for kind: Group doesn't have namespace as a property, as it should.

I'm using Terraform v0.12.28

Example:

resource "kubernetes_cluster_role_binding" "cluster-superusers" {
  metadata {
    name = "cluster-superusers"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-superusers"
  }
  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }
  subject {
    kind      = "Group"
    name      = "system:masters"
    namespace = ""
    api_group = "rbac.authorization.k8s.io"
  }
}
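A check worth running after applying either the original configuration or the workaround above. The script below is an added example, not code from this issue or from the provider: it reads binding objects in the shape `kubectl get clusterrolebinding,rolebinding -o json` returns (the sample here is constructed by hand, not captured from a cluster), flags Group and User subjects that carry a namespace and ServiceAccount subjects that lack one, and then matches subjects the way the kube-apiserver RBAC authorizer does. That second part shows why the injected namespace is noise rather than a restriction: User and Group subjects are compared by name only, so the Group binding still grants the ClusterRole to every member of company:developer cluster-wide.

```python
"""Added example (not code from the issue or the provider): audit RBAC binding
subjects for the namespace problem, then match them as the authorizer would."""
import json

RBAC_API_GROUP = "rbac.authorization.k8s.io"

# Constructed sample, not captured from a cluster: the issue's two bindings after
# the provider injected namespace: default into the Group and User subjects, plus
# a ServiceAccount subject that lacks its namespace.
SAMPLE_BINDINGS_JSON = """{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "company-developer"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "developer-cluster"},
  "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                "name": "company:developer", "namespace": "default"}]},
 {"kind": "RoleBinding", "metadata": {"name": "company-developer", "namespace": "app"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "developer-namespace"},
  "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "myuser", "namespace": "default"},
               {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"},
               {"kind": "ServiceAccount", "name": "ci"}]}
]}"""


def load_sample():
    """Parse the constructed sample into the dict shape kubectl -o json emits."""
    return json.loads(SAMPLE_BINDINGS_JSON)


def audit_subject(subject):
    """Return findings for one subject entry; an empty list means it is clean."""
    findings = []
    kind = subject.get("kind")
    name = subject.get("name", "")
    namespace = subject.get("namespace", "")
    api_group = subject.get("apiGroup", "")
    if kind in ("User", "Group"):
        if api_group != RBAC_API_GROUP:
            findings.append(f"{kind} {name!r}: apiGroup should be {RBAC_API_GROUP!r}, got {api_group!r}")
        if namespace:
            # The authorizer never reads namespace for these kinds: the value is
            # noise in the object, and the subject still matches cluster-wide.
            findings.append(f"{kind} {name!r}: namespace {namespace!r} is not a property of this kind and is ignored")
    elif kind == "ServiceAccount":
        if not namespace:
            findings.append(f"ServiceAccount {name!r}: namespace is required by API validation")
        if api_group:
            findings.append(f"ServiceAccount {name!r}: apiGroup must be empty, got {api_group!r}")
    else:
        findings.append(f"unsupported subject kind {kind!r}")
    return findings


def audit_bindings(binding_list):
    """Map '<Kind>/<namespace>/<name>' to findings for every binding that has any."""
    report = {}
    for obj in binding_list.get("items", []):
        meta = obj["metadata"]
        key = f"{obj['kind']}/{meta.get('namespace', '')}/{meta['name']}"
        findings = []
        for subject in obj.get("subjects", []):
            findings.extend(audit_subject(subject))
        if findings:
            report[key] = findings
    return report


def subject_applies_to(subject, username, groups, binding_namespace=""):
    """Match a subject the way kube-apiserver's RBAC authorizer does.

    User compares the name, Group checks group membership, and only
    ServiceAccount uses a namespace (through the
    system:serviceaccount:<namespace>:<name> username), falling back to the
    binding's own namespace when the subject has none. A namespace on a User
    or Group subject therefore changes nothing.
    """
    kind = subject.get("kind")
    if kind == "User":
        return subject.get("name") == username
    if kind == "Group":
        return subject.get("name") in groups
    if kind == "ServiceAccount":
        sa_namespace = subject.get("namespace") or binding_namespace
        if not sa_namespace:
            return False
        return username == f"system:serviceaccount:{sa_namespace}:{subject.get('name', '')}"
    return False


def binding_grants(binding, username, groups=()):
    """True if any subject of the binding applies to the given identity."""
    binding_namespace = binding["metadata"].get("namespace", "")
    return any(subject_applies_to(s, username, groups, binding_namespace)
               for s in binding.get("subjects", []))


if __name__ == "__main__":
    data = load_sample()
    for key, findings in audit_bindings(data).items():
        for finding in findings:
            print(f"{key}: {finding}")
    crb = data["items"][0]
    # The injected namespace does not restrict the Group binding at all.
    print("alice in company:developer gets the ClusterRole:",
          binding_grants(crb, "alice", ["system:authenticated", "company:developer"]))
```

Point `load_sample` at real `kubectl ... -o json` output to audit a cluster; a subject written with the `namespace = ""` workaround is reported as clean because the empty string is treated the same as an absent field.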

All 8 comments

If it helps I ran with log level set to TRACE and noticed this in the logs:

2019/12/17 12:46:44 [WARN] Provider "kubernetes" produced an invalid plan for kubernetes_cluster_role_binding.developer_cluster, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .subject[0].namespace: planned value cty.StringVal("default") does not match config value cty.NullVal(cty.String)
2019/12/17 12:46:44 [WARN] Provider "kubernetes" produced an invalid plan for kubernetes_role_binding.developer_namespace, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .subject[0].namespace: planned value cty.StringVal("default") does not match config value cty.NullVal(cty.String)

Same issue. Looks related to #713.
Terraform v0.12.21

  • provider.kubernetes v1.11.1

Same issue, same log as above when run with TF_LOG=TRACE.

  • Terraform v0.12.6
  • provider.kubernetes v1.11.3

Same issue, unwanted namespace attribute is present for Group kind.
Terraform v0.13.4
provider.kubernetes v1.13.2

I confirm this also happens for

terraform v0.13.5
hashicorp/kubernetes v1.13.3

The same happens when kind User is specified. Terraform tries to add an undesired namespace.

subject {
  kind      = "User"
  name      = "myuser"
  api_group = "rbac.authorization.k8s.io"
}

output from the plan

  ~ subject {
        api_group = "rbac.authorization.k8s.io"
        kind      = "User"
        name      = "myuser"
      + namespace = "default"
    }

My Terraform information:
Terraform v0.12.29
provider.kubernetes v1.13.3

Still happening with the latest Kubernetes provider 2.0.2. Also confirming that the workaround works with specifying:

namespace = ""