Hi,
I've been playing around with kvisor's options a bit, especially with `leaderElectionEnabled`, which seems to have a problem.
RBAC rules do not seem to be defined correctly in the role, especially the one concerning leases.
The `create` verb is restricted by `resourceNames`, which is not allowed, so it prevents the creation of the lease.

> Note: You cannot restrict create or deletecollection requests by their resource name. For create, this limitation is because the name of the new object may not be known at authorization time.
With the current role perms, the following error can be seen when starting the service with the `leaderElectionEnabled` option enabled.

```
time="2023-08-06T18:21:06Z" level=error msg="error initially creating leader election record: leases.coordination.k8s.io is forbidden: User \"system:serviceaccount:castai-agent:castai-kvisor\" cannot create resource \"leases\" in API group \"coordination.k8s.io\" in the namespace \"castai-agent\"\n" error="<nil>"
time="2023-08-06T18:21:08Z" level=debug msg="sending logs: sending logs: request error status_code=400 body={\"message\":\"Bad request\",\"fieldViolations\":[]}"
```
If I use less restrictive permissions on `create`, the service can create the lease:

```diff
 - verbs:
   - get
-  - create
   - update
   - list
   - watch
   - delete
   apiGroups:
   - coordination.k8s.io
   resources:
   - leases
   resourceNames:
   - kvisor
+- verbs:
+  - create
+  apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
```
I'm only just starting to use K8s, so maybe I'm wrong; please let me know the correct solution in this case to deploy kvisor in high availability.
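The rule-splitting shown in the diff above can be checked mechanically. The following is an added example, not kvisor's code or anything from the project's Helm chart: it lints a list of RBAC rules (represented as plain Python dicts in the shape of a Role's `rules` field) for `create` / `deletecollection` verbs that sit under `resourceNames`, where the authorizer can never match them, and rewrites such rules into a name-scoped rule for the remaining verbs plus an unscoped rule for the affected verbs, which is the smallest grant that actually works. `SAMPLE_RULES` is a constructed copy of the lease rule from this issue.

```python
"""Lint Kubernetes RBAC rules for verbs that cannot be scoped by resourceNames.

Added example for this issue; not kvisor's code. SAMPLE_RULES is a constructed
copy of the lease rule described above.
"""
from typing import Dict, List, Tuple

# Verbs the API server cannot restrict by resource name: for create, the name
# of the new object is not known at authorization time, so a rule that has
# resourceNames set never matches a create request.
NAME_SCOPE_UNSUPPORTED = {"create", "deletecollection"}

# Constructed rule set mirroring the original (broken) kvisor lease rule.
SAMPLE_RULES: List[Dict] = [
    {
        "apiGroups": ["coordination.k8s.io"],
        "resources": ["leases"],
        "resourceNames": ["kvisor"],
        "verbs": ["get", "create", "update", "list", "watch", "delete"],
    }
]


def find_unenforceable(rules: List[Dict]) -> List[Tuple[int, str]]:
    """Return (rule index, verb) pairs for verbs granted under resourceNames
    that the authorizer will never be able to match.

    A wildcard verb is reported too: "*" under resourceNames still fails for
    create, because the request carries no name to compare against.
    """
    findings = []
    for i, rule in enumerate(rules):
        if not rule.get("resourceNames"):
            continue  # unscoped rule: every verb is enforceable
        for verb in rule.get("verbs", []):
            if verb == "*" or verb in NAME_SCOPE_UNSUPPORTED:
                findings.append((i, verb))
    return findings


def split_rules(rules: List[Dict]) -> List[Dict]:
    """Rewrite rules so create/deletecollection move to a separate rule
    without resourceNames, keeping the other verbs name-scoped.

    Rules that are already fine, and wildcard-verb rules (which need a
    human decision about what to grant), are passed through unchanged.
    """
    fixed: List[Dict] = []
    for rule in rules:
        names = rule.get("resourceNames")
        verbs = rule.get("verbs", [])
        unscoped_verbs = [v for v in verbs if v in NAME_SCOPE_UNSUPPORTED]
        if not names or not unscoped_verbs:
            fixed.append(dict(rule))
            continue
        scoped_verbs = [v for v in verbs if v not in NAME_SCOPE_UNSUPPORTED]
        if scoped_verbs:
            scoped = dict(rule)  # keeps apiGroups/resources/resourceNames
            scoped["verbs"] = scoped_verbs
            fixed.append(scoped)
        # Same apiGroups/resources, but no resourceNames, so create can match.
        unscoped = {k: v for k, v in rule.items() if k != "resourceNames"}
        unscoped["verbs"] = unscoped_verbs
        fixed.append(unscoped)
    return fixed


if __name__ == "__main__":
    for idx, verb in find_unenforceable(SAMPLE_RULES):
        print(f"rule {idx}: verb '{verb}' cannot be restricted by resourceNames")
    for rule in split_rules(SAMPLE_RULES):
        print(rule)
```

After applying the split, the grant can be confirmed against a live cluster without restarting the agent with `kubectl auth can-i create leases.coordination.k8s.io --as=system:serviceaccount:castai-agent:castai-kvisor -n castai-agent`, which should answer `yes` once the unscoped create rule is in place and `no` with the original role.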