Comments (6)
It is hard to say without actually seeing the rolemanifest.
If you use RBAC on the cluster, did you set the `kube.auth` setting in your `values.yaml` file to `rbac` to enable correct service accounts and role bindings?
Do you have the PodSecurityPolicy admission controller enabled on that cluster?
from fissile.
Okay, so RBAC is not enabled on the Cluster.
I'm not sure how to set authentication. Is there documentation on that?
from fissile.
Authentication defaults to `none`, which is correct when you don't have RBAC enabled.
Is there a way you can share the rolemanifest and bosh release so we can take a look? Or create a simplified test case if this is private code?
from fissile.
Okay, I've tried with the nats example and I'm getting the same issue.
from fissile.
This is the same error when I curl my kube-api directly without any client x509 cert.
Is it possible to include a client cert in the yaml to use to authorize configgin?
from fissile.
I'm not sure we ever tested fissile with user accounts requiring client certs, so I'm not sure how to configure it (and if it would work).
The configgin code assumes that all pods have a service account with sufficient access (look at `templates/auth-role-configgin-role.yaml` inside the generated helm chart).
The configgin code to fetch the auth token from its service account is at https://github.com/SUSE/configgin/blob/8b4b33ebc34fd494c2b90bfb03aae1534e40761b/bin/configgin#L24-L35
BTW, it looks like RBAC is now the default, you would have to switch this to `none` to disable it (in `values.yaml`):

```yaml
kube:
  ...
  auth: "rbac"
```
But I expect it to continue to fail for you because you would still need to provide an authenticated token to the default service account somehow.
from fissile.
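The service-account authentication described in the last comment, as an added example that is not configgin's code and not part of the thread: a pod reads the token, CA bundle and namespace from the standard Kubernetes mount and sends the token as a bearer credential. The helpers `build_kube_request` and `own_pod_path`, the pod name `nats-0` and the token value are hypothetical or constructed.

```ruby
require 'net/http'
require 'openssl'
require 'tmpdir'

# Standard mount point of a pod's service account credentials.
SA_DIR = '/var/run/secrets/kubernetes.io/serviceaccount'

# Hypothetical helper: build (but do not send) an authenticated GET for the
# Kubernetes API from the service account files found in sa_dir.
def build_kube_request(path, sa_dir: SA_DIR, env: ENV)
  token_file = File.join(sa_dir, 'token')
  # Without a mounted token the API server sees an unauthenticated request.
  raise "no service account token at #{token_file}" unless File.readable?(token_file)
  token = File.read(token_file).strip
  raise "empty service account token at #{token_file}" if token.empty?

  uri = URI("https://#{env.fetch('KUBERNETES_SERVICE_HOST')}:" \
            "#{env.fetch('KUBERNETES_SERVICE_PORT')}#{path}")
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = File.join(sa_dir, 'ca.crt') # trust only the cluster CA

  request = Net::HTTP::Get.new(uri)
  request['Authorization'] = "Bearer #{token}"
  [http, request]
end

# Hypothetical helper: API path of a pod in the namespace mounted beside the token.
def own_pod_path(pod_name, sa_dir: SA_DIR)
  namespace = File.read(File.join(sa_dir, 'namespace')).strip
  "/api/v1/namespaces/#{namespace}/pods/#{pod_name}"
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir| # constructed credentials, not real ones
    File.write(File.join(dir, 'token'), "constructed-token\n")
    File.write(File.join(dir, 'namespace'), "demo\n")
    env = { 'KUBERNETES_SERVICE_HOST' => '10.0.0.1', 'KUBERNETES_SERVICE_PORT' => '443' }
    _http, req = build_kube_request(own_pod_path('nats-0', sa_dir: dir), sa_dir: dir, env: env)
    puts req.path, req['Authorization']
  end
end
```

The request is only built, never sent, so the block runs outside a cluster; inside a pod the default `SA_DIR` and `ENV` apply.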