-
Strimzi needs to be able to create ClusterRoleBindings and you did not allow it to do so. ClusterRoleBindings are needed for example for Rack awareness or for NodePort listeners as they need to be able to get the details of the node on which the Pod is running (and as Kubernetes nodes are a cluster-wide resource, you need a ClusterRoleBinding and ClusterRole to grant it).
-
PS: If you want an external listener without these RBAC rights, you could use load balancers or Ingress for example. The bigger issue is typically the rack awareness which is important for production-grade clusters.
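The cluster-scoped RBAC the explanation above refers to, as an added example that is not taken from the Strimzi installation files: the service account and namespace come from the error message in this thread, the role and binding names are assumptions. It shows the two grants involved: the operator's own right to manage ClusterRoleBindings, and the node read access it hands to the Kafka init container, which the operator must itself hold (or have the `bind` verb for) because Kubernetes refuses ClusterRoleBindings that grant more than the creator has.

```yaml
# Added example, not Strimzi's own manifests. Role/binding names are assumed;
# the subject matches "system:serviceaccount:myuser:strimzi-cluster-operator".
---
# 1. What the operator needs: manage the per-cluster ClusterRoleBindings
#    it creates for the Kafka init container (the GET that was denied above).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-cluster-operator-clusterrolebindings   # assumed name
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings"]
    verbs: ["get", "create", "delete", "patch", "update"]
---
# 2. What the operator hands out: read-only access to Node objects so the
#    init container can read the zone label (rack) or node address (NodePort).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: strimzi-kafka-node-reader   # assumed name
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
---
# 3. Bind role 1 to the operator service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: strimzi-cluster-operator-clusterrolebindings
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: strimzi-cluster-operator-clusterrolebindings
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: myuser
---
# 4. Also bind role 2 to the operator: RBAC escalation prevention means the
#    operator can only grant "get nodes" onward if it holds that verb itself.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: strimzi-cluster-operator-node-reader-delegation
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: strimzi-kafka-node-reader
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: myuser
```

Before applying, `kubectl auth can-i get clusterrolebindings --as=system:serviceaccount:myuser:strimzi-cluster-operator` reproduces the denial from the log; the same command reports `yes` once the bindings are in place.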
-
Understood. So the following statement would be considered true mostly:
-
Managed to install the Strimzi operator inside a "privileged" namespace with the least privileges required by the installation. Everything works quite fine despite the external listener, which throws the following error:
is forbidden: User "system:serviceaccount:myuser:strimzi-cluster-operator" cannot get resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope.
Detailed:
2024-11-20 16:18:23 WARN AbstractOperator:556 - Reconciliation #3(timer) Kafka(mynamespace/kafka-one-broker-cluster): Failed to reconcile io.vertx.core.impl.NoStackTraceThrowable: Failure executing: GET at: https://10.43.27.58:443/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/strimzi-kafka-one-broker-cluster-kafka-init. Message: clusterrolebindings.rbac.authorization.k8s.io "strimzi-kafka-one-broker-cluster-kafka-init" is forbidden: User "system:serviceaccount:myuser:strimzi-cluster-operator" cannot get resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope. Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=rbac.authorization.k8s.io, kind=clusterrolebindings, name=strimzi-kafka-one-broker-cluster-kafka-init, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=clusterrolebindings.rbac.authorization.k8s.io "strimzi-kafka-one-broker-cluster-kafka-init" is forbidden: User "system:serviceaccount:myuser:strimzi-cluster-operator" cannot get resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).
Not sure why this permission would be needed? Is this a hard requirement for external listeners and why?