vcluster requires List namespace privilege #2546

Open
antoinetran opened this issue Feb 26, 2025 · 2 comments

antoinetran commented Feb 26, 2025

What happened?

With version 0.20.0-beta.1, vcluster deployed without creating the namespace.
With version >= 0.20.0, vcluster adds a hardcoded --create-namespace, which requires oc to list namespace.

In an environment where this privilege is not given, because only one namespace is allowed, this ends in an error:

85 [debug] getting history for release my-vcluster
Release "my-vcluster" does not exist. Installing it now.
install.go:225: 2025-02-26 17:34:45.504054107 +0000 UTC m=+0.303771631 [debug] Original chart version: ""
install.go:242: 2025-02-26 17:34:45.504142182 +0000 UTC m=+0.303859705 [debug] CHART PATH: /tmp/vcluster-0.23.0.tgz-4163262726

client.go:142: 2025-02-26 17:34:46.887421897 +0000 UTC m=+1.687139405 [debug] creating 1 resource(s)
Error: 1 error occurred:
        * namespaces is forbidden: User "XX" cannot create resource "namespaces" in API group "" at the cluster scope

helm.go:86: 2025-02-26 17:34:46.932141242 +0000 UTC m=+1.731858762 [debug] 1 error occurred:
        * namespaces is forbidden: User "XX" cannot create resource "namespaces" in API group "" at the cluster scope

What did you expect to happen?

The --create-namespace is not set if vcluster does not set it.

How can we reproduce it (as minimally and precisely as possible)?

  1. deploy a Kubernetes cluster (with KIND?)
  2. create a namespace
  3. create an RBAC to restrict list namespace and a serviceAccount
  4. deploy vcluster using that serviceAccount

Anything else we need to know?

Environment is OKD.

Host cluster Kubernetes version

$ oc version
Client Version: v4.2.0-alpha.0-2103-g48dcf59
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Kubernetes Version: v1.28.4

vcluster version

0.20.0-beta.1 => OK (no --create-namespace)
0.20.0 and 0.23.0 => KO (--create-namespace)

VCluster Config

nothing relevant

@antoinetran
Author

This is where --create-namespace is hard-coded: https://github.com/loft-sh/vcluster/blob/v0.23.0/cmd/vclusterctl/cmd/platform/add/cluster.go#L195

Workaround: probably do not use the vcluster binary and use the helm chart to deploy instead

@antoinetran
Author

Workaround: create a helm script, to be put in PATH, that removes this hard-coded --create-namespace (dirty!!)

#!/bin/sh

helmOverride() {
  helmOriginalPath=/usr/sbin/helm
  argIndex=0
  while test "${argIndex}" -lt "$#" ; do
    if test "$1" = "--create-namespace" ; then
      # We will shift and lose one argument, so no increment of argIndex needed.
      :
    else
      # We put the argument at the end, doing at the end a permutation of all argument.
      set -- "$@" "$1"
      argIndex="$((argIndex + 1))"
    fi
    shift
  done
  "${helmOriginalPath}" "$@"
}

helmOverride "$@"
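
A pre-flight check for the failure reported in this issue, as an added example that is not part of the original thread or of the vcluster project: it asks the API server whether the current identity may create namespaces at cluster scope and, if not, whether it can still deploy into one existing namespace. The function names, the `KUBECTL` variable and the choice of `statefulsets.apps` and `secrets` as representative namespaced resources are assumptions.

```shell
#!/bin/sh
# Added example (not vcluster project code). Pre-flight check for a
# namespace-restricted identity before a release that passes
# --create-namespace to Helm.
# Assumptions: kubectl (or oc, via KUBECTL=oc) is on PATH and already
# authenticated as the deploying identity; function names are hypothetical.

KUBECTL="${KUBECTL:-kubectl}"

# can_i VERB RESOURCE [extra args]: succeeds when the API server answers
# "yes" to an access review for the current identity.
can_i() {
  "$KUBECTL" auth can-i "$@" >/dev/null 2>&1
}

# preflight NAMESPACE: prints one finding and returns
#   0  cluster-scoped namespace create is allowed, --create-namespace works
#   1  identity is confined to NAMESPACE: deploy there without the flag
#   2  identity cannot deploy workloads in NAMESPACE at all
preflight() {
  ns="$1"
  if can_i create namespaces; then
    echo "ok: may create namespaces at cluster scope"
    return 0
  fi
  # Representative namespaced resources (assumption), checked inside $ns only.
  if can_i create statefulsets.apps -n "$ns" && can_i create secrets -n "$ns"; then
    echo "restricted: no cluster-scoped namespace create; deploy into existing '$ns' without --create-namespace"
    return 1
  fi
  echo "denied: cannot create workloads in '$ns'"
  return 2
}
```

Run `preflight <namespace>` as the service account used for the deployment; a return value of 1 corresponds to the situation described in this issue.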

