rancher/osbuilder
1
0
Fork 0
mirror of https://github.com/kairos-io/osbuilder.git synced 2025-08-31 23:10:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

[WIP] Create rbac resources to allow the Job to copy to the server Pod

Browse Source 
Currently fails with:

```
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:hello-kairos" cannot list resource "pods" in API group "" at the cluster scope
```

because we try to list pods with `-A`. This means we are going to get a
similar error if we try to copy files to a Pod on another namespace
unless we grant permission at the cluster scope or just that
namespace. (Is that possible? Maybe if we create the Role in the same
namespace as the server.)

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
This commit is contained in:
Dimitris Karakasilis
2022-12-08 16:35:45 +02:00
parent 44a48d7890
commit 224291994f
10 changed files with 255 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
main.go
View File

@@ -53,11 +53,19 @@ func main() {
var enableLeaderElection bool
var probeAddr string
var serveImage, toolImage string
var copyToPodLabel, copyToNamespace, copyToPath, copierRole string
flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
flag.StringVar(&serveImage, "serve-image", "nginx", "Serve image.")
// It needs luet inside
flag.StringVar(&toolImage, "tool-image", "quay.io/kairos/osbuilder-tools:latest", "Tool image.")
// Information on where to copy the artifacts
flag.StringVar(&copyToPodLabel, "copy-to-pod-label", "", "The label of the Pod to which artifacts should be copied.")
flag.StringVar(&copyToNamespace, "copy-to-namespace", "", "The namespace of the copy-to-pod-label Pod.")
flag.StringVar(&copyToPath, "copy-to-path", "", "The path under which to copy artifacts in the copy-to-pod-label Pod.")
flag.StringVar(&copierRole, "copy-role", "", "The name or the Kubernetes Role that has the permissions to copy artifacts to the copy-to-pod-label Pod")
flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
flag.BoolVar(&enableLeaderElection, "leader-elect", false,
"Enable leader election for controller manager. "+
@@ -98,7 +106,13 @@ func main() {
Client: mgr.GetClient(),
ServingImage: serveImage,
ToolImage: toolImage,
Scheme: mgr.GetScheme(),
ArtifactPodInfo: controllers.ArtifactPodInfo{
Label: copyToPodLabel,
Namespace: copyToNamespace,
Path: copyToPath,
Role: copierRole,
},
Scheme: mgr.GetScheme(),
}).SetupWithManager(mgr); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "OSArtifact")
os.Exit(1)