
[feature request] Ability to deploy an operator with permissions only at the namespace level

Open tropnikovvl opened this issue 1 year ago • 13 comments

In continuation of this topic https://github.com/Altinity/clickhouse-operator/issues/1422.

It would be great to be able to deploy a CH operator using Helm without cluster-level permissions, but only in a specific namespace.

tropnikovvl, May 22 '24 20:05

@tropnikovvl, it is possible to use RoleBinding with limited namespaces instead of ClusterRoleBinding. See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example

alex-zaitsev, Nov 04 '24 14:11

It would be nice to have a configurable option that will create a Role and RoleBinding for the namespace instead of a ClusterRole and ClusterRoleBinding.

liyaka, Mar 19 '25 14:03

@liyaka try

curl -sL https://github.com/Altinity/clickhouse-operator/raw/refs/heads/master/deploy/operator/clickhouse-operator-install-ansible.yaml | sed -e 's/{{ namespace }}/your-namespace/g' | kubectl apply -f -

Slach, Mar 19 '25 16:03

Is there an option to configure it in the values file of the helm chart? I am not looking for a hack.

liyaka, Mar 19 '25 17:03

And I cannot use ClusterRole.

liyaka, Mar 19 '25 17:03

No option for the helm chart.

Slach, Mar 19 '25 17:03

@Slach / @alex-zaitsev I can contribute to this if the requirement seems sound.

dashashutosh24, Apr 28 '25 14:04

Raised the PR https://github.com/Altinity/clickhouse-operator/pull/1698 to address this issue

dashashutosh24, Apr 30 '25 17:04

Hi @Slach, I encountered a problem: if the operator specifies several namespaces in the watch section and is given Role access rights to these namespaces, then it spams errors and does nothing.

  serviceAccount:
    name: altinity-clickhouse-operator
  rbac:
    create: false
  configs:
    files:
      config.yaml:
        watch:
          namespaces: ["test1", "test2"]

The same for test2

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: altinity-clickhouse-operator-test1
  namespace: test1
rules:
    ...

The same for test2

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: altinity-clickhouse-operator-test1
  namespace: test1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: altinity-clickhouse-operator-test1
subjects:
- kind: ServiceAccount
  name: altinity-clickhouse-operator
  namespace: ch-operator

The same for test2

---
apiVersion: "clickhouse.altinity.com/v1"
kind: "ClickHouseInstallation"
metadata:
  name: test-001
  namespace: test1
spec:
  configuration:
    clusters:
      - name: single

altinity-clickhouse-operator W0513 11:33:17.083184 1 reflector.go:533] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "services" in API group "" at the cluster scope
altinity-clickhouse-operator E0513 11:33:17.083309 1 reflector.go:148] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "services" in API group "" at the cluster scope
altinity-clickhouse-operator W0513 11:33:21.992758 1 reflector.go:533] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "endpoints" in API group "" at the cluster scope
altinity-clickhouse-operator E0513 11:33:21.992885 1 reflector.go:148] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Endpoints: failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "endpoints" in API group "" at the cluster scope
altinity-clickhouse-operator W0513 11:33:24.221403 1 reflector.go:533] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "pods" in API group "" at the cluster scope
altinity-clickhouse-operator E0513 11:33:24.221559 1 reflector.go:148] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "pods" in API group "" at the cluster scope
altinity-clickhouse-operator W0513 11:33:25.141104 1 reflector.go:533] k8s.io/client-go/informers/factory.go:150: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "configmaps" in API group "" at the cluster scope
altinity-clickhouse-operator E0513 11:33:25.141423 1 reflector.go:148] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "configmaps" in API group "" at the cluster scope
altinity-clickhouse-operator W0513 11:33:33.435502 1 reflector.go:533] pkg/client/informers/externalversions/factory.go:132: failed to list *v1.ClickHouseOperatorConfiguration: clickhouseoperatorconfigurations.clickhouse.altinity.com is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "clickhouseoperatorconfigurations" in API group "clickhouse.altinity.com" at the cluster scope
altinity-clickhouse-operator E0513 11:33:33.435730 1 reflector.go:148] pkg/client/informers/externalversions/factory.go:132: Failed to watch *v1.ClickHouseOperatorConfiguration: failed to list *v1.ClickHouseOperatorConfiguration: clickhouseoperatorconfigurations.clickhouse.altinity.com is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "clickhouseoperatorconfigurations" in API group "clickhouse.altinity.com" at the cluster scope
altinity-clickhouse-operator W0513 11:33:36.752400 1 reflector.go:533] pkg/client/informers/externalversions/factory.go:132: failed to list *v1.ClickHouseInstallation: clickhouseinstallations.clickhouse.altinity.com is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "clickhouseinstallations" in API group "clickhouse.altinity.com" at the cluster scope
altinity-clickhouse-operator E0513 11:33:36.752508 1 reflector.go:148] pkg/client/informers/externalversions/factory.go:132: Failed to watch *v1.ClickHouseInstallation: failed to list *v1.ClickHouseInstallation: clickhouseinstallations.clickhouse.altinity.com is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "clickhouseinstallations" in API group "clickhouse.altinity.com" at the cluster scope
altinity-clickhouse-operator W0513 11:33:49.222023 1 reflector.go:533] k8s.io/client-go/informers/factory.go:150: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "statefulsets" in API group "apps" at the cluster scope
altinity-clickhouse-operator E0513 11:33:49.222232 1 reflector.go:148] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.StatefulSet: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "statefulsets" in API group "apps" at the cluster scope
altinity-clickhouse-operator W0513 11:33:49.604302 1 reflector.go:533] pkg/client/informers/externalversions/factory.go:132: failed to list *v1.ClickHouseInstallationTemplate: clickhouseinstallationtemplates.clickhouse.altinity.com is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "clickhouseinstallationtemplates" in API group "clickhouse.altinity.com" at the cluster scope
altinity-clickhouse-operator E0513 11:33:49.604449 1 reflector.go:148] pkg/client/informers/externalversions/factory.go:132: Failed to watch *v1.ClickHouseInstallationTemplate: failed to list *v1.ClickHouseInstallationTemplate: clickhouseinstallationtemplates.clickhouse.altinity.com is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "clickhouseinstallationtemplates" in API group "clickhouse.altinity.com" at the cluster scope

tropnikovvl, May 13 '25 11:05
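The forbidden messages in the comment above state exactly what the service account was denied and at which scope. As an added example (not the operator's code and not part of this thread), the Python below parses log lines of that shape into distinct denials, flags the ones issued "at the cluster scope" (which no namespaced Role can satisfy, however many namespaces it is bound in), and collapses the rest into the (apiGroup, resource) -> verbs shape a Role rule would need; the sample log lines are constructed to match the format quoted above.

```python
import re

# Constructed log lines in the shape of the client-go reflector errors quoted
# above: a W/E pair for one denial, a cluster-scoped "apps" denial, one namespaced.
SAMPLE_LOG = """\
W0513 11:33:17.083184 1 reflector.go:533] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "services" in API group "" at the cluster scope
E0513 11:33:17.083309 1 reflector.go:148] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "services" in API group "" at the cluster scope
E0513 11:33:49.222232 1 reflector.go:148] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.StatefulSet: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "statefulsets" in API group "apps" at the cluster scope
W0513 11:34:02.000000 1 reflector.go:533] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:ch-operator:altinity-clickhouse-operator" cannot list resource "pods" in API group "" in the namespace "test3"
"""

# The RBAC "forbidden" message has a fixed shape; its tail tells us the scope.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" (?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)


def parse_denials(log_text):
    """Distinct denials in first-seen order: user, verb, resource, group and
    scope ("cluster" or the namespace name). The reflector logs each failure
    twice (a W line and an E line), so duplicates are dropped."""
    denials = []
    for line in log_text.splitlines():
        m = FORBIDDEN_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["scope"] = d.pop("ns") or "cluster"
        if d not in denials:
            denials.append(d)
    return denials


def unsatisfiable_by_role(denials):
    """Cluster-scoped denials: no namespaced Role can grant these, however many
    namespaces it is bound in; they come from a list/watch across the whole cluster."""
    return [d for d in denials if d["scope"] == "cluster"]


def needed_rules(denials):
    """Collapse denials into RBAC rule shape: (apiGroup, resource) -> set of verbs."""
    rules = {}
    for d in denials:
        rules.setdefault((d["group"], d["resource"]), set()).add(d["verb"])
    return rules
```

Run against a real operator log, a non-empty result from unsatisfiable_by_role tells you that adding more per-namespace Roles will not help, because the denied call itself is cluster-wide.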

@tropnikovvl, which clickhouse-operator version do you use? How did you install it?

Slach, May 13 '25 11:05

@Slach 0.23.7.

Helm installation. I added roles/rolebindings separately manually for testing.

  serviceAccount:
    name: altinity-clickhouse-operator
  rbac:
    create: false
  configs:
    files:
      config.yaml:
        watch:
          namespaces: ["test1", "test2"]

And from GitHub. I added watches/roles/rolebindings separately manually for testing.

curl -sL https://raw.githubusercontent.com/Altinity/clickhouse-operator/0.23.7/deploy/operator/clickhouse-operator-install-ansible.yaml \
  | sed -e 's/{{ namespace }}/ch-operator/g' -e 's/{{ password }}/""/g' \
  | kubectl apply -f -

tropnikovvl, May 13 '25 11:05

@tropnikovvl please upgrade to 0.24.5

Slach, May 13 '25 14:05

@Slach Is there any way to solve the problem for version 0.23.7 without updating?

tropnikovvl, May 13 '25 14:05