This repository was archived by the owner on Dec 12, 2020. It is now read-only.
pods fail to start in a fresh AKS cluster #8
Open
Description
Steps to reproduce
- Provision an AKS cluster:
  az aks create --name testregwrite -g testregwrite
- Grab creds:
  az aks get-credentials -g testregwrite --name testregwrite
- Create a service account for tiller:
  kubectl create serviceaccount --namespace kube-system tiller
  kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
- Install helm:
  helm init --service-account tiller
- Install registry rewriter:
  helm install -n registry-writer --namespace kube-system \
    --set containerRegistryUrl=<url> \
    --set caBundle=<caBundle> \
    --set webhookImage=lawrencegripper/imagenamemutatingcontroller:30 \
    --set imagePullSecretName=cluster-local-image-secret \
    https://github.com/lawrencegripper/MutatingAdmissionsController/releases/download/v0.1.1/registry-rewriter-0.1.0.tgz
Actual results:
kubectl logs registry-writer-registry-rewriter-bqng5 -n kube-system
creating certs in tmpdir /tmp/tmp.Mw4KoGqRGu
Generating RSA private key, 2048 bit long modulus
...................................+++
................+++
e is 65537 (0x10001)
Error from server (Forbidden): error when creating "STDIN": certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kube-system:default" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
Notes:
I can work around this issue by granting kube-system:default cluster-admin but I’m guessing this isn’t good practice. E.g., kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default
The software works fine if I helm install after the above.
Is the fix to update the deployment.yaml to allow a service-account to be specified? Then is there a particular clusterrole that we can use beside cluster-admin?
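The log above shows the pod running as `system:serviceaccount:kube-system:default` and being denied `create` on `certificatesigningrequests.certificates.k8s.io`. Binding that default service account to `cluster-admin` hands every other pod in `kube-system` that uses the default account full cluster rights, so a narrower grant is preferable. The manifest below is an added example, not part of this issue or of the registry-rewriter chart: it creates a dedicated service account, a ClusterRole limited to the CSR operations the bootstrap step appears to need, and binds the two. The names (`registry-rewriter`, `registry-rewriter-csr`) and the list of verbs are assumptions chosen for illustration; the chart's actual init script may need more (for example on `mutatingwebhookconfigurations` if it registers the webhook itself), which the log does not show.

```yaml
# Added example: least-privilege RBAC for the registry-rewriter bootstrap
# instead of binding kube-system:default to cluster-admin.
# All names below are assumptions, not the chart's own identifiers.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: registry-rewriter          # assumed name
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: registry-rewriter-csr      # assumed name
rules:
  # The operation that fails in the issue log: creating a CSR. get/list/watch
  # let the script read the issued certificate back; delete lets it clean up.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["create", "get", "list", "watch", "delete"]
  # Only needed if the bootstrap script also approves its own CSR
  # (kubectl certificate approve). Drop this rule if approval is done elsewhere.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/approval"]
    verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: registry-rewriter-csr      # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: registry-rewriter-csr
subjects:
  - kind: ServiceAccount
    name: registry-rewriter
    namespace: kube-system
---
# Fragment of the webhook Deployment (assumed shape) showing the one field the
# chart's deployment.yaml would need to expose: serviceAccountName.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry-rewriter          # assumed name
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: registry-rewriter
  template:
    metadata:
      labels:
        app: registry-rewriter
    spec:
      serviceAccountName: registry-rewriter   # instead of the implicit "default"
      containers:
        - name: webhook
          image: lawrencegripper/imagenamemutatingcontroller:30
```

Before reinstalling the chart, the grant can be checked without running the pod: `kubectl auth can-i create certificatesigningrequests.certificates.k8s.io --as=system:serviceaccount:kube-system:registry-rewriter` should print `yes`, and the same command with `--as=system:serviceaccount:kube-system:default` should still print `no`. On newer Kubernetes versions, approving a CSR additionally requires `approve` on the `signers` resource for the signer in use, so if the script does approve its own request that rule would have to be added as well.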