Mixed up Namespaces for service accounts

Bug #1829358 reported by yann degat
This bug affects 2 people
Affects: openstack-helm-infra
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

In the helm-toolkit

openstack-helm-infra/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl

&

openstack-helm-infra/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_role.tpl

there's a situation where the rolebinding may reference a serviceaccount in the wrong namespace.

The service account is created in the "Release" namespace.
https://github.com/openstack/openstack-helm-infra/blob/master/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl#L21

But the ref is on a computed value based on the `allNamespace` set:
https://github.com/openstack/openstack-helm-infra/blob/master/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl#L65-L67

For instance, if you deploy the keystone chart in a "keystone" namespace, then the glance chart in an "openstack" namespace, the stackanetes/kubernetes-entrypoint will be stuck on resolving its dependencies, because rolebindings will have a SA reference in the openstack namespace, whereas the SA would have been created in the keystone namespace.

information type: Private Security → Public
description: updated
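
A way to catch this mismatch before deploying, as an added example that is not part of the bug report or the helm-toolkit code: the check below walks already-rendered manifests and reports every RoleBinding subject that names a ServiceAccount no manifest creates in that namespace. The object names, the `RENDERED` sample and the `dangling_subjects` helper are constructed for illustration; the manifests are assumed to be loaded as dicts already.

```python
# Constructed sample of rendered objects; names are illustrative, not the
# real output of the helm-toolkit templates.
RENDERED = [
    {"kind": "ServiceAccount",
     "metadata": {"name": "glance-api", "namespace": "keystone"}},
    {"kind": "RoleBinding",
     "metadata": {"name": "glance-api-deps", "namespace": "openstack"},
     "roleRef": {"kind": "Role", "name": "glance-api-deps"},
     "subjects": [{"kind": "ServiceAccount", "name": "glance-api",
                   "namespace": "openstack"}]},
    {"kind": "ServiceAccount",
     "metadata": {"name": "keystone-api", "namespace": "keystone"}},
    {"kind": "RoleBinding",
     "metadata": {"name": "keystone-api-deps", "namespace": "keystone"},
     "roleRef": {"kind": "Role", "name": "keystone-api-deps"},
     "subjects": [{"kind": "ServiceAccount", "name": "keystone-api",
                   "namespace": "keystone"}]},
]


def dangling_subjects(objects):
    """Return RoleBinding subjects whose ServiceAccount is not created
    in the namespace the subject names."""
    created = {(o["metadata"].get("namespace"), o["metadata"]["name"])
               for o in objects if o.get("kind") == "ServiceAccount"}
    findings = []
    for o in objects:
        if o.get("kind") != "RoleBinding":
            continue
        meta = o["metadata"]
        for s in o.get("subjects") or []:
            if s.get("kind") != "ServiceAccount":
                continue
            if (s.get("namespace"), s["name"]) in created:
                continue
            # Same name created elsewhere: the mix-up from the report.
            elsewhere = sorted(ns for ns, name in created
                               if name == s["name"] and ns)
            findings.append({
                "binding": f'{meta.get("namespace")}/{meta["name"]}',
                "subject": f'{s.get("namespace")}/{s["name"]}',
                "created_in": elsewhere,
            })
    return findings


if __name__ == "__main__":
    for f in dangling_subjects(RENDERED):
        print(f"{f['binding']}: subject {f['subject']} missing; "
              f"ServiceAccount exists in {f['created_in'] or 'no namespace'}")
```

A non-empty `created_in` list separates a namespace mix-up from a ServiceAccount that is missing altogether.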