Can't have both global and non-global service account rules
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Canonical Juju |
Fix Released
|
High
|
Yang Kelvin Liu | ||
Bug Description
In the k8s spec, service accounts are defined like:
kubernetesResou
serviceAccounts:
- name: nginx-ingress
automount
global: true
rules: []
There are cases where you need the equivalent of a Role and a ClusterRole attached to a single ServiceAccount (my use case here is porting the nginx-ingress helm chart).
To illustrate the issue, here is a potential fix to the spec:
kubernetesResou
serviceAccoun
- name: nginx-ingress-
global: true
rules: []
- name: nginx-ingress-rules
global: false
rules: []
serviceAccounts:
- name: nginx-ingress
automount
rules:
- nginx-ingress-
- nginx-ingress-rules
Which would create a ClusterRole, ClusterRoleBinding, Role, RoleBinding, and the ServiceAccount.
A variation on this would be to have something like kubernetesResou
| tags: | added: k8s |
| Changed in juju: | |
| milestone: | none → 2.8-beta1 |
| status: | New → Triaged |
| importance: | Undecided → High |
| Yang Kelvin Liu (kelvin.liu) wrote | #1 |
| Changed in juju: | |
| status: | Triaged → In Progress |
| assignee: | nobody → Yang Kelvin Liu (kelvin.liu) |
| Changed in juju: | |
| status: | In Progress → Fix Committed |
| Changed in juju: | |
| status: | Fix Committed → Fix Released |
https:/