Can't have both global and non-global service account rules
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Canonical Juju |
Fix Released
|
High
|
Yang Kelvin Liu |
Bug Description
In the k8s spec, service accounts are defined like:
kubernetesResou
serviceAccounts:
- name: nginx-ingress
automount
global: true
rules: []
There are cases where you need the equivalent of a Role and a ClusterRole attached to a single ServiceAccount (my use case here is porting the nginx-ingress helm chart).
To illustrate the issue, here is a potential fix to the spec:
kubernetesResou
serviceAccoun
- name: nginx-ingress-
global: true
rules: []
- name: nginx-ingress-rules
global: false
rules: []
serviceAccounts:
- name: nginx-ingress
automount
rules:
- nginx-ingress-
- nginx-ingress-rules
Which would create a ClusterRole, ClusterRoleBinding, Role, RoleBinding, and the ServiceAccount.
A variation on this would be to have something like kubernetesResou
tags: | added: k8s |
Changed in juju: | |
milestone: | none → 2.8-beta1 |
status: | New → Triaged |
importance: | Undecided → High |
Changed in juju: | |
status: | In Progress → Fix Committed |
Changed in juju: | |
status: | Fix Committed → Fix Released |
https:/ /github. com/juju/ juju/pull/ 11293 will land to 2.8 to add this feature for k8s spec v3.