Activity log for bug #1829358

Date | Who | What changed | Old value | New value | Message
2019-05-16 09:56:32 | yann degat | bug | | | added bug
2019-06-04 07:46:46 | yann degat | information type | Private Security | Public |
2019-06-04 07:59:53 | yann degat | description | (old description, below) | (new description, below) |

Old value (description):

In the helm-toolkit
openstack-helm-infra/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
&
openstack-helm-infra/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_role.tpl
there's a situation where the rolebinding may reference a serviceaccount in the wrong namespace.

The service account is created in the "Release" namespace.
https://github.com/openstack/openstack-helm-infra/blob/master/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl#L21
but the ref is on a computed value based on the `allNamespace` set:
https://github.com/openstack/openstack-helm-infra/blob/master/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl#L65-L67

New value (description):

In the helm-toolkit
openstack-helm-infra/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
&
openstack-helm-infra/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_role.tpl
there's a situation where the rolebinding may reference a serviceaccount in the wrong namespace.

The service account is created in the "Release" namespace.
https://github.com/openstack/openstack-helm-infra/blob/master/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl#L21
but the ref is on a computed value based on the `allNamespace` set:
https://github.com/openstack/openstack-helm-infra/blob/master/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl#L65-L67

For instance: if you deploy the keystone chart in a "keystone" namespace, then the glance chart in an "openstack" namespace, the stackanetes/kubernetes-entrypoint will be stuck on resolving its dependencies because rolebindings will have a SA reference in the openstack namespace, whereas the SA would have been created in the keystone namespace.