Run help wrapper without admin level permission #91

Open
Formartha opened this issue Aug 1, 2023 · 12 comments

@Formartha

Hi,

We have a use case where we can't provide admin (cluster) level access. Is there any way to deploy the helm wrapper without it?
I'm referring to the serviceaccount.yaml modification to use a lower security level user.

@opskumu
Owner

opskumu commented Aug 1, 2023

Yes, you can use a lower security level user with serviceaccount.yaml.

@Formartha
Author

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "helm-wrapper.serviceAccountName" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: {{ include "helm-wrapper.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}
```

One more question: is there any way to avoid using a cluster role binding (e.g. cluster level operations)?

@opskumu
Owner

opskumu commented Aug 1, 2023

@Formartha you can use Role and RoleBinding: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-example. cluster-admin is a K8s built-in cluster role; you can also create a role to grant permissions.
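
Added example (not part of the thread and not the helm-wrapper chart's own template): a namespaced Role and RoleBinding in place of the cluster-admin ClusterRoleBinding quoted above. The rule list is an assumption: Helm 3 keeps release records as Secrets in the release namespace by default, and the remaining resource kinds depend on the charts the wrapper is asked to install.

```yaml
# Added example; rules are assumed, not taken from the helm-wrapper project.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "helm-wrapper.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
rules:
  # Helm 3 default storage driver: release records are Secrets in this namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "create", "update", "delete"]
  # Kinds rendered by the charts being installed (assumed set; trim or extend
  # to match what your charts actually contain).
  - apiGroups: [""]
    resources: ["configmaps", "services", "serviceaccounts", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "helm-wrapper.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role            # namespaced Role instead of ClusterRole/cluster-admin
  name: {{ include "helm-wrapper.serviceAccountName" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "helm-wrapper.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
```

A Role grants nothing outside its own namespace, so each namespace the wrapper manages needs its own Role and RoleBinding for this service account.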

@Formartha
Author

Thanks!
What is the list of permissions it needs?

@Formartha
Author

OK, now I have another issue.
I need to understand why the security context requires toYaml in order to load it. We are using a string in our deployment; what should the value be? Can you give an example?

@opskumu
Owner

opskumu commented Aug 3, 2023

> security context requires toYaml

You mean the helm-wrapper config needs YAML? I don't really understand; can you give an example?

@Formartha
Author

So I have used a hardcoded value in the values.yaml file to enable the security context.
Removed the curly brackets and tried to deploy the helm-wrapper in OCP. This in its turn led to an issue with starting up the container.

When looking at the logs, there is an error related to /tmp with permission denied. What can be the cause of it?

@opskumu
Owner

opskumu commented Aug 3, 2023

Can you give the detailed error log output, or show screenshots of the error log?

@Formartha
Author

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Sun Aug 06 08:10:06 UTC 2023

There was an unexpected error (type=Not Found, status=404).


This is the issue we are facing, probably it's related to rules of the namespace. Can you please help us with the rules it needs to have in order to run?

@GastonKanzepolsky

Hi, I have the same issue.

When I am deploying helm-wrapper I need to change the serviceaccount.yaml manifest to use my own Role, because I can't use a cluster role binding in the OpenShift cluster (permission restricted).

But it looks like the Role created is not working OK or doesn't have enough permissions, and I see the same error when trying to browse any API, for example helm-wrapper/api/namespaces/MYNAMESPACE/releases

The pod is up and running and I don't see issues in the logs, but the UI is not working.

Thanks

@opskumu
Owner

opskumu commented Aug 8, 2023

> Whitelabel Error Page
>
> This application has no explicit mapping for /error, so you are seeing this as a fallback.
>
> Sun Aug 06 08:10:06 UTC 2023
>
> There was an unexpected error (type=Not Found, status=404).
>
> This is the issue we are facing, probably it's related to rules of the namespace. Can you please help us with the rules it needs to have in order to run?

It looks like a Spring Boot application error; can you test by accessing the helm-wrapper pod IP directly?

@opskumu
Owner

opskumu commented Aug 8, 2023

> Hi, I have the same issue.
>
> When I am deploying helm-wrapper I need to change the serviceaccount.yaml manifest to use my own Role, because I can't use a cluster role binding in the OpenShift cluster (permission restricted).
>
> But it looks like the Role created is not working OK or doesn't have enough permissions, and I see the same error when trying to browse any API, for example helm-wrapper/api/namespaces/MYNAMESPACE/releases
>
> The pod is up and running and I don't see issues in the logs, but the UI is not working.
>
> Thanks

I will check it again without admin permission.
