Failed to create namespace for release: namespaces is forbidden #128

Open
braghettos opened this issue May 16, 2022 · 2 comments
Labels
bug Something isn't working


What happened?

I'm trying to use provider-helm to install the argocd Helm chart, but I'm getting the following issue:

Failed to create namespace for release: namespaces is forbidden: User "system:serviceaccount:crossplane-system:provider-helm-b9e90b3c7ff8" cannot create resource "namespaces" in API group "" at the cluster scope

How can we reproduce it?

This is how I'm configuring my managed resource in my composition:

    - base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: Release
        metadata:
          annotations:
            crossplane.io/external-name: argocd
        spec:
          forProvider:
            chart:
              name: argo-cd
              repository: https://argoproj.github.io/argo-helm
              version: 4.6.0
            namespace: krateo-system

What environment did it happen in?

  • Crossplane version: 1.7.1
  • Cloud provider or hardware configuration: GCP
  • Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:51:05Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.11-gke.900", GitCommit:"20da4c21b3a6b1a56ff6ad5ecb7dee013aaf1b83", GitTreeState:"clean", BuildDate:"2022-03-30T09:37:00Z", GoVersion:"go1.16.15b7", Compiler:"gc", Platform:"linux/amd64"}
  • Kubernetes distribution (e.g. Tectonic, GKE, OpenShift): GKE
  • provider-helm version: 0.10.0

portswigger-tim commented Dec 6, 2022

I know that this was a while ago...

You probably need to bind the provider service account to a ClusterRole with privileges or use a ControllerConfig to assign a ServiceAccount bound to an appropriate ClusterRole.

Here is what I've started with:

---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-helm
spec:
  package: xpkg.upbound.io/crossplane-contrib/provider-helm:v0.12.0
  controllerConfigRef:
    name: provider-helm
---
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: provider-helm
spec:
  serviceAccountName: provider-helm
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: provider-helm
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: provider-helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: provider-helm
  namespace: crossplane-system
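
The denial quoted in the issue names the subject, verb, resource and scope that were refused, which is enough to derive a grant much narrower than `cluster-admin`. The following is an added example, not code from this thread or from provider-helm; the helper names and the object name `provider-helm-namespaces` are assumptions. It covers only the denied request, so a chart that creates other objects the service account lacks rights to will produce further denials to handle the same way.

```python
import json
import re

# Error text copied from the issue above.
DENIAL = ('namespaces is forbidden: User '
          '"system:serviceaccount:crossplane-system:provider-helm-b9e90b3c7ff8" '
          'cannot create resource "namespaces" in API group "" at the cluster scope')

PATTERN = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")')


def parse_denial(message):
    """Extract subject, verb, resource, API group and scope from an RBAC denial."""
    m = PATTERN.search(message)
    if m is None:
        raise ValueError("not a service-account RBAC denial")
    return m.groupdict()


def minimal_grant(denial, name="provider-helm-namespaces"):  # hypothetical name
    """Build the role and binding that allow exactly the denied request."""
    cluster = denial["ns"] is None
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole" if cluster else "Role",
        "metadata": {"name": name},
        "rules": [{"apiGroups": [denial["group"]], "verbs": [denial["verb"]],
                   "resources": [denial["resource"]]}],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding" if cluster else "RoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": role["kind"], "name": name},
        "subjects": [{"kind": "ServiceAccount", "name": denial["sa"],
                      "namespace": denial["sa_ns"]}],
    }
    if not cluster:  # namespaced denial: scope both objects to that namespace
        role["metadata"]["namespace"] = denial["ns"]
        binding["metadata"]["namespace"] = denial["ns"]
    return role, binding

if __name__ == "__main__":
    print(json.dumps(minimal_grant(parse_denial(DENIAL)), indent=2))
```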
