
Restricted Installation instructions incomplete/broken #7747

Open
kfox1111 opened this issue Apr 24, 2024 · 2 comments

Comments


Bug Report

What did you do?

Followed the instructions here:
https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-install-helm.html#k8s-install-helm-restricted

What did you expect to see?

They work

What did you see instead? Under which circumstances?

The operator chart couldn't be installed as a user with a rolebinding of admin in their namespace.

Two problems exist.

  1. The ClusterRoles for elastic-operator-edit and elastic-operator-view aren't created by the process. I manually rendered them from the chart and loaded them in.

  2. Even then, the admin user in the namespace didn't have enough permissions:

{APIGroups:["agent.k8s.elastic.co"], Resources:["agents/finalizers"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["agent.k8s.elastic.co"], Resources:["agents/status"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["apm.k8s.elastic.co"], Resources:["apmservers/finalizers"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["apm.k8s.elastic.co"], Resources:["apmservers/status"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["authorization.k8s.io"], Resources:["subjectaccessreviews"], Verbs:["create"]}
{APIGroups:["autoscaling.k8s.elastic.co"], Resources:["elasticsearchautoscalers/finalizers"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["autoscaling.k8s.elastic.co"], Resources:["elasticsearchautoscalers/status"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["beat.k8s.elastic.co"], Resources:["beats/finalizers"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["beat.k8s.elastic.co"], Resources:["beats/status"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["elasticsearch.k8s.elastic.co"], Resources:["elasticsearches/finalizers"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["elasticsearch.k8s.elastic.co"], Resources:["elasticsearches/status"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["enterprisesearch.k8s.elastic.co"], Resources:["enterprisesearches/finalizers"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["enterprisesearch.k8s.elastic.co"], Resources:["enterprisesearches/status"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["kibana.k8s.elastic.co"], Resources:["kibanas/finalizers"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["kibana.k8s.elastic.co"], Resources:["kibanas/status"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["logstash.k8s.elastic.co"], Resources:["logstashes/finalizers"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["logstash.k8s.elastic.co"], Resources:["logstashes/status"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["maps.k8s.elastic.co"], Resources:["elasticmapsservers/finalizers"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["maps.k8s.elastic.co"], Resources:["elasticmapsservers/status"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["stackconfigpolicy.k8s.elastic.co"], Resources:["stackconfigpolicies/finalizers"], Verbs:["get" "list" "watch" "create" "update" "patch"]}
{APIGroups:["stackconfigpolicy.k8s.elastic.co"], Resources:["stackconfigpolicies/status"], Verbs:["get" "list" "watch" "create" "update" "patch"]}

The SubjectAccessReview one is more sensitive than the rest. Is it really needed?

Environment

  • ECK version:
    2.12.1

  • Kubernetes information:

    • On premise 1.28
    • Kubernetes distribution: vanilla
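The rules listed above are exactly the ones the apiserver's RBAC escalation check trips over: a subject may only create a Role whose every (apiGroup, resource, verb) triple it already holds itself, unless it has the `escalate` verb on roles. The following is an added example, written for this issue and not part of ECK or Kubernetes, that reimplements that coverage test in simplified form (ResourceNames and NonResourceURLs are ignored) and runs it against the rules transcribed from the issue. The set of permissions assumed for the namespace admin is an assumption: full verbs on the top-level Elastic custom resources, as the chart's aggregated elastic-operator-edit ClusterRole would add to `admin`, plus `create` on localsubjectaccessreviews from the built-in `admin` role, and no subresources. The `kubectl auth can-i` commands it emits are for checking the result against a real cluster.

```python
"""Simplified Kubernetes RBAC rule-coverage check (added example, not ECK or
Kubernetes project code). Reproduces why a namespace `admin` cannot create the
elastic-operator Role: the Role needs triples the admin does not hold."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset


def rule(groups, resources, verbs):
    return Rule(frozenset(groups), frozenset(resources), frozenset(verbs))


def _matches(allowed, wanted):
    # A literal "*" in the held rule grants everything in that position; "agents"
    # does NOT cover the subresource "agents/finalizers" (same as the apiserver).
    return "*" in allowed or wanted in allowed


def _covers_atom(held, group, resource, verb):
    return (_matches(held.api_groups, group)
            and _matches(held.resources, resource)
            and _matches(held.verbs, verb))


def uncovered(needed, held):
    """Return [(group, resource, (verbs...))] for every atom of `needed` that no
    rule in `held` covers. Empty list means `held` fully covers `needed`."""
    missing = {}
    for need in needed:
        for g in sorted(need.api_groups):
            for res in sorted(need.resources):
                for v in sorted(need.verbs):
                    if not any(_covers_atom(h, g, res, v) for h in held):
                        missing.setdefault((g, res), set()).add(v)
    return sorted((g, res, tuple(sorted(vs))) for (g, res), vs in missing.items())


def can_create_role(role_rules, held):
    """Mirror the apiserver's escalation check for a Role create request:
    allowed if the creator holds `escalate` on roles, or covers every atom."""
    if any(_covers_atom(h, "rbac.authorization.k8s.io", "roles", "escalate") for h in held):
        return True, []
    missing = uncovered(role_rules, held)
    return not missing, missing


def to_can_i_commands(missing, namespace):
    """Emit `kubectl auth can-i` probes (real kubectl flags) to confirm the gaps
    against a live cluster as the restricted user."""
    cmds = []
    for group, resource, verbs in missing:
        name, _, sub = resource.partition("/")
        qualified = f"{name}.{group}" if group else name
        for v in verbs:
            cmd = f"kubectl auth can-i {v} {qualified}"
            if sub:
                cmd += f" --subresource={sub}"
            cmds.append(f"{cmd} -n {namespace}")
    return cmds


# Constructed input: API group -> top-level resource, as listed in the issue.
ELASTIC_CRDS = {
    "agent.k8s.elastic.co": "agents",
    "apm.k8s.elastic.co": "apmservers",
    "autoscaling.k8s.elastic.co": "elasticsearchautoscalers",
    "beat.k8s.elastic.co": "beats",
    "elasticsearch.k8s.elastic.co": "elasticsearches",
    "enterprisesearch.k8s.elastic.co": "enterprisesearches",
    "kibana.k8s.elastic.co": "kibanas",
    "logstash.k8s.elastic.co": "logstashes",
    "maps.k8s.elastic.co": "elasticmapsservers",
    "stackconfigpolicy.k8s.elastic.co": "stackconfigpolicies",
}
RW = ("get", "list", "watch", "create", "update", "patch")

# The rules the issue reports as missing for the namespace admin (transcribed).
OPERATOR_RULES = (
    [rule([g], [f"{r}/finalizers"], RW) for g, r in ELASTIC_CRDS.items()]
    + [rule([g], [f"{r}/status"], RW) for g, r in ELASTIC_CRDS.items()]
    + [rule(["authorization.k8s.io"], ["subjectaccessreviews"], ["create"])]
)

# ASSUMPTION: what `admin` plus the aggregated elastic-operator-edit ClusterRole
# grants: all verbs on the top-level custom resources, no subresources, and
# `create` on localsubjectaccessreviews (from the built-in `admin` role).
ADMIN_HELD_RULES = (
    [rule([g], [r], RW + ("delete", "deletecollection")) for g, r in ELASTIC_CRDS.items()]
    + [rule(["authorization.k8s.io"], ["localsubjectaccessreviews"], ["create"])]
)

if __name__ == "__main__":
    ok, missing = can_create_role(OPERATOR_RULES, ADMIN_HELD_RULES)
    print("role create allowed:", ok)
    for line in to_can_i_commands(missing, "foo"):
        print(line)
```

Under these assumptions every `/finalizers` and `/status` rule and the `subjectaccessreviews` create rule come back uncovered, which is the list in the issue; granting the user `escalate` on roles (or pre-creating the Role as cluster admin) is what makes the Helm install succeed.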
@botelastic botelastic bot added the triage label Apr 24, 2024
@rhr323 rhr323 added >enhancement Enhancement of existing functionality >docs Documentation and removed triage labels Apr 26, 2024
@thbkrkr thbkrkr added >bug Something isn't working and removed >enhancement Enhancement of existing functionality labels May 14, 2024

thbkrkr commented May 14, 2024

> The operator chart couldn't be installed as a user with a rolebinding of admin in their namespace.

I'm not sure I understand. Could you share the exact steps to reproduce the issue?

> The ClusterRoles for elastic-operator-edit and elastic-operator-view aren't created by the process. I manually rendered them from the chart and loaded them in.

There is no ClusterRoleBinding because createClusterScopedResources is set to false. Instead there are elastic-operator roles created in each namespace (and associated rolebindings to bind the role to the elastic-system/elastic-operator service account).

> k get role -A | grep elastic
elastic-system   elastic-operator                                  2024-05-14T12:45:21Z
namespace-a      elastic-operator                                  2024-05-14T12:45:20Z
namespace-b      elastic-operator                                  2024-05-14T12:45:20Z

@thbkrkr thbkrkr added >non-issue and removed >bug Something isn't working >docs Documentation labels May 14, 2024

kfox1111 commented May 14, 2024

Here's a bit of pseudocode, as each cluster is a little different, but it should give you the general idea. If not, please let me know and I can try to make an even more concrete example.

# As cluster admin: mint a client certificate for user "foo" and grant it only the
# built-in admin ClusterRole, bound inside its own namespace
kubeadm kubeconfig user --client-name=foo > foo.kubeconfig
kubectl create namespace foo
kubectl create rolebinding admin -n foo --clusterrole=admin --user=foo

# Switch to the namespace-admin identity
export KUBECONFIG=foo.kubeconfig

# Install the operator restricted to that namespace, with every cluster-scoped
# resource disabled (managedNamespaces is a list in the chart, hence the braces)
helm upgrade --install --version 2.12.1 -n foo eck-operator eck-operator \
  --repo https://helm.elastic.co \
  --set 'managedNamespaces={foo}' \
  --set installCRDs=false \
  --set createClusterScopedResources=false \
  --set webhook.enabled=false \
  --set config.validateStorageClass=false
