For this we added the following additional RBAC rules for the cleanup controller to the Helm chart values:
```yaml
cleanupController:
  rbac:
    clusterRole:
      extraResources:
        - apiGroups:
            - ''
          resources:
            - secrets
          verbs:
            - get
            - list
        - apiGroups:
            - ''
          resources:
            - secrets
          resourceNames:
            - test-secret
          verbs:
            - get
            - list
            - delete
```
The attempted creation of the new CleanupPolicy results in an error of the admission webhook:
admission webhook "kyverno-cleanup-controller.kyverno.svc" denied the request: cleanup controller has no permission to delete kind Secret
We were only able to create the CleanupPolicy after giving the cleanup controller permissions for `delete` on every Secret.
Note that we add `get` and `list` verbs on both rules though this might not be necessary.
We are also unsure whether there might be a discrepancy between the admission webhook validation and the actual requested permissions for the cleanup controller.
Steps to reproduce
1. Add RBAC rules to cleanup controller as described above
2. Try to apply CleanupPolicy as described above
Expected behavior
CleanupPolicy is successfully applied and is able to delete the given Secret specified by resource name.
I have searched other issues in this repository and mine is not recorded.
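Added example, not part of the original issue and not Kyverno's code: a minimal Go model of how Kubernetes RBAC matches `resourceNames`, applied to the two rules from the Helm values above. It shows that a permission check for `delete` on `secrets` that carries no object name is not satisfied by the `test-secret` rule; whether the webhook's check has that form is an assumption this page does not confirm. The type and function names are hypothetical, and `*` wildcards are not modelled.

```go
package main

import "fmt"

// PolicyRule holds the RBAC rule fields that appear in the Helm values above.
type PolicyRule struct {
	APIGroups, Resources, ResourceNames, Verbs []string
}

// Request is a simplified authorization question. Name is empty when the
// caller asks about the resource kind rather than one named object.
type Request struct {
	Verb, APIGroup, Resource, Name string
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// ruleAllows follows Kubernetes RBAC matching: a rule without resourceNames
// covers every object, a rule with resourceNames only covers a request that
// names one of them, so a request with an empty Name never matches it.
func ruleAllows(r PolicyRule, q Request) bool {
	return contains(r.Verbs, q.Verb) && contains(r.APIGroups, q.APIGroup) &&
		contains(r.Resources, q.Resource) &&
		(len(r.ResourceNames) == 0 || contains(r.ResourceNames, q.Name))
}

// Allowed reports whether any rule authorizes the request.
func Allowed(rules []PolicyRule, q Request) bool {
	for _, r := range rules {
		if ruleAllows(r, q) {
			return true
		}
	}
	return false
}

// IssueRules returns the two extraResources rules from the issue.
func IssueRules() []PolicyRule {
	return []PolicyRule{
		{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get", "list"}},
		{APIGroups: []string{""}, Resources: []string{"secrets"}, ResourceNames: []string{"test-secret"}, Verbs: []string{"get", "list", "delete"}},
	}
}

func main() {
	for _, name := range []string{"test-secret", "", "other-secret"} {
		q := Request{Verb: "delete", Resource: "secrets", Name: name}
		fmt.Printf("delete secrets name=%q allowed=%v\n", name, Allowed(IssueRules(), q))
	}
}
```

On a live cluster the same two questions can be put to the API server as SubjectAccessReviews for the cleanup controller's service account, once with a resource name and once without.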
steadyk added the bug and triage labels on May 7, 2024.
MariamFahmy98 added the cleanup label and removed the triage label on May 8, 2024.
Kyverno Version
1.11.4
Kubernetes Version
1.28.x
Kubernetes Platform
KinD
Kyverno Rule Type
Cleanup
Description
We tried to add the following CleanupPolicy to delete a certain Secret periodically: