This repository has been archived by the owner on Oct 10, 2023. It is now read-only.
fix providerServiceAccountRBACRules to remove ResourceNames #4618
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The issue is that Antrea addon controller needs to create a ClusterRole to allow tkg controllers to read all NSXServiceAccount CRs, however, the Antrea addon controller wrongly adds the specific NSXServiceAccount name (instead of all) restriction to the permission. This only allows the tkg controllers to read a specific NSXServiceAccount instead all NSXServiceAccounts. So if the Cluster is created one by one, customer will not hit this bug. For each cluster, Antrea addon controller updates the ClusterRole with the current NSXServiceAccount name for the current Cluster. If the Clusters are created in batch, all controllers need to process Clusters in parallel, chances are Antrea addon controller specifies a specific NSXServiceAccount name for Cluster A, but tkg controllers are processing Cluster B, then tkg controllers will fail to read NSXServiceAccount. Signed-off-by: Bin Liu <biliu@vmware.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it
Which issue(s) this PR fixes
Fixes #
The issue is that Antrea addon controller needs to create a ClusterRole to allow tkg controllers
to read all NSXServiceAccount CRs, however, the Antrea addon controller wrongly adds the specific
NSXServiceAccount name (instead of all) restriction to the permission. This only allows the
tkg controllers to read a specific NSXServiceAccount instead all NSXServiceAccounts.
Describe testing done for PR
Release note
Additional information
Special notes for your reviewer