Form validation warning when setting up controller in different namespace


Issue

When setting up CloudBees CI with a Controller in a different namespace, form validation for the "namespace" field always displays the warning "Unable to validate. Maybe the deployment lacks read privilege on the given namespace." when you type in a namespace.

This occurs for any namespace whether it exists or not.

  • CPLT2-6962: CJOC controller-management clusterrole needs namespace get, list permission

Resolution

During form validation, the CJOC service account is used to check that the namespace entered in the namespace field on the Managed Controller configuration page exists. This helps prevent attempts to configure a Controller in a non-existent namespace. However, the clusterrole currently deployed for the CJOC service account does not include permission to list and get namespaces, so the check fails and the warning is displayed.

Workaround

The current workaround is to add get and list permissions for namespaces to the clusterrole cjoc-controller-management-cloudbees. This clusterrole is deployed as part of the initial deployment of CBCI and is used to grant the CJOC service account permissions on storage class resources.

  1. Confirm the existence of the clusterrole with the kubectl get clusterrole cjoc-master-management-cloudbees -n $CLOUDBEES-NAMESPACE command.

  2. Edit the clusterrole with the kubectl edit clusterrole cjoc-master-management-cloudbees -n $CLOUDBEES-NAMESPACE command.

  3. Add the rules below to the clusterrole:

- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list

  4. Confirm the permissions were added correctly. If properly done, the output of kubectl get clusterrole cjoc-master-management-cloudbees -n $CLOUDBEES-NAMESPACE should look like below.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: cloudbees
    meta.helm.sh/release-namespace: cloudbees
  creationTimestamp: "2020-12-22T07:55:36Z"
  labels:
    app.kubernetes.io/instance: cloudbees
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: cloudbees-core
    helm.sh/chart: cloudbees-core-3.20.0_7393ca8fd6d0
  name: cjoc-master-management-cloudbees
  resourceVersion: "10616366"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cjoc-master-management-cloudbees
  uid: 134a85be-442b-11eb-a8c0-0233ecf47d44
rules:
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
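
The check below is an added example, not CloudBees code: it evaluates a clusterrole's rules the way RBAC matching does (including "*" wildcards) to confirm the workaround grants get and list on namespaces and nothing broader. The BEFORE and AFTER documents are constructed from the rules shown on this page, in the JSON shape of kubectl get clusterrole -o json; the function names are hypothetical.

```python
import json

# Constructed sample: the "rules" section of the clusterrole before and after
# the workaround, in the JSON shape `kubectl get clusterrole <name> -o json` emits.
BEFORE = json.loads("""{"rules": [
  {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get", "list"]}
]}""")
AFTER = json.loads("""{"rules": [
  {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get", "list"]},
  {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]}
]}""")

def _matches(values, wanted):
    """RBAC list match: an entry matches if it equals the wanted value or is '*'."""
    return any(v in ("*", wanted) for v in values or [])

def granted_verbs(role, api_group, resource):
    """Return the set of verbs the role grants on api_group/resource."""
    verbs = set()
    for rule in role.get("rules") or []:
        if rule.get("resourceNames"):
            continue  # name-restricted rules do not cover an arbitrary namespace
        if _matches(rule.get("apiGroups"), api_group) and _matches(rule.get("resources"), resource):
            verbs.update(rule.get("verbs") or [])
    return verbs

def audit_namespace_read(role):
    """Report missing read verbs and any verbs beyond get/list on core namespaces."""
    needed = {"get", "list"}
    have = granted_verbs(role, "", "namespaces")
    missing = set() if "*" in have else needed - have
    return {"missing": sorted(missing), "excess": sorted(have - needed)}

if __name__ == "__main__":
    for label, role in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_namespace_read(role))
```

An empty "missing" list means the form validation check has the read access it needs; a non-empty "excess" list means the clusterrole grants more on namespaces than the workaround calls for.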