Tags: kubernetes, terraform, rbac, rancher

Granting events view permission in terraform


We have local Kubernetes clusters that are managed by Rancher, and we use Terraform to keep our configuration in code. However, I cannot seem to grant my group devops permission to view events in the clusters.

These are the role and role binding:

# Role template: a Rancher-level role whose rules are pushed down to the
# cluster as a ClusterRole (rt-<id>).
resource "rancher2_role_template" "events-view" {
  name        = "Cluster Events View"
  description = "Terraform role template to see cluster events"
  rules {
    api_groups = ["*"]
    resources  = ["events"]
    # kubectl get events is a list call, so the list verb is required;
    # with only get and watch the API server refuses the request.
    verbs      = ["get", "list", "watch"]
  }
}

# Cluster-level binding of the template to the AD group.
resource "rancher2_cluster_role_template_binding" "events-view" {
  name               = "events-view"
  cluster_id         = rancher2_cluster.rancher_cluster.id
  role_template_id   = rancher2_role_template.events-view.id
  group_principal_id = lookup(var.projects["devops"], "ldap_cn")
  # Already implied by the role_template_id reference above; kept explicitly.
  depends_on = [
    rancher2_role_template.events-view
  ]
}

This is the devops definition:

projects = {
    devops = {
        ldap_cn = "activedirectory_group://CN=devops,OU=Distribution Groups,OU=My,DC=Company",
        name = "devops",
        # ...more attributes
    },
    # ...more projects
}

When I run terraform apply I see that the role and the role binding are created:

rancher2_role_template.events-view: Creating...
rancher2_role_template.events-view: Creation complete after 0s [id=rt-h7xt4]
rancher2_cluster_role_template_binding.events-view: Creating...
rancher2_cluster_role_template_binding.events-view: Creation complete after 2s [id=c-6bdtb:events-view]

kubectl shows the cluster role and role binding (showing for the default namespace, but duplicated across all namespaces as well):

$ kubectl describe clusterrole rt-h7xt4
Name:         rt-h7xt4
Labels:       cattle.io/creator=norman
Annotations:  authz.cluster.cattle.io/clusterrole-owner: rt-h7xt4
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  events.*   []                 []              [get watch]

$ kubectl describe clusterrolebinding clusterrolebinding-hkc9b
Name:         clusterrolebinding-hkc9b
Labels:       authz.cluster.cattle.io/rtb-owner=6f990492-8f60-4950-bb8e-cfa4a9760c01
              cattle.io/creator=norman
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  rt-h7xt4
Subjects:
  Kind   Name                                                                                         Namespace
  ----   ----                                                                                         ---------
  Group  activedirectory_group://CN=devops,OU=Distribution Groups,OU=My,DC=Company

My user is a member of the devops AD group, and in the terraform apply log I can see that the role and binding templates are created, yet when I log into Rancher and click on Launch kubectl I cannot see the events of any namespace:

> kubectl get events 
Error from server (Forbidden): events is forbidden: User "u-w8rp43jtbn" cannot list resource "events" in API group "" in the namespace "default"
> kubectl get events -n devops
Error from server (Forbidden): events is forbidden: User "u-w8rp44jtbn" cannot list resource "events" in API group "" in the namespace "devops"

I've tried putting an empty string in api_groups, and also the Kubernetes and Rancher API groups, but nothing seems to work.


Solution

  • The problem was that I made a cluster role template instead of a project role template. In the rancher2_role_template resource I added context = "project" and changed the rancher2_cluster_role_template_binding to a rancher2_project_role_template_binding.
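The corrected shape of the two resources, as an added example that is not the original poster's code: the role template is given context = "project" and is bound with rancher2_project_role_template_binding instead of the cluster binding. The names rancher2_cluster.rancher_cluster, var.projects and the rancher2_project resource "devops" are assumptions for the illustration; the post only shows the first two being referenced. The rules are also tightened from the question's version: the two API groups that actually contain Event objects are named instead of "*", and the list verb is included because kubectl get events is a list request (the Forbidden message in the question names list, not get).

```hcl
# Added example, not the original poster's code. Names such as
# rancher2_cluster.rancher_cluster, var.projects and the project resource
# "devops" are assumed for illustration.

# Project-scoped role template. context = "project" is what makes Rancher
# accept it in a rancher2_project_role_template_binding.
resource "rancher2_role_template" "events-view" {
  name        = "Project Events View"
  description = "Terraform role template to see events in a project"
  context     = "project"
  rules {
    # Events exist in the core group ("") and in events.k8s.io; naming both is
    # narrower than "*" and still covers kubectl get events.
    api_groups = ["", "events.k8s.io"]
    resources  = ["events"]
    # kubectl get events is a list call, so list is required; get and watch
    # alone produce exactly the Forbidden error shown in the question.
    verbs      = ["get", "list", "watch"]
  }
}

# The Rancher project the binding attaches to (assumed to be managed here).
resource "rancher2_project" "devops" {
  name       = lookup(var.projects["devops"], "name")
  cluster_id = rancher2_cluster.rancher_cluster.id
}

# Project-level binding: the group receives the template's rules in every
# namespace that belongs to this project, and nowhere else.
resource "rancher2_project_role_template_binding" "events-view" {
  name               = "events-view"
  project_id         = rancher2_project.devops.id
  role_template_id   = rancher2_role_template.events-view.id
  group_principal_id = lookup(var.projects["devops"], "ldap_cn")
}
```

Two things to check after apply. First, a project-context template only grants access in namespaces that Rancher has assigned to that project, so events in namespaces outside the devops project remain hidden by design; if cluster-wide visibility is the goal, the binding has to stay at cluster level and the verb list is what needs fixing. Second, verify the effective permission as the affected user with kubectl auth can-i list events -n <namespace> before concluding that the binding is wrong, since that answers the exact question the API server is asking.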