Unable to add secretproviderclasses for propagation through HNC


Geo P.C.

Dec 24, 2020, 6:16:36 AM
to kubernetes-wg-multitenancy, Adrian Ludwin, Yiqi Gao
Hi Team

We are using HNC with HierarchyConfiguration to define the hierarchy between different namespaces.

We defined secretproviderclasses and tried to propagate them with HNC.

root@geo:~# kubectl get secretproviderclasses --all-namespaces
NAMESPACE   NAME             AGE
sre        vault-database   50m


When we try to execute the following command, we get an error.

root@geo:~# kubectl hns config set-resource secretproviderclasses --mode Propagate
Could not update the HNC Configuration: admission webhook "hncconfigurations.hnc.x-k8s.io" denied the request: Cannot find the secretproviderclasses in the apiserver with error: Resource "secretproviderclasses" not found


We checked that secretproviderclasses is listed under resources.

root@geo:~# kubectl api-resources | grep secrets
secrets                                                                             true         Secret
secretproviderclasses                                secrets-store.csi.x-k8s.io     true         SecretProviderClass
secretproviderclasspodstatuses                       secrets-store.csi.x-k8s.io     true         SecretProviderClassPodStatus



We tried the same for secrets and it is working fine.

root@geo:~# kubectl hns config describe
Synchronized resources:
* Propagating: secrets (/v1)
* Propagating: rolebindings (rbac.authorization.k8s.io/v1)
* Propagating: roles (rbac.authorization.k8s.io/v1)

Conditions:


Can you please let me know why it's not working for secretproviderclasses and whether anything further is needed to fix this?

Thanks
Geo PC

Adrian Ludwin

Dec 24, 2020, 1:53:26 PM
to Geo P.C., kubernetes-wg-multitenancy, Yiqi Gao
Thanks for the report! The plugin requires the `--group` flag for any resource that's not part of the core API. Adding `--group secrets-store.csi.x-k8s.io` should fix the problem. But now that I think about it, we should probably have a way to figure that out if it's omitted.

Can you please let me know if this works? Thanks!
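
An added example, not part of the original thread or the HNC project's code: one way to look up the API group before calling the plugin, so that `--group` is not omitted for a non-core resource. It assumes the input is the output of `kubectl api-resources -o name`; the function names and the sample list are constructed for illustration.

```bash
# Input format (assumption): lines as printed by `kubectl api-resources -o name`,
# i.e. "<resource>.<group>", or just "<resource>" for the core API group.

# Constructed sample of that output, matching the resources in this thread.
SAMPLE_API_RESOURCES='secrets
rolebindings.rbac.authorization.k8s.io
roles.rbac.authorization.k8s.io
secretproviderclasses.secrets-store.csi.x-k8s.io
secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io'

# hnc_group_for RESOURCE   (hypothetical helper; reads the name list on stdin)
# Prints the API group (empty line for core).
# Returns 1 if the resource is not listed, 2 if it exists in several groups.
hnc_group_for() {
  local want="$1" line name group found=0 result=""
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    name="${line%%.*}"                      # text before the first dot
    if [ "$name" = "$line" ]; then group=""; else group="${line#*.}"; fi
    [ "$name" = "$want" ] || continue
    if [ "$found" -eq 1 ] && [ "$group" != "$result" ]; then
      echo "ambiguous: $want exists in more than one API group" >&2
      return 2
    fi
    found=1; result="$group"
  done
  [ "$found" -eq 1 ] || { echo "resource not found: $want" >&2; return 1; }
  printf '%s\n' "$result"
}

# hnc_set_resource_cmd RESOURCE MODE   (hypothetical helper; name list on stdin)
# Prints the plugin command to run; it does not execute anything.
hnc_set_resource_cmd() {
  local resource="$1" mode="$2" group
  group="$(hnc_group_for "$resource")" || return $?
  if [ -n "$group" ]; then
    printf 'kubectl hns config set-resource %s --mode %s --group %s\n' \
      "$resource" "$mode" "$group"
  else
    printf 'kubectl hns config set-resource %s --mode %s\n' "$resource" "$mode"
  fi
}

# Against a live cluster:
#   kubectl api-resources -o name | hnc_set_resource_cmd secretproviderclasses Propagate
```

The ambiguous case is refused rather than guessed, because a resource name that appears in more than one group would otherwise change propagation for the wrong type.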

Geo P.C.

Dec 28, 2020, 12:06:52 AM
to Adrian Ludwin, kubernetes-wg-multitenancy, Yiqi Gao
Hi Adrian, I was out on vacation.

I checked this option and it is working fine.

root@geo:~# kubectl hns config set-resource secretproviderclasses --mode Propagate --group secrets-store.csi.x-k8s.io

root@geo:~# kubectl hns config describe
Synchronized resources:
* Propagating: secrets (/v1)
* Propagating: rolebindings (rbac.authorization.k8s.io/v1)
* Propagating: roles (rbac.authorization.k8s.io/v1)
* Propagating: secretproviderclasses (secrets-store.csi.x-k8s.io/v1alpha1)

Thanks a lot. Happy New Year!!!



Adrian Ludwin

Jan 5, 2021, 2:47:06 PM
to kubernetes-wg-multitenancy
Great to hear. I've filed https://github.com/kubernetes-sigs/multi-tenancy/issues/1336 to consider improving this in the future.

Happy new year!
