OpenShift role to create a quota

10/20/2019

I am trying to create a quota on the namespace I create.

Here is my code:

package controller // hypothetical package name; the question does not show it

import (
    userv1 "github.com/openshift/api/user/v1"
    corev1 "k8s.io/api/core/v1"
    "k8s.io/apimachinery/pkg/api/resource"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// newQuotaForUser builds the ResourceQuota for the user's sandbox namespace
// (<user>-sbx), capping CPU, memory and total storage requests.
func newQuotaForUser(cr *userv1.User) *corev1.ResourceQuota {
    labels := map[string]string{
        "env":  "sandbox",
        "size": "personalsandbox",
    }
    hard := corev1.ResourceList{
        "cpu":              resource.MustParse("2"),
        "memory":           resource.MustParse("12Gi"),
        "requests.storage": resource.MustParse("10Gi"),
    }
    return &corev1.ResourceQuota{
        ObjectMeta: metav1.ObjectMeta{
            Name:      "personalsandbox",
            Namespace: cr.Name + "-sbx",
            Labels:    labels,
        },
        Spec: corev1.ResourceQuotaSpec{
            Hard: hard,
        },
    }
}

When I run this locally and log in to minishift using the admin account, I see the quota is being created. However, I am trying to create a service account with the correct role and role binding to create the quota.

Here is my role.yaml that I thought would give the service account permissions to create a quota:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: onboarding-manager
rules:
- apiGroups:
  - ""
  - user.openshift.io
  attributeRestrictions: null
  resources:
  - groups
  - identities
  - useridentitymappings
  - users
  - users/finalizers
  - quota
  - resourcequotas
  verbs:
  - get
  - list
  - watch
  - update
  - create
- apiGroups:
  - ""
  resources:
  - namespaces
  - quota
  - resourcequotas
  verbs:
  - get
  - list
  - create
  - update
  - watch
  - delete
- apiGroups:
  - authorization.openshift.io/v1
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - quota
  - resourcequotas
  verbs:
  - create
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: onboarding-manager
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - quota
  - resourcequotas
  verbs:
  - "*"
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  - quota
  - resourcequotas
  verbs:
  - "*"
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - "get"
  - "create"
- apiGroups:
  - apps
  resources:
  - deployments/finalizers
  resourceNames:
  - onboarding-manager
  verbs:
  - "update"

This is what I see in the logs:

Verbs:["watch"]} PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["create"]} PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["delete"]} PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["deletecollection"]} PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["get"]} PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["list"]} PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["patch"]} PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["update"]} PolicyRule{APIGroups:["build.openshift.io"], Resources:["buildlogs"], Verbs:["watch"]} PolicyRule{APIGroups:[""], Resources:["resourcequotausages"], Verbs:["get"]} PolicyRule{APIGroups:[""], Resources:["resourcequotausages"], Verbs:["list"]} PolicyRule{APIGroups:[""], Resources:["resourcequotausages"], Verbs:["watch"]} PolicyRule{APIGroups:[""], Resources:["resourceaccessreviews"], Verbs:["create"]} PolicyRule{APIGroups:[""], Resources:["subjectaccessreviews"], Verbs:["create"]} PolicyRule{APIGroups:["authorization.openshift.io"], Resources:["resourceaccessreviews"], Verbs:["create"]} PolicyRule{APIGroups:["authorization.openshift.io"], Resources:["subjectaccessreviews"], Verbs:["create"]}] user=&{system:serviceaccount:onboarding-manager:onboarding-manager a602b37b-f371-11e9-99cd-fe91ac5e87c0 [system:serviceaccounts system:serviceaccounts:onboarding-manager system:authenticated] map[]} ownerrules=[PolicyRule{APIGroups:["" "user.openshift.io"], Resources:["users"], ResourceNames:["~"], Verbs:["get"]} PolicyRule{APIGroups:["" "project.openshift.io"], Resources:["projectrequests"], Verbs:["list"]} PolicyRule{APIGroups:["" "authorization.openshift.io"], Resources:["clusterroles"], Verbs:["get" "list"]}
PolicyRule{APIGroups:["rbac.authorization.k8s.io"]
-- Chris Bolton
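As an added illustration (not the asker's code, and not a client-go API), the following stand-alone Go program models how RBAC scopes a namespaced Role against a cluster-wide ClusterRole when the operator's service account asks to create a resourcequota in a user's sandbox namespace. The target namespace alice-sbx is a constructed value, the operator namespace onboarding-manager is taken from the log above, and the matcher is a simplification that ignores resourceNames, subresources and non-resource URLs.

```go
package main

import "fmt"

// Rule holds the PolicyRule fields that matter here.
type Rule struct{ APIGroups, Resources, Verbs []string }

// Binding is a set of rules plus the scope they were bound in: "" for a
// ClusterRole via ClusterRoleBinding, else the namespace of a Role/RoleBinding.
type Binding struct {
	Namespace string
	Rules     []Rule
}

// Request is one "can I <verb> <resource> of <group> in <namespace>?" question.
type Request struct{ Namespace, APIGroup, Resource, Verb string }

func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allowed mirrors RBAC's additive evaluation (simplified: no resourceNames,
// subresources or non-resource URLs): granted if any rule in any binding that
// covers the target namespace matches group, resource and verb exactly.
func Allowed(bindings []Binding, r Request) bool {
	for _, b := range bindings {
		if b.Namespace != "" && b.Namespace != r.Namespace {
			continue // a Role/RoleBinding never reaches another namespace
		}
		for _, rule := range b.Rules {
			if matches(rule.APIGroups, r.APIGroup) && matches(rule.Resources, r.Resource) && matches(rule.Verbs, r.Verb) {
				return true
			}
		}
	}
	return false
}
// QuotaRule is the core-group resourcequotas rule from the question's manifests.
var QuotaRule = Rule{APIGroups: []string{""}, Resources: []string{"resourcequotas"}, Verbs: []string{"get", "list", "create", "update", "watch", "delete"}}
func main() { // constructed scenario: operator in onboarding-manager, target alice-sbx
	want := Request{Namespace: "alice-sbx", Resource: "resourcequotas", Verb: "create"}
	fmt.Println("Role in operator namespace only:", Allowed([]Binding{{Namespace: "onboarding-manager", Rules: []Rule{QuotaRule}}}, want)) // false
	fmt.Println("ClusterRole via ClusterRoleBinding:", Allowed([]Binding{{Rules: []Rule{QuotaRule}}}, want))                                // true
}
```

The same question can be put to a live cluster with `oc auth can-i create resourcequotas -n <namespace> --as=system:serviceaccount:onboarding-manager:onboarding-manager`, which is the check to run before reading escalation logs like the one above.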
kubernetes
openshift
operator-sdk
operators
rbac

0 Answers