GCP Marketplace deployment using mpdev

10/26/2021

I am trying to deploy the k8s app to the marketplace using mpdev as instructed here.

https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/master/docs/building-deployer-helm.md

I have added a schema.yaml and an Application YAML file. I built a Helm deployer image and pushed it to the repo, and when I try to deploy using

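# Install the application through the deployer image. The expansions are
# quoted so a registry or app name containing spaces or glob characters is
# still passed as a single argument.
mpdev install \
  --deployer="$REGISTRY/$APP_NAME/deployer" \
  --parameters='{"name": "test-deployment", "namespace": "test-ns"}'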

I am facing permission-related errors: the deployer's service account is forbidden from reading a ClusterRole at the cluster scope.

Name: "test-deployment-consul-sync-catalog", Namespace: "" Object: &{map["apiVersion":"rbac.authorization.k8s.io/v1" "kind":"ClusterRole" "metadata":map["annotations":map"kubectl.kubernetes.io/last-applied-configuration":"" "labels":map"app":"consul" "app.kubernetes.io/name":"test-deployment" "chart":"consul-helm" "heritage":"Helm" "release":"test-deployment" "name":"test-deployment-consul-sync-catalog"] "rules":[map["apiGroups":"" "resources":"services" "endpoints" "verbs":"get" "list" "watch" "update" "patch" "delete" "create"] map["apiGroups":"" "resources":"nodes" "verbs":"get"]]]} from server for: "/data/resources.yaml": clusterroles.rbac.authorization.k8s.io "test-deployment-consul-sync-catalog" is forbidden: User "system:serviceaccount:test-ns:test-deployment-deployer-sa" cannot get resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope Error from server (Forbidden): error when retrieving current configuration of: Resource: "rbac.authorization.k8s.io/v1, Resource=clusterroles", GroupVersionKind: "rbac.authorization.k8s.io/v1, Kind=ClusterRole"

Role:

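# Namespaced Role shipped in the chart. A Role only authorizes access inside
# its own namespace, so it cannot grant the cluster-scoped "clusterroles"
# access named in the Forbidden error; that requires a ClusterRole bound with
# a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  # Templated values are quoted so the rendered scalar is always a string,
  # even for an all-digit release name or namespace.
  name: "{{ .Release.Name }}-modify-pods"
  namespace: "{{ .Release.Namespace }}"
rules:
  # NOTE(review): this allows every verb on every resource in every API group
  # of the namespace, which includes Secrets and RBAC objects. List only the
  # resources and verbs the workloads actually need.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]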

RoleBinding:

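# Binds the namespaced "-modify-pods" Role to three service accounts.
# A RoleBinding grants rights only within metadata.namespace, so none of these
# subjects gains access to cluster-scoped objects such as ClusterRoles.
# NOTE(review): presumably this manifest is applied by the deployer itself, in
# which case it cannot widen the deployer's rights before the deployer runs;
# confirm. The Marketplace tools' schema.yaml appears to provide a
# deployerServiceAccount section for declaring deployer roles; verify against
# the schema documentation.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  # Templated values are quoted so the rendered scalar is always a string.
  name: "{{ .Release.Name }}-modify-pods-to-sa"
  namespace: "{{ .Release.Namespace }}"
subjects:
  - kind: ServiceAccount
    name: "{{ .Release.Name }}-controller"
    namespace: "{{ .Release.Namespace }}"
  # Identity reported in the Forbidden error; it is not defined in the
  # ServiceAccount manifests shown with this chart.
  - kind: ServiceAccount
    name: "{{ .Release.Name }}-deployer-sa"
    namespace: "{{ .Release.Namespace }}"
  - kind: ServiceAccount
    name: "{{ .Release.Name }}-app"
    namespace: "{{ .Release.Namespace }}"
roleRef:
  # NOTE(review): all three subjects share one wildcard Role; separate,
  # narrower Roles per service account would limit what a compromised
  # workload pod can do.
  kind: Role
  name: "{{ .Release.Name }}-modify-pods"
  apiGroup: rbac.authorization.k8s.io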

Service Accounts:

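# Service accounts used as RoleBinding subjects. Each manifest is its own YAML
# document; the "---" separators keep them distinct when they share one file
# (without them the second set of keys would collide with the first).
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Templated values are quoted so the rendered scalar is always a string.
  name: "{{ .Release.Name }}-controller"
  namespace: "{{ .Release.Namespace }}"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "{{ .Release.Name }}-app"
  namespace: "{{ .Release.Namespace }}"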
-- RKT
google-apps-marketplace
google-kubernetes-engine
k8s-rolebinding
kubernetes
rbac
