I am trying to deploy a Kubernetes app to the marketplace using mpdev, as instructed here.
I have added a schema.yaml and an Application YAML file, built a Helm deploy image, and pushed it to the repo. When I try to deploy using
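# Install the application through the deployer image; the release name and
# target namespace are passed as one JSON --parameters value.
# The image reference is double-quoted so that an empty or space-containing
# REGISTRY/APP_NAME cannot split the argument.
mpdev install \
  --deployer="$REGISTRY/$APP_NAME/deployer" \
  --parameters='{"name": "test-deployment", "namespace": "test-ns"}'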
I get permission-related errors:
Name: "test-deployment-consul-sync-catalog", Namespace: "" Object: &{map["apiVersion":"rbac.authorization.k8s.io/v1" "kind":"ClusterRole" "metadata":map["annotations":map"kubectl.kubernetes.io/last-applied-configuration":"" "labels":map"app":"consul" "app.kubernetes.io/name":"test-deployment" "chart":"consul-helm" "heritage":"Helm" "release":"test-deployment" "name":"test-deployment-consul-sync-catalog"] "rules":[map["apiGroups":"" "resources":"services" "endpoints" "verbs":"get" "list" "watch" "update" "patch" "delete" "create"] map["apiGroups":"" "resources":"nodes" "verbs":"get"]]]} from server for: "/data/resources.yaml": clusterroles.rbac.authorization.k8s.io "test-deployment-consul-sync-catalog" is forbidden: User "system:serviceaccount:test-ns:test-deployment-deployer-sa" cannot get resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope Error from server (Forbidden): error when retrieving current configuration of: Resource: "rbac.authorization.k8s.io/v1, Resource=clusterroles", GroupVersionKind: "rbac.authorization.k8s.io/v1, Kind=ClusterRole"
Role:
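---
# Namespaced Role created by the chart in the release namespace.
#
# NOTE(review): the single rule below allows every verb on every resource in
# every API group inside this namespace. That includes reading Secrets and
# editing Roles/RoleBindings, so any bound account is effectively a namespace
# admin. Narrow it to the resources and verbs the workloads actually use.
#
# A Role is namespace-scoped, so even with wildcards it cannot authorize
# access to cluster-scoped objects such as ClusterRole. A denial of the form
# 'cannot get resource "clusterroles" ... at the cluster scope' needs a
# ClusterRole bound through a ClusterRoleBinding instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  # Templated values are quoted so an unusual release name or namespace
  # (for example an all-digit one) still renders as a YAML string.
  name: "{{ .Release.Name }}-modify-pods"
  namespace: "{{ .Release.Namespace }}"
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]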
RoleBinding:
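---
# Binds the "<release>-modify-pods" Role to three service accounts in the
# release namespace: the controller, the deployer and the app account.
#
# NOTE(review): a RoleBinding to a Role grants rights only inside this
# namespace, so it cannot give the deployer account access to cluster-scoped
# resources such as ClusterRole.
# NOTE(review): this binding is part of the chart, so presumably the deployer
# account applies it itself and needs its own permissions before that point.
# The deployer's permissions are presumably declared in schema.yaml rather
# than in chart templates; confirm against the marketplace tools schema docs.
# NOTE(review): the "<release>-deployer-sa" account is not declared in the
# ServiceAccount manifests shown on this page; presumably mpdev creates it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "{{ .Release.Name }}-modify-pods-to-sa"
  namespace: "{{ .Release.Namespace }}"
subjects:
  - kind: ServiceAccount
    name: "{{ .Release.Name }}-controller"
    namespace: "{{ .Release.Namespace }}"
  - kind: ServiceAccount
    name: "{{ .Release.Name }}-deployer-sa"
    namespace: "{{ .Release.Namespace }}"
  - kind: ServiceAccount
    name: "{{ .Release.Name }}-app"
    namespace: "{{ .Release.Namespace }}"
roleRef:
  kind: Role
  name: "{{ .Release.Name }}-modify-pods"
  apiGroup: rbac.authorization.k8s.io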
Service Accounts:
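---
# Service account for the controller workload; one of the three subjects of
# the "<release>-modify-pods-to-sa" RoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "{{ .Release.Name }}-controller"
  namespace: "{{ .Release.Namespace }}"
---
# Service account for the app workload. The "---" separator above keeps this
# a separate document: without it the repeated apiVersion/kind/metadata keys
# collide and most parsers silently keep only the last set.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "{{ .Release.Name }}-app"
  namespace: "{{ .Release.Namespace }}"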