Permission denied when using namespaced Role and Rolebinding #304

@kenwjiang

Description

I'm trying to set up namespace-specific Kubernetes auth + secrets, but I have noticed that creating a role with the same permissions as the two cluster roles + rolebindings of the VSO controller does not work if the role is a namespaced Role. It does work when I create a cluster role and bind it to the namespace + service account.

We're using the Kubernetes Auth backend in Vault.

EKS Cluster version: 1.30.0
VSO app version: 0.9.1

Here's my definition:

```yaml
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: test
spec:
  destination:
    create: true
    overwrite: true
    name: test
  mount: secret
  path: kejiang-vso-test
  type: kv-v1
  refreshAfter: 5s
  rolloutRestartTargets:
  - name: kejiang-vso-test
    kind: Deployment
  vaultAuthRef: kejiang-vso-test-dev-vault-auth
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: kejiang-vso-test-dev-vault-auth
spec:
  kubernetes:
    role: {VaultRoleFork8sCluster}
    serviceAccount: kejiang-vso-test
  mount: kubernetes/{cluster}
  method: kubernetes
  vaultConnectionRef: vault-secrets-operator/default
---
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    labels:
      app.kubernetes.io/component: rbac
    name: kejiang-vso-test-dev-vso-role
  rules:
  - apiGroups:
    - ""
    resources:
    - configmaps
    - serviceaccounts
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
    - patch
  - apiGroups:
    - ""
    resources:
    - secrets
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - ""
    resources:
    - serviceaccounts/token
    verbs:
    - create
    - get
    - list
    - watch
  - apiGroups:
    - apps
    resources:
    - daemonsets
    - deployments
    - statefulsets
    verbs:
    - get
    - list
    - patch
    - watch
  - apiGroups:
    - argoproj.io
    resources:
    - rollouts
    verbs:
    - get
    - list
    - patch
    - watch
  - apiGroups:
    - secrets.hashicorp.com
    resources:
    - hcpauths
    - hcpvaultsecretsapps
    - secrettransformations
    - vaultauthglobals
    - vaultauths
    - vaultconnections
    - vaultdynamicsecrets
    - vaultpkisecrets
    - vaultstaticsecrets
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - secrets.hashicorp.com
    resources:
    - hcpauths/finalizers
    - hcpvaultsecretsapps/finalizers
    - secrettransformations/finalizers
    - vaultauthglobals/finalizers
    - vaultauths/finalizers
    - vaultconnections/finalizers
    - vaultdynamicsecrets/finalizers
    - vaultpkisecrets/finalizers
    - vaultstaticsecrets/finalizers
    verbs:
    - update
  - apiGroups:
    - secrets.hashicorp.com
    resources:
    - hcpauths/status
    - hcpvaultsecretsapps/status
    - secrettransformations/status
    - vaultauthglobals/status
    - vaultauths/status
    - vaultconnections/status
    - vaultdynamicsecrets/status
    - vaultpkisecrets/status
    - vaultstaticsecrets/status
    verbs:
    - get
    - patch
    - update
  - apiGroups:
    - authentication.k8s.io
    resources:
    - tokenreviews
    verbs:
    - create
  - apiGroups:
    - authorization.k8s.io
    resources:
    - subjectaccessreviews
    verbs:
    - create
kind: List
metadata:
  resourceVersion: ""
---
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: kejiang-vso-test-dev-vso-rolebinding
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: kejiang-vso-test-dev-vso-role
  subjects:
  - kind: ServiceAccount
    name: kejiang-vso-test
    namespace: kejiang-vso-test-dev
```

Does VSO require a ClusterRole + RoleBinding for the service account to authenticate to Vault?
The idea is that we want to have each namespace be only able to auth into their Vault paths rather than a cluster role, as the application service accounts update and change regularly.

I'm deploying this using Helm into ArgoCD.
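Before concluding that a ClusterRole is needed, a practitioner would want two checks: which rules in the posted Role can never take effect through a RoleBinding (a namespaced Role only grants access to namespaced resources inside its own namespace, so rules naming cluster-scoped resources such as `tokenreviews` and `subjectaccessreviews` are dead weight there), and what the bound service account can actually do, verified with `kubectl auth can-i` impersonation rather than inferred from the manifest. The script below is an added example, not code from the issue or from the Vault Secrets Operator project; the rule list is a constructed subset of the posted Role, and the cluster-scoped set is an assumed subset of what `kubectl api-resources --namespaced=false` reports on a stock cluster. It never calls the cluster itself; it only emits the `kubectl` commands to run.

```python
"""Lint a namespaced Role and emit effective-permission checks.

Added example (not VSO or issue-author code). Assumes:
  - ROLE_RULES is a subset of the Role posted in the issue;
  - CLUSTER_SCOPED is an assumed subset of cluster-scoped resources
    (extend it from `kubectl api-resources --namespaced=false`).
"""
from itertools import product

# Resources whose objects are cluster-scoped. A namespaced Role can only
# grant namespaced resources within its own namespace, so a rule naming one
# of these has no effect when bound through a RoleBinding.
CLUSTER_SCOPED = {
    ("authentication.k8s.io", "tokenreviews"),
    ("authorization.k8s.io", "subjectaccessreviews"),
}

# Constructed subset of the rules from the Role in the issue.
ROLE_RULES = [
    {"apiGroups": [""], "resources": ["configmaps", "serviceaccounts"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"],
     "verbs": ["create", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"],
     "verbs": ["create"]},
    {"apiGroups": ["authorization.k8s.io"], "resources": ["subjectaccessreviews"],
     "verbs": ["create"]},
]


def expand(rules):
    """Flatten RBAC rules into (apiGroup, resource, verb) triples."""
    triples = []
    for rule in rules:
        for group, resource, verb in product(
            rule["apiGroups"], rule["resources"], rule["verbs"]
        ):
            triples.append((group, resource, verb))
    return triples


def ineffective_in_role(rules):
    """Triples a namespaced Role cannot grant because the resource is cluster-scoped."""
    return [t for t in expand(rules) if (t[0], t[1]) in CLUSTER_SCOPED]


def can_i_commands(rules, namespace, service_account):
    """Build `kubectl auth can-i` checks that impersonate the bound service account.

    Namespaced resources are checked inside the namespace; cluster-scoped ones
    without a namespace flag, which is how the API server evaluates them.
    """
    subject = f"system:serviceaccount:{namespace}:{service_account}"
    commands = []
    for group, resource, verb in expand(rules):
        target = f"{resource}.{group}" if group else resource
        scope = "" if (group, resource) in CLUSTER_SCOPED else f" -n {namespace}"
        commands.append(f"kubectl auth can-i {verb} {target}{scope} --as={subject}")
    return commands


if __name__ == "__main__":
    for group, resource, verb in ineffective_in_role(ROLE_RULES):
        print(f"WARN: Role rule '{verb} {resource}.{group}' cannot take effect "
              "in a namespaced Role (cluster-scoped resource)")
    print("# run these against the cluster to see the effective permissions:")
    for cmd in can_i_commands(ROLE_RULES, "kejiang-vso-test-dev", "kejiang-vso-test"):
        print(cmd)
```

Each emitted command answers `yes` or `no` for exactly one verb/resource pair, so a `no` on a resource the reconciler needs points at the missing grant rather than at Vault. Running the same commands while impersonating the operator's own service account in `vault-secrets-operator` shows whether the permission gap is on the application side or the controller side.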
