calico-apiserver ServiceAccount is used by other services unexpectedly #8824
Comments
I don't quite understand - are you suggesting that other components are using Calico's service accounts? If so, what evidence do you have? Calico doesn't touch those components at all. I see you also linked to a number of other issues and it's not obvious to me how they are related to this at all.
This just sounds like the Calico API server has been installed incorrectly and hasn't been given the permissions that it needs in order to operate. Likely a problem with the way you have installed Calico.
These are exactly the strange things that happened when I installed a calico-apiserver newer than v3.26.x! Some critical components, like the Kubernetes controller-manager, use the calico-apiserver SA. I completely uninstalled Calico and used v3.26.0 and the APIServer manifest, and right after installing calico-apiserver I saw that some components such as argocd and kube-controller-manager use the calico-apiserver SA. I know it is strange and confusing that kube-controller-manager could use the calico-apiserver SA, but it happens in different scenarios. Right after I downgraded to v3.25.2, it worked normally.
What evidence do you have that other components are using Calico's service accounts? I don't see any evidence of it in this issue so far.
This is what happened for me:
Those are both fixed issues. If you're encountering those issues, then it sounds like your RBAC is wrong. The linked issue has this clear statement in it:
ServiceAccounts in Kubernetes, like the kube-controller-manager SA, are replaced by system:serviceaccount:calico-apiserver:calico-apiserver if calico-apiserver is installed.
Expected Behavior
Each service uses its own service account!
Current Behavior
Possible Solution
As we checked, this issue is observed in the following Calico versions:
But it works great on Calico v3.25.2.
Also, if you uninstall the Calico api-server, everything works great.
Steps to Reproduce (for bugs)
Failed to watch *v1.PartialObjectMetadata: failed to list *v1.PartialObjectMetadata: connection is unauthorized: bgpfilters.crd.projectcalico.org is forbidden: User "system:serviceaccount:calico-apiserver:calico-apiserver" cannot list resource "bgpfilters" in API group "crd.projectcalico.org" at the cluster scope
Context
Related Issues:
Your Environment
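An added example, not part of the issue thread or of Calico's code: the denial quoted under "Steps to Reproduce" names the denied identity, verb, resource and API group, so it can be parsed and checked against a ClusterRole's rules. Both rule lists below are constructed for illustration and are not Calico's shipped manifests; the function names are hypothetical.

```python
import re

# Log line copied from the issue's "Steps to Reproduce" section.
LOG_LINE = ('Failed to watch *v1.PartialObjectMetadata: failed to list '
            '*v1.PartialObjectMetadata: connection is unauthorized: '
            'bgpfilters.crd.projectcalico.org is forbidden: User '
            '"system:serviceaccount:calico-apiserver:calico-apiserver" cannot list '
            'resource "bgpfilters" in API group "crd.projectcalico.org" '
            'at the cluster scope')

# Constructed ClusterRole rules (assumptions, not Calico's manifests).
RULES_WITHOUT_BGPFILTERS = [{"apiGroups": ["crd.projectcalico.org"],
                             "resources": ["bgppeers", "ippools"],
                             "verbs": ["get", "list", "watch"]}]
RULES_WITH_BGPFILTERS = [{"apiGroups": ["crd.projectcalico.org"],
                          "resources": ["bgppeers", "ippools", "bgpfilters"],
                          "verbs": ["get", "list", "watch"]}]

FORBIDDEN_RE = re.compile(
    r'is forbidden: User "(?P<user>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")')

def parse_forbidden(line):
    """Return the denied request as a dict, or None if the line is not an RBAC denial."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        return None
    req = m.groupdict()
    parts = req["user"].split(":")
    # Service account usernames have the form system:serviceaccount:<namespace>:<name>.
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        req["sa_namespace"], req["sa_name"] = parts[2], parts[3]
    return req

def rules_allow(rules, req):
    """True if any rule grants the verb on the resource in the API group ("*" is a wildcard)."""
    def covers(values, wanted):
        return "*" in values or wanted in values
    return any(covers(r.get("verbs", []), req["verb"])
               and covers(r.get("apiGroups", []), req["group"])
               and covers(r.get("resources", []), req["resource"])
               for r in rules)

if __name__ == "__main__":
    req = parse_forbidden(LOG_LINE)
    print(req["user"], req["verb"], req["resource"], req["group"])
    print("granted without bgpfilters rule:", rules_allow(RULES_WITHOUT_BGPFILTERS, req))
    print("granted with bgpfilters rule:   ", rules_allow(RULES_WITH_BGPFILTERS, req))
```

On a live cluster the same question can be asked of the API server with `kubectl auth can-i list bgpfilters.crd.projectcalico.org --as=system:serviceaccount:calico-apiserver:calico-apiserver`.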