ClusterRole mismatching between calico v3.25.2 and v3.26.x or above #8825

Closed
hadi2f244 opened this issue May 15, 2024 · 2 comments

@hadi2f244

Comparing the Calico v3.26.0 manifest with v3.25.2 shows this difference:

# Source: calico/templates/calico-node-rbac.yaml
# Include a clusterrole for the calico-node DaemonSet,
# and bind it to the calico-node serviceaccount.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-node
rules:
  # Used for creating service account tokens to be used by the CNI plugin
  - apiGroups: [""]
    resources:
      - serviceaccounts/token
    resourceNames:
      - calico-cni-plugin  <--> calico-node
    verbs:
      - create

Possible Solution

Merging this part of manifests:

# Source: calico/templates/calico-node-rbac.yaml
# Include a clusterrole for the calico-node DaemonSet,
# and bind it to the calico-node serviceaccount.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-node
rules:
  # Used for creating service account tokens to be used by the CNI plugin
  - apiGroups: [""]
    resources:
      - serviceaccounts/token
    resourceNames:
      - calico-cni-plugin
      - calico-node
    verbs:
      - create

Your Environment

  • Calico v3.25.2 and v3.26.0

@caseydavenport
Member

This is intentional - Calico v3.26 and above does not allow calico/node to create tokens for itself. We removed that permission as part of a security improvement.

When installing Calico, you need to make sure that you are using the manifests / RBAC that are associated with the version you are trying to install.
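
Added example, not part of the issue thread or Calico's own code: a check that reads a calico-node ClusterRole and reports whether it can still create tokens for its own service account, the permission described above as removed in v3.26. The function names and sample roles are constructed for illustration and assume the JSON shape returned by `kubectl get clusterrole calico-node -o json`.

```python
def token_targets(cluster_role):
    """Return the service accounts this ClusterRole may create tokens for.
    The entry '*' means any service account."""
    targets = set()
    for rule in cluster_role.get("rules") or []:
        groups = rule.get("apiGroups") or []
        resources = rule.get("resources") or []
        verbs = rule.get("verbs") or []
        # RBAC matching: "*" matches anything, "*/token" matches the token
        # subresource of any resource; serviceaccounts are in the core group "".
        if "*" not in groups and "" not in groups:
            continue
        if not {"*", "*/token", "serviceaccounts/token"} & set(resources):
            continue
        if "*" not in verbs and "create" not in verbs:
            continue
        # A matching rule with no resourceNames is not restricted by name.
        targets.update(rule.get("resourceNames") or ["*"])
    return targets


def can_mint_own_token(cluster_role, own_sa="calico-node"):
    """True if the role lets its own service account create tokens for itself."""
    targets = token_targets(cluster_role)
    return "*" in targets or own_sa in targets


def sample_role(names):
    """Constructed sample with the rule shape quoted in the issue.
    Real input would be json.load() of the kubectl output."""
    return {"kind": "ClusterRole", "metadata": {"name": "calico-node"},
            "rules": [{"apiGroups": [""],
                       "resources": ["serviceaccounts/token"],
                       "resourceNames": list(names),
                       "verbs": ["create"]}]}


if __name__ == "__main__":
    cases = [("v3.26-style rule", ["calico-cni-plugin"]),
             ("merged rule proposed in the issue",
              ["calico-cni-plugin", "calico-node"])]
    for label, names in cases:
        role = sample_role(names)
        print(f"{label}: targets={sorted(token_targets(role))} "
              f"self-mint={can_mint_own_token(role)}")
```

Run against a live cluster's role after an upgrade, a `self-mint=True` result indicates that RBAC from an older manifest (or a merged rule like the one proposed above) is still applied.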

@hadi2f244
Author

hadi2f244 commented May 16, 2024

Thanks a lot. This issue is related to Kubespray and should be fixed. I will follow up there.
