Commit ec55125
fix(rbac): grant compute-manager hub access to secrets and configmaps for referenced-data
The Karmada hub ClusterRole bound to
`system:serviceaccount:compute-system:compute-manager` granted access to
namespaces, compute.datumapis.com, policy.karmada.io, cluster.karmada.io,
work.karmada.io and config.karmada.io, but not to core Secrets or ConfigMaps.
The referenced-data resolver (internal/controller/referenceddata_controller.go)
runs on the management plane and materializes "companion" copies of the
ConfigMaps/Secrets a Workload references into the project's `ns-<project-uid>`
namespace on the hub (labeled `compute.datumapis.com/referenced-data=true`),
which a PropagationPolicy then propagates to the cells. The companion writer
issues Get/Create/Update/Delete against core Secrets and ConfigMaps on the hub.
Without this rule the resolver fails with, e.g.:
referenceddata: get companion Secret "...": secrets "..." is forbidden:
User "system:serviceaccount:compute-system:compute-manager" cannot get
resource "secrets" in API group "" in the namespace "ns-<project-uid>"
The companion is therefore never created, propagation silently never happens,
and instances surface MandatorySecretNotFound.
Add a single rule granting the core API group ("") verbs
get/list/watch/create/update/patch/delete on secrets and configmaps only.
Scope is limited to these two resources to match exactly what the resolver
reads (Get) and the lifecycle it owns (Create/Update/Delete; list/watch back
the informer cache).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 034ba21 commit ec55125
1 file changed
Lines changed: 7 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
9 | 16 | | |
10 | 17 | | |
11 | 18 | | |
| |||
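Review bot: the seven added lines land in the hub ClusterRole named in the message, so the secrets/configmaps grant is cluster-wide on the hub rather than limited to the project's `ns-<project-uid>` namespaces that the resolver actually writes to; ClusterRole rules cannot be namespace-scoped, so either bind this rule per project namespace via a Role/RoleBinding created alongside the namespace, or state explicitly in the message (and in a comment next to the rule) that compute-manager can now read every Secret on the hub and why that is acceptable. Separately, the message justifies get/list/watch/create/update/delete but also grants `patch` without naming a caller that needs it; drop it from the verb list or add the justification so the rule stays as tight as the message claims.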