Version: Operator 2.1.0

Re-grant RBAC privileges to namespaces

There is a known issue in OLM-based installations (OperatorHub.io and Red Hat OpenShift) where upgrading from version 2.0.0 to 2.1.0 revokes the RBAC permissions required to run Aerospike clusters in Kubernetes namespaces other than the aerospike namespace.

Re-grant the RBAC privileges for each Kubernetes namespace, other than aerospike, that contains Aerospike clusters.

The procedure to re-grant privileges to a Kubernetes namespace ns1 is as follows. Replace ns1 with the name of your namespace.

Create a service account

kubectl -n ns1 create serviceaccount aerospike-operator-controller-manager

If the service account already exists, ignore the resulting error.

Update the operator's ClusterRoleBinding

Next, add this service account to the Operator's ClusterRoleBinding. To do this, run the following command:

kubectl edit clusterrolebindings.rbac.authorization.k8s.io $(kubectl get clusterrolebindings.rbac.authorization.k8s.io  | grep aerospike-kubernetes-operator | grep -v -- "-opera-" | grep -v -- "default-ns" | cut -f 1 -d " ")

This command launches an editor. Append the following lines to the subjects section:

  # A new entry for ns1.
  # Replace ns1 with your namespace
  - kind: ServiceAccount
    name: aerospike-operator-controller-manager
    namespace: ns1

Save and ensure that the changes are applied.

Here is a full example of the Operator's ClusterRoleBinding targeting the ns1 namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2022-06-16T10:48:36Z"
  labels:
    olm.owner: aerospike-kubernetes-operator.v2.1.0
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: test
    operators.coreos.com/aerospike-kubernetes-operator.test: ""
  name: aerospike-kubernetes-operator.v2.1.0-74b946466d
  resourceVersion: "51841234"
  uid: be546dd5-b21e-4cc3-8a07-e2fe5fe5274c
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aerospike-kubernetes-operator.v2.1.0-74b946466d
subjects:
  - kind: ServiceAccount
    name: aerospike-operator-controller-manager
    namespace: operators

  # New entry
  - kind: ServiceAccount
    name: aerospike-operator-controller-manager
    namespace: ns1
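
The procedure above can also be run without the interactive editor. The following is an added example, not part of the Aerospike documentation: it reuses the page's filter to find the binding, refuses to proceed unless exactly one binding matches, and appends the subject only if it is not already present. The function names and the use of `kubectl patch` with a JSON Patch are choices made for this example.

```shell
#!/bin/sh
# Added example (not Aerospike's own script): scripted form of the manual steps.
SA=aerospike-operator-controller-manager

# Reads `kubectl get clusterrolebindings` output on stdin and applies the
# page's filters. Succeeds only when exactly one binding name remains.
select_binding() {
  sb_names=$(grep aerospike-kubernetes-operator | grep -v -- "-opera-" \
    | grep -v -- "default-ns" | cut -f 1 -d " ")
  [ "$(printf '%s\n' "$sb_names" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$sb_names"
}

# Prints a JSON Patch appending one ServiceAccount subject for namespace $1.
# Rejects anything that is not a DNS label, so the value cannot alter the JSON.
subject_patch() {
  case $1 in ''|-*|*-|*[!a-z0-9-]*) return 1 ;; esac
  [ "${#1}" -le 63 ] || return 1
  printf '[{"op":"add","path":"/subjects/-","value":{"kind":"ServiceAccount","name":"%s","namespace":"%s"}}]\n' "$SA" "$1"
}

# Creates the service account if missing, then binds it unless already bound.
regrant() {
  ns=$1
  patch=$(subject_patch "$ns") || { echo "invalid namespace: $ns" >&2; return 1; }
  crb=$(kubectl get clusterrolebindings.rbac.authorization.k8s.io | select_binding) \
    || { echo "expected exactly one operator ClusterRoleBinding" >&2; return 1; }
  kubectl -n "$ns" get serviceaccount "$SA" >/dev/null 2>&1 \
    || kubectl -n "$ns" create serviceaccount "$SA" || return 1
  if kubectl get clusterrolebinding "$crb" \
       -o jsonpath='{range .subjects[*]}{.kind}/{.namespace}/{.name}{"\n"}{end}' \
       | grep -qxF "ServiceAccount/$ns/$SA"; then
    echo "$ns is already a subject of $crb"
  else
    kubectl patch clusterrolebinding "$crb" --type=json -p "$patch"
  fi
}

# Usage: sh regrant.sh ns1 ns2 ...   (the file name is an example)
for arg in "$@"; do regrant "$arg" || exit 1; done
```

Each subject added to a ClusterRoleBinding receives the bound ClusterRole's permissions cluster-wide, so pass only the namespaces that actually host Aerospike clusters.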