Re-grant RBAC privileges to namespaces
There is a known issue with upgrading from version 2.5.0 to 3.0.0. This upgrade scenario revokes the RBAC privileges required to run Aerospike clusters.
Re-grant the RBAC privileges for each Kubernetes namespace that contains Aerospike clusters.
The procedure to re-grant privileges to a Kubernetes namespace ns1 is as follows. Replace ns1 with the name of your namespace.
Create a service account
kubectl -n ns1 create serviceaccount aerospike-operator-controller-manager
If the service account already exists, ignore the error you receive.
Create RoleBinding/ClusterRoleBinding for Aerospike cluster
Next, create a RoleBinding or ClusterRoleBinding, as required, to attach this service account to the ClusterRole aerospike-cluster.
This ClusterRole is created as part of the Operator installation.
- To connect to the Aerospike cluster using only the Kubernetes-native Pod network, create a RoleBinding:
kubectl -n ns1 create rolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=ns1:aerospike-operator-controller-manager
- To connect to the Aerospike cluster from outside Kubernetes, create a ClusterRoleBinding:
kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=ns1:aerospike-operator-controller-manager
To attach service accounts from multiple namespaces in one go, add multiple --serviceaccount parameters to the above command.
Example: to attach the service accounts of the ns1 and ns2 namespaces:
kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=ns1:aerospike-operator-controller-manager --serviceaccount=ns2:aerospike-operator-controller-manager
If the required ClusterRoleBinding already exists in the cluster, edit it to attach the new service account:
kubectl edit clusterrolebinding aerospike-cluster
This command launches an editor. Append the following lines to the subjects section:
# A new entry for ns1.
# Replace ns1 with your namespace
- kind: ServiceAccount
  name: aerospike-operator-controller-manager
  namespace: ns1
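To confirm the result of the steps above, the following added example (not part of the Aerospike documentation) audits the output of kubectl get clusterrolebinding aerospike-cluster -o json: it reports namespaces whose service account is still unbound and subjects that fall outside the expected set. The function names audit_binding and subject_entries and the sample binding are constructed for illustration.

```python
import json

ROLE = "aerospike-cluster"
SERVICE_ACCOUNT = "aerospike-operator-controller-manager"

# Constructed sample of `kubectl get clusterrolebinding aerospike-cluster -o json`.
SAMPLE = json.loads("""
{
  "kind": "ClusterRoleBinding",
  "metadata": {"name": "aerospike-cluster"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
              "kind": "ClusterRole", "name": "aerospike-cluster"},
  "subjects": [
    {"kind": "ServiceAccount", "name": "aerospike-operator-controller-manager", "namespace": "ns1"},
    {"kind": "ServiceAccount", "name": "aerospike-operator-controller-manager", "namespace": "ns3"}
  ]
}
""")


def audit_binding(binding, namespaces):
    """Return (missing, unexpected): namespaces whose service account is not
    bound, and subjects outside the expected set (review before keeping them)."""
    ref = binding.get("roleRef", {})
    if (ref.get("kind"), ref.get("name")) != ("ClusterRole", ROLE):
        raise ValueError(f"binding does not reference ClusterRole {ROLE}")
    wanted, present, unexpected = set(namespaces), set(), []
    for subj in binding.get("subjects") or []:  # key may be absent or null
        if (subj.get("kind") == "ServiceAccount"
                and subj.get("name") == SERVICE_ACCOUNT
                and subj.get("namespace") in wanted):
            present.add(subj["namespace"])
        else:
            unexpected.append(subj)
    return sorted(wanted - present), unexpected


def subject_entries(namespaces):
    """Render the YAML entries to append under subjects in `kubectl edit`."""
    return "".join(
        f"- kind: ServiceAccount\n  name: {SERVICE_ACCOUNT}\n  namespace: {ns}\n"
        for ns in namespaces)


if __name__ == "__main__":
    missing, unexpected = audit_binding(SAMPLE, ["ns1", "ns2"])
    print("missing namespaces:", missing)
    print("unexpected subjects:", unexpected)
    print(subject_entries(missing), end="")
```

Because a ClusterRoleBinding grants the role cluster-wide, any subject reported as unexpected is worth reviewing before it is left in place.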