Skip to main content
Loading
Version: Operator 2.5.0

Re-grant RBAC privileges to namespaces

OLM-based installations (OperatorHub.io and RedHat OpenShift) have a known issue with upgrading from version 2.4.0 to 2.5.0. This upgrade scenario revokes the RBAC privileges required to run Aerospike clusters in Kubernetes namespaces other than the aerospike namespace.

Re-grant the RBAC privileges for each Kubernetes namespace (except aerospike) which contains Aerospike clusters.

The procedure to re-grant privileges to a Kubernetes namespace ns1 is as follows. Replace ns1 with the name of your namespace.

Create a service account

kubectl -n ns1 create serviceaccount aerospike-operator-controller-manager

If the service account already exists, ignore the error you receive.

Update the operator's ClusterRoleBinding

Next, add this service account to the Operator's ClusterRoleBinding. 

kubectl edit clusterrolebindings.rbac.authorization.k8s.io $(kubectl get clusterrolebindings.rbac.authorization.k8s.io  | grep aerospike-kubernetes-operator | grep -v -- "-opera-" | grep -v -- "default-ns" | cut -f 1 -d " ")

This command launches an editor. Append the following lines to the subjects section:

  # A new entry for ns1.
  # Replace ns1 with your namespace
- kind: ServiceAccount
  name: aerospike-operator-controller-manager
  namespace: ns1

Save and ensure that the changes are applied.

Here is a full example of the Operator's ClusterRoleBinding targeting the ns1 namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2022-06-16T10:48:36Z"
  labels:
    olm.owner: aerospike-kubernetes-operator.v2.5.0
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: test
    operators.coreos.com/aerospike-kubernetes-operator.test: ""
  name: aerospike-kubernetes-operator.v2.5.0-74b946466d
  resourceVersion: "51841234"
  uid: be546dd5-b21e-4cc3-8a07-e2fe5fe5274c
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aerospike-kubernetes-operator.v2.5.0-74b946466d
subjects:
  - kind: ServiceAccount
    name: aerospike-operator-controller-manager
    namespace: operators

  # New entry
  - kind: ServiceAccount
    name: aerospike-operator-controller-manager
    namespace: ns1
Last updated on