RBAC Issues with Selenium Grid Helm Chart and Keda Autoscaling: How to Resolve or Bypass RBAC Restrictions? #2389
-
Tried to deploy a selenium-grid Helm chart with autoscaling functionality using Keda, but encountered RBAC issues related to `rbac.authorization.k8s.io`, getting the following error: `resource rbac.authorization.k8s.io:ClusterRole is not permitted in project`. I observed errors in several roles, including `ClusterRole`, `ClusterRoleBinding`, `Role`, and `RoleBinding`. I was wondering if there is any way to enable autoscaling for selenium-grid without RBAC because if I disable it, the Keda pods are refusing to start.
-
Set this config key to false: `autoscaling.patchObjectFinalizers.enabled`
-
If possible, can you try a dry run with `helm template`, output all YAML rendered (remove secret info if necessary), and provide that output so that I can understand it further?
Couldn't attach the file, hope it helps
```
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: keda-operator
    helm.sh/chart: keda-2.15.1
    app.kubernetes.io/component: operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.15.1
    app.kubernetes.io/instance: release-name
--
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: keda-operator-minimal-cluster-role
    helm.sh/chart: keda-2.15.1
    app.kubernetes.io/component: operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.15.1
    app.kubernetes.io/instance: release-name
--
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: keda-operator-external-metrics-reader
    helm.sh/chart: keda-2.15.1
    app.kubernetes.io/component: operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.15.1
    app.kubernetes.io/instance: release-name
--
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: keda-operator-webhook
    helm.sh/chart: keda-2.15.1
    app.kubernetes.io/component: operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.15.1
    app.kubernetes.io/instance: release-name
--
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: keda-operator
    helm.sh/chart: keda-2.15.1
    app.kubernetes.io/component: operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.15.1
    app.kubernetes.io/instance: release-name
--
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: keda-operator-minimal
    helm.sh/chart: keda-2.15.1
    app.kubernetes.io/component: operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.15.1
    app.kubernetes.io/instance: release-name
--
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: keda-operator-system-auth-delegator
    helm.sh/chart: keda-2.15.1
    app.kubernetes.io/component: operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.15.1
    app.kubernetes.io/instance: release-name
--
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: keda-operator-hpa-controller-external-metrics
    helm.sh/chart: keda-2.15.1
    app.kubernetes.io/component: operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.15.1
    app.kubernetes.io/instance: release-name
--
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: keda-operator-webhook
    helm.sh/chart: keda-2.15.1
    app.kubernetes.io/component: operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.15.1
    app.kubernetes.io/instance: release-name
--
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/name: keda-operator-certs
    helm.sh/chart: keda-2.15.1
    app.kubernetes.io/component: operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.15.1
    app.kubernetes.io/instance: release-name
--
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/name: keda-operator-certs
    helm.sh/chart: keda-2.15.1
    app.kubernetes.io/component: operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.15.1
    app.kubernetes.io/instance: release-name
--
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/name: keda-operator-auth-reader
    helm.sh/chart: keda-2.15.1
    app.kubernetes.io/component: operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: keda-operator
    app.kubernetes.io/version: 2.15.1
    app.kubernetes.io/instance: release-name
```
-
Okay, I understand your situation. I can confirm that those resources come from the KEDA chart; they don't belong to the selenium-grid resources.
When `autoscaling.enabled` is set to true, the KEDA sub-chart is deployed together with it. That chart deploys a few needed resources (CRDs, RBAC, and so on) on the server side.
In this case, you can ask an admin to deploy the KEDA chart separately and then set `autoscaling.enableWithExistingKEDA` in the selenium-grid chart.
-
Hello, @VietND96, but this still means we have to be able to create ClusterRoles, right? Because, if I understand correctly, even if we deploy the KEDA chart separately and then set autoscaling.enableWithExistingKEDA, we still have to have permissions to create ClusterRoles for that KEDA chart.
-
I can answer that creating `ClusterRoles` is unnecessary when the KEDA chart is deployed.
You can try a dry-run `helm template` with `--set autoscaling.enableWithExistingKEDA=true --set autoscaling.patchObjectFinalizers.enabled=false`; only the resource `ScaledObject` or `ScaledJob` is created, which is not RBAC.
-
> I can answer that creating `ClusterRoles` is unnecessary when the KEDA chart is deployed. You can try a dry-run `helm template` with `--set autoscaling.enableWithExistingKEDA=true --set autoscaling.patchObjectFinalizers.enabled=false`; only the resource `ScaledObject` or `ScaledJob` is created, which is not RBAC.
When I do this I still need to install the CRDs for KEDA, which automatically creates ClusterRoles - checked it with helm template command and noticed the following lines when applying CRDs:
```
clusterrole.rbac.authorization.k8s.io/keda-external-metrics-reader serverside-applied
clusterrole.rbac.authorization.k8s.io/keda-operator serverside-applied
clusterrolebinding.rbac.authorization.k8s.io/keda-hpa-controller-external-metrics serverside-applied
clusterrolebinding.rbac.authorization.k8s.io/keda-operator serverside-applied
clusterrolebinding.rbac.authorization.k8s.io/keda-system-auth-delegator serverside-applied
```
-
Yes, `ScaledObject` and `ScaledJob` are KEDA's CRDs, and KEDA needs RBAC to create those resources in the cluster. So the precondition is that KEDA is installed in the cluster (via the KEDA Helm chart or its YAML manifest files). Then install the selenium-grid chart with `autoscaling.enableWithExistingKEDA=true`.
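
The dry-run check suggested in this thread can be scripted so that a render is inspected for RBAC objects before anything is applied to a restricted project. This is an added example, not code from the discussion or from the selenium-grid or KEDA projects; the function names and the embedded sample manifests are constructed, and in practice the input would be the output of `helm template` with the `--set` flags quoted above.

```shell
# Added example (not from the thread): pre-flight check for RBAC objects in
# rendered manifests. Both functions read multi-document YAML on stdin.
rbac_kinds() {
  # Only column-0 "apiVersion:" / "kind:" lines are matched, so the indented
  # "kind:" inside a binding's roleRef is not counted as a separate object.
  awk '
    function count_doc() {
      if (api ~ /^rbac\.authorization\.k8s\.io\// && kind != "") n[kind]++
      api = ""; kind = ""
    }
    /^---/         { count_doc(); next }
    /^apiVersion:/ { api = $2 }
    /^kind:/       { kind = $2 }
    END            { count_doc(); for (k in n) print n[k], k }
  ' | LC_ALL=C sort -k2
}
# Number of ClusterRole / ClusterRoleBinding objects (these need cluster-level rights).
cluster_scoped_count() {
  rbac_kinds | awk '$2 ~ /^ClusterRole(Binding)?$/ { s += $1 } END { print s + 0 }'
}
# Constructed sample, trimmed to the fields the check reads: a render with the KEDA sub-chart.
sample_with_subchart() { cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
roleRef:
  kind: ClusterRole
  name: keda-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
EOF
}
# Constructed sample: a render with autoscaling.enableWithExistingKEDA=true.
sample_existing_keda() { cat <<'EOF'
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
EOF
}
echo "with sub-chart: $(sample_with_subchart | cluster_scoped_count) cluster-scoped RBAC objects"
echo "existing KEDA:  $(sample_existing_keda | cluster_scoped_count) cluster-scoped RBAC objects"
```

A non-zero count from `cluster_scoped_count` means the render contains objects that a namespace- or project-restricted deployer cannot create, so that part of the install has to be handled by a cluster admin.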