Re-grant RBAC privileges to namespaces
There is a known issue in OLM-based installations (OperatorHub.io and Red Hat OpenShift) where upgrading from version 2.0.0 to 2.1.0 revokes the RBAC permissions required to run Aerospike clusters in Kubernetes namespaces other than the aerospike namespace.
For each Kubernetes namespace that has Aerospike clusters, excluding aerospike, re-grant the RBAC privileges.
The procedure to re-grant privileges to a Kubernetes namespace ns1 is as follows. Replace ns1 with the name of your namespace.
Create a service account
kubectl -n ns1 create serviceaccount aerospike-operator-controller-manager
Ignore the error if the service account already exists.
Update the operator's ClusterRoleBinding
Next, add this service account to the Operator's ClusterRoleBinding. To do this, run the following command:
kubectl edit clusterrolebindings.rbac.authorization.k8s.io $(kubectl get clusterrolebindings.rbac.authorization.k8s.io | grep aerospike-kubernetes-operator | grep -v -- "-opera-" | grep -v -- "default-ns" | cut -f 1 -d " ")
This command launches an editor. Append the following lines to the subjects section:
# A new entry for ns1.
# Replace ns1 with your namespace
- kind: ServiceAccount
  name: aerospike-operator-controller-manager
  namespace: ns1
Save and ensure that the changes are applied.
Here is a full example of the Operator's ClusterRoleBinding targeting the ns1 namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2022-06-16T10:48:36Z"
  labels:
    olm.owner: aerospike-kubernetes-operator.v2.1.0
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: test
    operators.coreos.com/aerospike-kubernetes-operator.test: ""
  name: aerospike-kubernetes-operator.v2.1.0-74b946466d
  resourceVersion: "51841234"
  uid: be546dd5-b21e-4cc3-8a07-e2fe5fe5274c
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aerospike-kubernetes-operator.v2.1.0-74b946466d
subjects:
- kind: ServiceAccount
  name: aerospike-operator-controller-manager
  namespace: operators
# New entry
- kind: ServiceAccount
  name: aerospike-operator-controller-manager
  namespace: ns1
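The manual steps above as a non-interactive, repeatable script, added here as an example and not part of Aerospike's documentation or tooling. It skips namespaces that are already bound, refuses to proceed unless the lookup matches exactly one ClusterRoleBinding, and verifies the result. The function names and the use of kubectl patch with a JSON Patch in place of kubectl edit are this example's own choices.

```shell
#!/bin/sh
# Added example: scripted form of the manual re-grant steps (not Aerospike's tooling).
SA=aerospike-operator-controller-manager

# Namespace names are DNS labels; reject anything else before building JSON.
valid_ns() {
  case "$1" in ''|*[!a-z0-9-]*|-*|*-) return 1 ;; esac
  [ "${#1}" -le 63 ]
}

# Same lookup filters as the page's kubectl edit command.
find_crb() {
  kubectl get clusterrolebindings.rbac.authorization.k8s.io \
    | grep aerospike-kubernetes-operator | grep -v -- "-opera-" \
    | grep -v -- "default-ns" | cut -f 1 -d " "
}

# Print subjects as kind<TAB>namespace<TAB>name, one per line.
list_subjects() {
  kubectl get clusterrolebinding "$1" -o \
    jsonpath='{range .subjects[*]}{.kind}{"\t"}{.namespace}{"\t"}{.name}{"\n"}{end}'
}

# Reads list_subjects output on stdin; succeeds if namespace $1 is already bound.
has_subject() {
  grep -Fxq "$(printf 'ServiceAccount\t%s\t%s' "$1" "$SA")"
}

# JSON Patch that appends the subject the manual edit would add.
build_patch() {
  printf '[{"op":"add","path":"/subjects/-","value":{"kind":"ServiceAccount","name":"%s","namespace":"%s"}}]' "$SA" "$1"
}

regrant() {
  ns=$1
  valid_ns "$ns" || { echo "invalid namespace: $ns" >&2; return 2; }
  crb=$(find_crb)
  [ "$(printf '%s\n' "$crb" | grep -c .)" -eq 1 ] \
    || { echo "expected exactly one ClusterRoleBinding, found: $crb" >&2; return 1; }
  kubectl -n "$ns" get serviceaccount "$SA" >/dev/null 2>&1 \
    || kubectl -n "$ns" create serviceaccount "$SA" || return 1
  if ! list_subjects "$crb" | has_subject "$ns"; then
    kubectl patch clusterrolebinding "$crb" --type=json -p "$(build_patch "$ns")" || return 1
  fi
  list_subjects "$crb" | has_subject "$ns"   # verify the binding is present
}

# Usage: sh regrant.sh ns1 ns2 ...
for ns in "$@"; do regrant "$ns" || exit 1; done
```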