Demo support for RBAC?


#1

I am attempting to run the Conduit demo on my Tectonic cluster, but I find that it doesn’t work. Emojivoto is busted; the list of emojis does not show up. Conduit doesn’t show any deployments. If I deploy emojivoto without doing the conduit inject, then emojivoto works, but obviously Conduit still doesn’t show any deployments.

I’m guessing this has to do either with RBAC or with network policies. If I shell into the conduit-proxy container in the emoji-svc, I’m not able to actually connect to the controller:

curl hxxp://proxy-api.conduit.svc.cluster.local:8086/conduit.proxy.telemetry.Telemetry/Report
curl: (56) Recv failure: Connection reset by peer

Also I see a lot of this in the logs for the destination container in the controller:

E1211 23:45:01.296991 1 reflector.go:199] github.com/runconduit/conduit/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: the server does not allow access to the requested resource (get services)
E1211 23:45:02.302709 1 reflector.go:199] github.com/runconduit/conduit/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: the server does not allow access to the requested resource (get Endpoints)

Presumably this is going to need a service account with adequate permissions to get the job done?


#2

Hi Kris! Yes, those controller log messages sound like RBAC. We’re working on a better story around this, but FYI for Linkerd we wrote up a quick guide for how to run it with K8s RBAC which you might be able to crib from in the short term:

https://buoyant.io/2017/07/24/using-linkerd-kubernetes-rbac/

If you do manage to get it working, please let us know!


#3

I filed https://github.com/runconduit/conduit/issues/31 for getting this working.
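
An added example, not part of the thread and not Conduit's own code: it derives a least-privilege read-only ClusterRole from the reflector denials quoted in the first post, instead of granting the controller broad access. The role name `conduit-controller-read` and service account name `conduit-controller` are hypothetical; the `conduit` namespace is taken from the service hostname in the first post.

```python
import json
import re

# The two controller log lines quoted in the first post.
SAMPLE_LOG = """\
E1211 23:45:01.296991 1 reflector.go:199] github.com/runconduit/conduit/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: the server does not allow access to the requested resource (get services)
E1211 23:45:02.302709 1 reflector.go:199] github.com/runconduit/conduit/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: the server does not allow access to the requested resource (get Endpoints)
"""
DENIED = re.compile(r"Failed to (?:list|watch) \*\w+\.\w+: .*\(\w+ (\w+)\)\s*$")
# Assumption: only these core-group ("") resources are resolved here; the Go
# type alias in the log does not identify the API group of other kinds.
CORE = {"services", "endpoints", "pods", "namespaces", "nodes"}
RBAC = "rbac.authorization.k8s.io"

def denied_resources(log_text):
    """Return (core resources, unresolved names) found in reflector denials."""
    found, unknown = set(), set()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            resource = m.group(1).lower()  # "(get Endpoints)" -> "endpoints"
            (found if resource in CORE else unknown).add(resource)
    return sorted(found), sorted(unknown)

def cluster_role(name, resources):
    """Read-only ClusterRole: a client-go reflector lists, then watches."""
    return {"apiVersion": RBAC + "/v1", "kind": "ClusterRole",
            "metadata": {"name": name},
            "rules": [{"apiGroups": [""], "resources": resources,
                       "verbs": ["list", "watch"]}]}

def binding(role, namespace, service_account):
    """Bind the role to one service account only, not to a whole group."""
    return {"apiVersion": RBAC + "/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": role},
            "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "ServiceAccount", "name": service_account,
                          "namespace": namespace}]}

if __name__ == "__main__":
    resources, unknown = denied_resources(SAMPLE_LOG)
    # Hypothetical names: the thread gives neither role nor service account.
    items = [cluster_role("conduit-controller-read", resources),
             binding("conduit-controller-read", "conduit", "conduit-controller")]
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2))
    if unknown:
        print("# unresolved (API group unknown):", ", ".join(unknown))
```

The JSON output can be reviewed and then applied with `kubectl apply -f`; the controller pod must also run under the bound service account for the grant to take effect.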