Skip to content

RBAC issues in Fleet's GitRepos after upgrade

This document (000021869) is provided subject to the disclaimer at the end of this document.

Environment

Rancher 2.9.9+

Rancher 2.10.5+

Up to  Rancher 2.11.1.

Situation

After upgrading to Rancher 2.9.9+ or  2.10.5+, there are insufficient permissions on the Role for the ServiceAccount in charge of updating each GitRepo.
You might see errors like the following one:

Job Failed. failed: 1/1time="YYYY-MM-DDThh:mm:ssZ" level=fatal msg="secrets \"sample-git-repo-sa-secret\" is forbidden: User \"system:serviceaccount:fleet-default:git-repo-sample-name\" cannot delete resource \"secrets\" in API group \"\" in the namespace \"fleet-default\""

This issue affects anyone with GitRepos that are upgrading to Rancher version v2.9.9+ or Rancher version v2.10.5+.
Rancher v2.11.1+ is not affected since the newer Fleet versions automatically resolves the Role's permissions.

Resolution

The fix is to manually add the permissions missing to the Role. These steps are to be run on the 'local' cluster (Rancher):

  • Create a backup for the Role of an affected GitRepo. It will be named 'git-REPONAME' in the ' fleet-default' namespace (replace "REPONAME" by your GitRepo name)

  • For example for a repo named 'app-test': ' kubectl get role -n fleet-default git-app-test -o yaml > role-git-app-test-backup.yaml'

  • Edit the role for the affected repo.
  • For example, for a repo named 'app-test': ' kubectl edit role -n fleet-default git-app-test'
  • Add the following section at the bottom of the role, under the rules section:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
  - update
  - delete
  • Save the changes
  • Run a "Force Update" on the GitRepo in the Continuous Delivery section in the Rancher UI (three-dots menu next to the GitRepo)

Cause

There are insufficient permissions on the Role for the ServiceAccount in charge of updating each GitRepo.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.