While installing Camunda 8 (chart camunda-platform-9.3.2) on K8s (VMware Tanzu), I realised that the serviceAccount section of zeebeGateway is not taken into account. How did I get there?
I have a security policy on my cluster where I need to create Service Accounts with specific permissions so that the SA can start pods:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: camunda-role
  namespace: camunda
rules:
  # Permission to "use" the privileged PodSecurityPolicy, which is what the
  # PSP admission controller checks before it lets a pod be created
  - apiGroups: ["extensions"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["pks-privileged"]
    verbs: ["use"]
```
So I have created two service accounts, “zeebe” and “zeebeGateway”, with the following RoleBinding:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: camunda-rolebinding
  namespace: camunda
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: camunda-role
subjects:
  # ServiceAccount subjects must carry a namespace, otherwise the API server rejects the binding
  - kind: ServiceAccount
    name: zeebe
    namespace: camunda
  - kind: ServiceAccount
    name: zeebegateway
    namespace: camunda
```
I use the following YAML content to override the chart values:
```yaml
zeebe:
  enabled: true
  debug: true
  serviceAccount:
    enabled: false          # do not let the chart create the SA; use the pre-created one
    name: "zeebe"
    automountServiceAccountToken: false
zeebeGateway:
  serviceAccount:
    enabled: false
    name: "zeebegateway"
    automountServiceAccountToken: false
```
On the first try, the zeebe pods were up and running, but for zeebeGateway the following errors popped up:
```text
0s Warning FailedCreate replicaset/camunda-kc22-zeebe-gateway-645c88bc67 Error creating: pods "camunda-kc22-zeebe-gateway-645c88bc67-" is forbidden: PodSecurityPolicy: unable to admit pod: []
0s Warning FailedCreate replicaset/camunda-kc22-zeebe-gateway-645c88bc67 Error creating: pods "camunda-kc22-zeebe-gateway-645c88bc67-" is forbidden: PodSecurityPolicy: unable to admit pod: []
```
Following my suspicion that the “default” service account was being used instead of “zeebegateway”, I added the same security policy to the “default” service account:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: camunda-role
  namespace: camunda
rules:
  # Permission to "use" the privileged PodSecurityPolicy
  - apiGroups: ["extensions"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["pks-privileged"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: camunda-rolebinding
  namespace: camunda
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: camunda-role
subjects:
  # ServiceAccount subjects must carry a namespace, otherwise the API server rejects the binding
  - kind: ServiceAccount
    name: zeebe
    namespace: camunda
  - kind: ServiceAccount
    name: zeebegateway
    namespace: camunda
  - kind: ServiceAccount
    name: default
    namespace: camunda
```
I redeployed the chart and now the zeebe-gateway pods are running:
```text
0s Normal SuccessfulCreate replicaset/camunda-kc22-zeebe-gateway-645c88bc67 Created pod: camunda-kc22-zeebe-gateway-645c88bc67-l4vlx
0s Normal SuccessfulCreate replicaset/camunda-kc22-zeebe-gateway-645c88bc67 Created pod: camunda-kc22-zeebe-gateway-645c88bc67-gq9rm
0s Normal Scheduled pod/camunda-kc22-zeebe-gateway-645c88bc67-l4vlx Successfully assigned camunda/camunda-kc22-zeebe-gateway-645c88bc67-l4vlx to 7f55e346-fdef-4a76-9077-ca99ac20b5e1
0s Normal Scheduled pod/camunda-kc22-zeebe-gateway-645c88bc67-gq9rm Successfully assigned camunda/camunda-kc22-zeebe-gateway-645c88bc67-gq9rm to c9e79888-7a18-429c-b160-cd70a1bc30dc
0s Normal Pulled pod/camunda-kc22-zeebe-gateway-645c88bc67-l4vlx Container image "remote-docker.artifactory.swisscom.com/camunda/zeebe:8.5.0-alpha2" already present on machine
0s Normal Created pod/camunda-kc22-zeebe-gateway-645c88bc67-l4vlx Created container zeebe-gateway
0s Normal Pulled pod/camunda-kc22-zeebe-gateway-645c88bc67-gq9rm Container image "remote-docker.artifactory.swisscom.com/camunda/zeebe:8.5.0-alpha2" already present on machine
0s Normal Created pod/camunda-kc22-zeebe-gateway-645c88bc67-gq9rm Created container zeebe-gateway
0s Normal Started pod/camunda-kc22-zeebe-gateway-645c88bc67-l4vlx Started container zeebe-gateway
0s Normal Started pod/camunda-kc22-zeebe-gateway-645c88bc67-gq9rm Started container zeebe-gateway
```
Could someone confirm this?
Thank you.
Hazhir
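The post's diagnosis rests on one mechanism: PSP admission authorises a pod against the service account it will run as, and a pod template that omits `serviceAccountName` runs as `default`. The fastest way to confirm that for a rendered or deployed chart is to read the pod template of each workload, resolve its effective service account, and check whether that account is a subject of a RoleBinding to a Role that grants `use` on the PSP. The script below does exactly that over the JSON shape `kubectl get deploy,statefulset,role,rolebinding -n camunda -o json` produces. It is an added example, not code from the post or from the Camunda chart; the embedded `SAMPLE` is constructed to mirror the situation described (gateway template without a service account, binding for `zeebe` and `zeebegateway` only) and is not real cluster output. `add_subject` reproduces the poster's workaround so the before/after can be compared; note that binding `default` grants the privileged PSP to every pod in the namespace that does not name its own service account, which is broader than binding `zeebegateway` alone.

```python
import json

# Constructed sample in the shape of
#   kubectl get deploy,statefulset,role,rolebinding -n camunda -o json
# NOT real cluster output; it mirrors the post: the zeebe StatefulSet names its
# SA, the gateway Deployment does not, the binding lists zeebe and zeebegateway.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "StatefulSet",
         "metadata": {"name": "camunda-kc22-zeebe", "namespace": "camunda"},
         "spec": {"template": {"spec": {"serviceAccountName": "zeebe"}}}},
        {"kind": "Deployment",
         "metadata": {"name": "camunda-kc22-zeebe-gateway", "namespace": "camunda"},
         # no serviceAccountName: the pod runs as "default"
         "spec": {"template": {"spec": {"containers": [{"name": "zeebe-gateway"}]}}}},
        {"kind": "Role",
         "metadata": {"name": "camunda-role", "namespace": "camunda"},
         "rules": [{"apiGroups": ["extensions"], "resources": ["podsecuritypolicies"],
                    "resourceNames": ["pks-privileged"], "verbs": ["use"]}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "camunda-rolebinding", "namespace": "camunda"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "camunda-role"},
         "subjects": [{"kind": "ServiceAccount", "name": "zeebe", "namespace": "camunda"},
                      {"kind": "ServiceAccount", "name": "zeebegateway", "namespace": "camunda"}]},
    ],
})

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}
PSP_GROUPS = {"extensions", "policy", "*"}   # PSPs lived in both API groups over time


def rule_grants_psp_use(rule, psp_name):
    """True if one RBAC rule allows the `use` verb on the named PodSecurityPolicy."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    names = rule.get("resourceNames", [])      # empty list means every PSP
    verbs = set(rule.get("verbs", []))
    return (bool(groups & PSP_GROUPS)
            and bool(resources & {"podsecuritypolicies", "*"})
            and (not names or psp_name in names)
            and bool(verbs & {"use", "*"}))


def roles_granting_psp_use(items, psp_name):
    """Names of namespaced Roles with at least one rule granting `use` on the PSP."""
    return {it["metadata"]["name"] for it in items
            if it.get("kind") == "Role"
            and any(rule_grants_psp_use(r, psp_name) for r in it.get("rules", []))}


def service_accounts_bound_to(items, role_names):
    """(namespace, name) of every ServiceAccount subject bound to one of the Roles."""
    bound = set()
    for it in items:
        ref = it.get("roleRef", {})
        if it.get("kind") != "RoleBinding" or ref.get("kind") != "Role" or ref.get("name") not in role_names:
            continue
        binding_ns = it["metadata"]["namespace"]
        for s in it.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                bound.add((s.get("namespace", binding_ns), s["name"]))
    return bound


def effective_service_account(workload):
    """The SA a pod built from this template runs as; "default" when the template sets none."""
    pod_spec = workload["spec"]["template"]["spec"]
    return pod_spec.get("serviceAccountName") or pod_spec.get("serviceAccount") or "default"


def audit(kubectl_json, psp_name):
    """Per workload: (kind/name, effective SA, whether that SA is bound to a Role that may use the PSP)."""
    items = json.loads(kubectl_json)["items"]
    bound = service_accounts_bound_to(items, roles_granting_psp_use(items, psp_name))
    report = []
    for it in items:
        if it.get("kind") in WORKLOAD_KINDS:
            sa = effective_service_account(it)
            ns = it["metadata"]["namespace"]
            report.append((f'{it["kind"]}/{it["metadata"]["name"]}', sa, (ns, sa) in bound))
    return report


def add_subject(kubectl_json, binding_name, sa_name):
    """Copy of the JSON with one more ServiceAccount subject on a RoleBinding (the post's workaround)."""
    doc = json.loads(kubectl_json)
    for it in doc["items"]:
        if it.get("kind") == "RoleBinding" and it["metadata"]["name"] == binding_name:
            it.setdefault("subjects", []).append(
                {"kind": "ServiceAccount", "name": sa_name, "namespace": it["metadata"]["namespace"]})
    return json.dumps(doc)


if __name__ == "__main__":
    for kind_name, sa, ok in audit(SAMPLE, "pks-privileged"):
        print(f"{kind_name:40} sa={sa:14} psp-use={'yes' if ok else 'NO'}")
```

Against a live cluster, pipe `kubectl get deploy,statefulset,role,rolebinding -n camunda -o json` into `audit` instead of `SAMPLE`; the workload that reports `psp-use=NO` with `sa=default` is the one whose `serviceAccount` values were not rendered into the pod template, which is the more useful thing to fix than widening the binding to `default`.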