Issue with service account role binding

Hello,

I have recently faced an issue with OpenShift service account access to ElasticSearch.

I can access ElasticSearch only if a service account is mapped to the cluster-admin role.

The idea is to create a new service account with access to pod/logs and set role/permissions without binding it to the cluster-admin role. Local admin is not working either. I wonder which set of verbs and role binding I need to use.

Did anyone face a similar issue? Any advice is welcome.

Thank you in advance!

Hey @Lilth,

OpenShift service account access to ElasticSearch

Can you clarify what you mean by "access to Elasticsearch"?

  • the Elasticsearch HTTP API (curl http://<url>:9200)?
  • the Elasticsearch resource (kubectl get elasticsearch)?
  • the Elasticsearch pod (kubectl get pod <es-pod>)?

In general you can create your own (Cluster)Role and (Cluster)RoleBinding by following the OpenShift and/or Kubernetes documentation.

You probably want a role to access the Elasticsearch resource:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elasticsearch-resource-access   # placeholder name, not from the original post
rules:
- apiGroups:
  - elasticsearch.k8s.elastic.co
  resources:
  - elasticsearches
  - elasticsearches/status
  - elasticsearches/finalizers
  - enterpriselicenses
  - enterpriselicenses/status
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

And similar ones for the pods resource and its log subresource.

Hello @sebgl,

Thank you for your reply!

The issue is fixed. I created a new cluster role with get/list on pod and pod/logs.
After that, it was bound to the local admin (sa) in the project.
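As an added, complete example (not manifests from the thread or from either poster), here is the least-privilege setup the last post describes, together with the pod/log rule the earlier reply alludes to: a ClusterRole granting only get/list on pods and the pods/log subresource, scoped to a single project through a RoleBinding rather than a ClusterRoleBinding, so the cluster-admin binding is no longer needed. The project name logging-demo, the service account name log-reader and the role and binding names are placeholders.

```yaml
# Added example; all names are placeholders, not from the original thread.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: log-reader
  namespace: logging-demo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-log-reader
rules:
- apiGroups: [""]            # core API group: pods live here, not in elasticsearch.k8s.elastic.co
  resources:
  - pods
  - pods/log                 # the log subresource needs its own entry; "pods" alone does not cover it
  verbs:
  - get
  - list
---
# A RoleBinding (not a ClusterRoleBinding) limits the ClusterRole to one project,
# so the service account can read pod logs only in logging-demo.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-reader-binding
  namespace: logging-demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pod-log-reader
subjects:
- kind: ServiceAccount
  name: log-reader
  namespace: logging-demo
```

Apply it with `oc apply -f rbac.yaml` and confirm the grant before removing any cluster-admin binding: `oc auth can-i get pods --subresource=log -n logging-demo --as=system:serviceaccount:logging-demo:log-reader` should answer `yes`, while the same check in another namespace should answer `no`. If the same account also has to read the Elasticsearch custom resource, add a second rule for the elasticsearch.k8s.elastic.co group with only the verbs actually required (get/list/watch for a reader) instead of the full set.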