Hello,
I have recently faced an issue with OpenShift service account access to ElasticSearch.
I can access ElasticSearch only if a service account is mapped to the cluster-admin role.
Idea is to create a new service account with access to pod/logs and set role/permissions without binding it to the cluster-admin role. Local admin is not working as well. I wonder which set of verbs and role binding do I need to use.
Did anyone face a similar issue? Any advice is welcome.
Thank you in advance!
Hey @Lilth,
OpenShift service account access to Elasticsearch
Can you clarify what you mean by "access to Elasticsearch"?
curl http://<url>:9200)?kubectl get elasticsearch)?kubectl get pod <es-pod>)?In general you can create your own (Cluster)Role and (Cluster)RoleBinding by following Openshift and/or Kubernetes documentation.
You probably want a role to access the Elasticsearch resource:
- apiGroups:
- elasticsearch.k8s.elastic.co
resources:
- elasticsearches
- elasticsearches/status
- elasticsearches/finalizers
- enterpriselicenses
- enterpriselicenses/status
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
And similar ones for the pods resource and its log subresource.
Hello @sebgl
Thank you for your reply!
Issue is fixed. I created new cluster role with get/list to pod and pod/logs.
After it, it was binded to local admin (sa) in project.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.