When using a private registry with credentials available in `authSecretName` and when defining `checkUpstream: true`, the webhook fails to read the secret and indicates that a permission to read them at the cluster scope is missing:

```
2024-02-22T06:59:04Z INFO controller-runtime.webhook Serving webhook server {"host": "", "port": 9443}
2024-02-22T06:59:04Z INFO controller-runtime.certwatcher Starting certificate watcher
2024-02-22T06:59:51Z INFO mutator token key: {"key": {"name":"docker-cfg","namespace":"harbor-container-webhook"}}
W0222 06:59:51.704213 1 reflector.go:535] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:harbor-container-webhook:harbor-container-webhook" cannot list resource "secrets" in API group "" at the cluster scope
```

If we disable `checkUpstream`, the connection with the private registry works fine.

Should the right `ClusterRole` be added to the service account created by the helm chart or should the webhook code be updated to have it work with namespaced `Role`s? Happy to create a PR.
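
The two RBAC options raised in the issue, side by side, as an added example that is not taken from the issue or from the project's Helm chart. The service account and namespace come from the log above; the Role and binding names are hypothetical, and Option B assumes the registry credential secret lives in the `harbor-container-webhook` namespace.

```yaml
# Option A (broad): satisfies the cluster-scope list seen in the log, but lets
# the webhook's service account read every Secret in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: harbor-container-webhook-secrets        # hypothetical name
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: harbor-container-webhook-secrets        # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: harbor-container-webhook-secrets
subjects:
  - kind: ServiceAccount
    name: harbor-container-webhook               # from the log line
    namespace: harbor-container-webhook
---
# Option B (least privilege): the same verbs, limited to the one namespace
# that holds the registry credential secret (assumed to be this namespace).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: harbor-container-webhook-secrets        # hypothetical name
  namespace: harbor-container-webhook
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: harbor-container-webhook-secrets        # hypothetical name
  namespace: harbor-container-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: harbor-container-webhook-secrets
subjects:
  - kind: ServiceAccount
    name: harbor-container-webhook
    namespace: harbor-container-webhook
```

Option B only removes the error if the webhook lists Secrets within that namespace; a list issued at the cluster scope, as in the log, is still forbidden under a namespaced Role, so it depends on the code change the issue asks about.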