I am trying to learn how Kubernetes works, so I have made my own K3S cluster using the quickstart guide.
Then I installed Cert Manager using the guide for Helm.
I want to use Let's Encrypt certificates for my cluster and validate them using the dns01 webhook with my DNS provider Simply.com.
This can be done by using a webhook found here:
https://github.com/RunnerM/simply-dns-webhook
Currently I am testing if I can get a certificate from Let's Encrypt by using their staging server.
I made the Yaml file letsencrypt-staging.yaml with the following content for ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging-key
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          groupName: com.github.runnerm.cert-manager-simply-webhook
          solverName: simply-dns-solver
          config:
            secretName: simply-credentials # notice the name
      selector:
        dnsZones:
        - 'cluster.example.com'
        - '*.cluster.example.com'
My configuration file is basically a verbatim copy-paste from the example found at the RunnerM GitHub page.
In order to issue a certificate I created a Yaml file called certificate-test.yaml with the following content:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-certificate
spec:
  dnsNames:
  - test.cluster.example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  secretName: test-certificate-tls
I should then be able to get a certificate issued by using the following two commands:
kubectl apply -f letsencrypt-staging.yaml
kubectl apply -f certificate-test.yaml
However I am not getting a certificate issued.
When running kubectl describe challenge test-certificate-1-1965387138-1295925723 I get the following error message:
...
Status:
  Presented:   false
  Processing:  true
  Reason:      secrets "simply-credentials" is forbidden: User "system:serviceaccount:default:my-simply-dns-webhook" cannot get resource "secrets" in API group "" in the namespace "cert-manager"
  State:       pending
E
...
I get that the Simply DNS webhook my-simply-dns-webhook is running in the default namespace and the Simply DNS credentials are stored in the cert-manager namespace.
So how do I permit the Simply DNS webhook to access resources in the cert-manager namespace?
Additional information
Running the command kubectl get clusterrolebindings gives, amongst others, the following information:
my-simply-dns-webhook:secret-access ClusterRole/my-simply-dns-webhook:secret-access 76s
simply-dns-webhook:challenge-management ClusterRole/simply-dns-webhook:challenge-management 76s
my-simply-dns-webhook:domain-solver ClusterRole/my-simply-dns-webhook:domain-solver 76s
my-simply-dns-webhook:flow-control ClusterRole/my-simply-dns-webhook:flow-control 76s
my-simply-dns-webhook:auth-delegator ClusterRole/system:auth-delegator 76s
Output from kubectl get clusterrole my-simply-dns-webhook:secret-access gives the following result:
Name:         my-simply-dns-webhook:secret-access
Labels:       app=simply-dns-webhook
              app.kubernetes.io/managed-by=Helm
              chart=simply-dns-webhook-1.5.4
              heritage=Helm
              release=my-simply-dns-webhook
Annotations:  meta.helm.sh/release-name: my-simply-dns-webhook
              meta.helm.sh/release-namespace: default
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  secrets.*  []                 []              [get]
And the command kubectl describe clusterrolebindings my-simply-dns-webhook:secret-access gives the output:
Name:         my-simply-dns-webhook:secret-access
Labels:       app=simply-dns-webhook
              app.kubernetes.io/managed-by=Helm
              chart=simply-dns-webhook-1.5.4
              heritage=Helm
              release=my-simply-dns-webhook
Annotations:  meta.helm.sh/release-name: my-simply-dns-webhook
              meta.helm.sh/release-namespace: default
Role:
  Kind:  ClusterRole
  Name:  my-simply-dns-webhook:secret-access
Subjects:
  Kind            Name                   Namespace
  ----            ----                   ---------
  ServiceAccount  my-simply-dns-webhook  cert-manager
So what am I missing?
I think the simply-dns-webhook helm chart is buggy.
It creates a ServiceAccount named simply-dns-webhook in the default namespace (or whatever namespace you pass to helm install's -n argument), but the simply-dns-webhook:secret-access ClusterRoleBinding specifies:

That's never going to match.
It might work if you deploy everything into the cert-manager namespace:
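An alternative to moving the release, as an added example that is not part of the question, the answer or the simply-dns-webhook chart: leave the chart's ClusterRoleBinding as it is and grant the ServiceAccount that actually exists (my-simply-dns-webhook in default, per the error message above) read access to just the one Secret in cert-manager. A RoleBinding may reference a ServiceAccount from another namespace, and scoping it with resourceNames keeps the grant narrower than the chart's ClusterRole, which allows get on every Secret cluster-wide. The Role and RoleBinding names are assumptions.

```yaml
# Added example; the object names below are hypothetical.
# Role lives in cert-manager, because that is where the Secret is.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: simply-dns-webhook:read-simply-credentials
  namespace: cert-manager
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["simply-credentials"]   # only this Secret, not all Secrets
    verbs: ["get"]                          # the only verb the error asks for
---
# The RoleBinding is namespaced to cert-manager, but its subject may be a
# ServiceAccount from another namespace: here the webhook's SA in default.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: simply-dns-webhook:read-simply-credentials
  namespace: cert-manager
subjects:
  - kind: ServiceAccount
    name: my-simply-dns-webhook
    namespace: default                      # must match where helm created the SA
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: simply-dns-webhook:read-simply-credentials
```

After applying it, the grant can be checked without re-running the challenge: kubectl auth can-i get secret/simply-credentials -n cert-manager --as=system:serviceaccount:default:my-simply-dns-webhook should answer yes, while the same query for any other Secret name should still answer no.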