Looking for help with an error I receive when trying to deploy to a cluster with Terraform. I am not a Cluster Owner in Rancher, and have seen this error previously, but the only way around it has been to make the user a cluster owner; however, the DoD STIG says that no more than one person can be a cluster owner, and I am not that one person. The error I receive is:
“Failed to get existing workspaces: secrets is forbidden: User “u-#####” cannot list resource “secrets” in the API group “” in the namespace “default””
I am only trying to run a terraform init, and nothing in my scripts goes to the default namespace. Unfortunately, my team is not in control of the cluster or Rancher. The engineers that are, have given me ownership of the project my app will eventually be in. Is there any way to get past this error without making my user a cluster owner? That’s the only thing that has worked in the past.
08/23/2022, 6:23 PM
Have you considered that perhaps the “owner” for auditing purposes shouldn’t also be tied to the “owner” RBAC role? Like maybe you put an annotation on the cluster to denote the single named individual that “owns” it for purposes of the STIG, but grant other users access to it via RBAC?
08/23/2022, 6:27 PM
I have not, as I don’t own the cluster; my team simply is a user of it to deploy/host our application, but I can mention this to the engineers that own it.
08/23/2022, 6:44 PM
Yeah, I think they’ve addressed the STIG requirement the wrong way. Having an individual who “owns” the cluster for resource tracking purposes doesn’t mean that only one user can have the “cluster owner” role.
08/24/2022, 2:18 PM
Thanks for the tip. I’m gonna pass this along to them. I was able to convince them to give me Cluster Owner, but I believe they are still looking for a way around that, so this info could be really helpful for them. Thank you!