Unable to specify a custom storage class for an sgcluster

Summary

I'm unable to apply a custom storage class to my stackgres cluster through the sgcluster crd.

Current Behaviour

When an sgcluster crd with a storageClass specified is applied via kubectl apply -f temp.yaml, it fails with the following error:

Error from server: error when creating "temp.yaml": admission webhook "sgcluster.stackgres-operator.stackgres" denied the request: Failure executing: GET at: https://32.0.0.1/apis/storage.k8s.io/v1/storageclasses/azure-disk. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. storageclasses.extensions "azure-disk" is forbidden: User "system:serviceaccount:stackgres:stackgres-operator" cannot get resource "storageclasses" in API group "extensions" at the cluster scope.

Steps to reproduce

  • Ensure that the following command is run and the namespace is created: kubectl create namespace stackgres-cluster
  • Create a custom storage class, say azure-disk:

    kind: StorageClass
    apiVersion: storage.k8s.io/v1
    metadata:
      name: azure-disk
    provisioner: kubernetes.io/azure-disk
    parameters:
      storageaccounttype: Standard_LRS
      kind: Managed

  • Create a sgcluster crd and store it in a file, say temp.yaml:

    apiVersion: stackgres.io/v1
    kind: SGCluster
    metadata:
      name: test-db
      namespace: stackgres-cluster
    spec:
      instances: 1
      postgres:
        version: 'latest'
      pods:
        persistentVolume:
          size: 32Gi
          storageClass: azure-disk

  • Apply the crd using the command kubectl apply -f temp.yaml

Expected Behaviour

The cluster should get provisioned.

Possible Solution

At first, I thought this was a permissions issue, and tried creating a ClusterRole and ClusterRoleBinding for the service account. Unfortunately, I could not get this working.

  • I tried using the following API Groups: ["core", "storage.k8s.io", "apiextensions.k8s.io", "extensions", "storage", "core"]
  • I assigned permissions for get/list/watch
  • I allowed this for the following resources ["storageclass", "storageclasses/extensions", "storageclasses"]

This approach could work if this is really a permissions issue, but I am not sure if it is. I also don't have much experience with Kubernetes RBAC, so I might not have assigned the permissions correctly.
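For reference, the minimal RBAC grant that matches the denied request in the error above (verb get on storageclasses, API group storage.k8s.io, cluster scope) would look like the following. This is an added illustration, not a manifest from the report or from the StackGres project; the ClusterRole name is hypothetical, and the service account name and namespace are taken from the error message.

```yaml
# Added example: least-privilege read access to StorageClass objects
# for the operator's service account. The role name is hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: stackgres-operator-storageclass-reader
rules:
  # Resource names in RBAC rules are the plural form ("storageclasses");
  # "storageclass" matches nothing and "storageclasses/extensions" is
  # interpreted as a subresource, so neither grants the needed verb.
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: stackgres-operator-storageclass-reader
subjects:
  # Service account and namespace as reported in the webhook error.
  - kind: ServiceAccount
    name: stackgres-operator
    namespace: stackgres
roleRef:
  kind: ClusterRole
  name: stackgres-operator-storageclass-reader
  apiGroup: rbac.authorization.k8s.io
```

Whether the grant is actually effective can be checked without re-applying the cluster: kubectl auth can-i get storageclasses.storage.k8s.io --as=system:serviceaccount:stackgres:stackgres-operator should answer "yes" once the binding is in place; if it still answers "no", the problem is in the rule (wrong group or resource name) rather than in the operator.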

Environment

  • StackGres version: 1.0.0
  • Kubernetes version: 1.22.4
  • Cloud provider or hardware configuration: Azure Kubernetes Service

Relevant logs and/or screenshots
