Turning rbac on then off will "destroy" the cluster

If you have a microk8s cluster without RBAC enabled (which is the default setting) be very careful

In my case, I have turned it on microk8s enable rbac to see how it will forbid access

But then I realized that I did not check behavior without RBAC so decided to turn it off

And as you can guess with RBAC all roles and role bindings were also removed so immediately I have lose all components I tried to configure (e.g. ingress, cert-manager, etc)

Turning RBAC back again won’t recover loosen objects, turning off/on corrupted components is also not possible, for example, ha-cluster complains that if I will do it cluster will be wiped out

So I did break everything in a single command, thankfully it was my playground lab

Will be nice if microk8s before removing RBAC will notify the user what will happen and ask confirmation

Hi! Can you provide a little more information about the MicroK8s version you are running? This should not happen, after disabling RBAC the MicroK8s cluster should not break.

Can you also provide a little more information about what exactly happened in this case?

Version was 1.21 from stable channel

Cluster (microk8s) itself was fine and working, the problem is with all deployments on tops which are dependant on rbac

Like if you setup microk8s, then enable ingress and install cert manager (they both will add a bunch of roles and binding)

Then turn on/off rbac, roles and bindings will be deleted, from logs of ingress controller will see bazillion of error

Hopefully that’s describe it little bit better

Hi Alexandr_Marchenko:

Haven’t used microk8s myself, but the action of disabling RBAC in microk8s is described on the official repo:

There’s a tmp_manifest="${SNAP_USER_DATA}/tmp/temp.rbac.yaml" file where everything is dumped before it gets removed from Kubernetes:

$KUBECTL get ${type} --all-namespaces --selector kubernetes.io/bootstrapping=rbac-defaults -o yaml >> "${tmp_manifest}"

Maybe the ${tmp_manifest} file is still in your computer and you’re able to recover the manifests from it.

Best regards,


Really good finding :+1:

Indeed seems like it might be a solution for such cases, but at the very end it seems that with microk8s RBAC is something should be enabled from start and never touched again later :man_shrugging:

PS: At moment wish not to touch it again to check if temp will be saved :slight_smile: