chart: api-syncagent Role/RoleBinding leaked into 'default' namespace instead of release ns #161

@ifdotpy

Problem

When running helm template (or install) on the api-syncagent chart against a target --namespace X, most resources correctly land in X, but the Role and RoleBinding for the events leader-election lock emerge with namespace: default instead of namespace: X.

Reproducer:

helm template test api-syncagent/api-syncagent --version 0.4.2 --namespace my-agent | grep -B1 -A10 'kind: Role'

Impact

  • On shared clusters, every sync-agent install quietly writes into default ns.
  • Multiple sync-agents collide on the same names in default (leader-election lock, etc.).
  • Violates least-privilege posture — operators targeting a dedicated namespace don't expect cluster-wide or other-ns writes.

Suspected cause

Helm templates omit .metadata.namespace on Role/RoleBinding. Helm then defaults the namespace to the --namespace flag, unless a release-namespace override is applied somewhere (e.g., {{ .Release.Namespace }} missing from the template, --create-namespace not honored, or a namespace: default literal sneaking in).

Fix

Set namespace: {{ .Release.Namespace }} on the Role + RoleBinding in the templates, matching every other namespace-scoped resource the chart emits.

Noticed at

apeirora/showroom-msp-dati during cluster-infra bring-up for a new dati-syncagent. Same behavior observed for private-llm-sync-agent and cncf-postgres-sync-agent on the same shared MSP cluster (msp03 cc-d2).
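
As an added example (not part of the original issue and not the chart's own code): a check that can sit behind the reproducer's helm template command in CI and list every rendered object whose metadata.namespace is explicitly set to something other than the release namespace. The function names and the sample manifest, including its object names, are constructed for illustration.

```sh
# Added example: flag rendered objects pinned to a namespace other than the release one.
find_ns_leaks() {   # $1 = expected namespace; rendered manifests on stdin
  awk -v want="$1" '
    function report() {
      if (kind != "" && ns != "" && ns != want)
        printf "%s/%s namespace=%s\n", kind, name, ns
      kind = ""; name = ""; ns = ""; in_meta = 0
    }
    function val(line) {   # value after "key:", double quotes stripped
      sub(/^[^:]*:[ ]*/, "", line); gsub(/"/, "", line); return line
    }
    /^---/        { report(); next }
    /^kind:/      { kind = val($0); in_meta = 0; next }
    /^metadata:/  { in_meta = 1; next }
    /^[^ #]/      { in_meta = 0; next }   # any other top-level key ends metadata
    in_meta && /^  name:/      { name = val($0) }
    in_meta && /^  namespace:/ { ns = val($0) }
    END { report() }
  '
}

# Constructed sample render (object names are made up, not the chart's real output).
sample_render() {
  cat <<'EOF'
---
kind: ServiceAccount
metadata:
  name: example-agent
  namespace: my-agent
---
kind: Role
metadata:
  name: example-leader-election
  namespace: default
---
kind: RoleBinding
metadata:
  name: example-leader-election
  namespace: default
roleRef:
  kind: Role
subjects:
  - kind: ServiceAccount
    name: example-agent
    namespace: my-agent
EOF
}
sample_render | find_ns_leaks my-agent
```

Against a real render, pipe the reproducer's output into it: helm template test api-syncagent/api-syncagent --version 0.4.2 --namespace my-agent | find_ns_leaks my-agent. Only top-level kind and metadata fields are read, so the namespace under a RoleBinding's subjects is not mistaken for the object's own.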
