forbidden: User "$SERVICE_ACCOUNT" cannot get path "/" #804

Open
roulettedares opened this issue Feb 12, 2021 · 3 comments
Labels
🪲 bug Something isn't working

Comments

roulettedares commented Feb 12, 2021

Bug report

Starting in krane 2.1.6, my k8s SA is hitting permissions issues. krane deploy works fine in 2.1.5.

Expected behavior:

[INFO][2021-02-12 01:56:07 +0000]
[INFO][2021-02-12 01:56:07 +0000]	------------------------------------------Result: SUCCESS-------------------------------------------
[INFO][2021-02-12 01:56:07 +0000]	Successfully deployed 11 resources
[INFO][2021-02-12 01:56:07 +0000]
[INFO][2021-02-12 01:56:07 +0000]	Successful resources

Actual behavior:

[WARN][2021-02-12 03:09:44 +0000]	The following command failed (attempt 5/5): kubectl get --raw / --context\=staging --request-timeout\=1
[WARN][2021-02-12 03:09:44 +0000]	Error from server (Forbidden): forbidden: User "system:serviceaccount:staging:deployer" cannot get path "/"

[INFO][2021-02-12 03:09:44 +0000]
[INFO][2021-02-12 03:09:44 +0000]	------------------------------------------Result: FAILURE-------------------------------------------
[FATAL][2021-02-12 03:09:44 +0000]	Error retrieving raw path /: error from server (forbidden): forbidden: user "system:serviceaccount:staging:deployer" cannot get path "/"
[FATAL][2021-02-12 03:09:44 +0000]

Version(s) affected: 2.1.6

Steps to Reproduce

  1. krane deploy staging staging --no-prune -f output/my-charttemplates/

This is the RBAC for my k8s SA:

kind: ClusterRole # limited to namespace by using 'RoleBinding'
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployer
rules:
  - apiGroups:
      - "*"
    resources:
      - configmaps
      - clusterrolebindings
      - clusterroles
      - customresourcedefinitions
      - deployments
      - events
      - horizontalpodautoscalers
      - ingresses
      - jobs
      - persistentvolumeclaims
      - persistentvolumes
      - pods
      - pods/log
      - replicasets
      - rolebindings
      - roles
      - secrets
      - serviceaccounts
      - services
      - statefulsets
    verbs:
      - create
      - get
      - list
      - patch
      - watch
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployer-all-ns
rules:
  - apiGroups:
      - "*"
    resources:
      - namespaces
      - customresourcedefinitions
    verbs:
      - get
      - list

I have also tried giving the k8s SA:

rules:
- nonResourceURLs:
  - /
  verbs:
  - get

Feature request

Proposal:
Document the additional RBAC required by krane 2.1.6
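As an added illustration (not code from this issue, from krane or from Kubernetes), a small Python model of how the RBAC authorizer treats the request krane now makes: `kubectl get --raw /` is a non-resource request, so the resource-based `deployer` ClusterRole above never matches it, and a `nonResourceURLs` rule only takes effect when its ClusterRole is bound with a ClusterRoleBinding, not with the namespaced RoleBinding mentioned in the YAML comment. The subject name is taken from the log above; the rule lists and bindings are constructed for the demonstration.

```python
from dataclasses import dataclass, field
@dataclass
class Rule:
    verbs: list
    api_groups: list = field(default_factory=list)
    resources: list = field(default_factory=list)
    non_resource_urls: list = field(default_factory=list)
@dataclass
class Binding:
    subject: str
    rules: list
    namespace: str = ""  # "" = ClusterRoleBinding; else a RoleBinding in that namespace
def _match(wanted, allowed):
    return "*" in allowed or wanted in allowed

def rule_allows(rule, verb, resource=None, api_group="", path=None):
    # path != None marks a non-resource request such as GET /
    if not _match(verb, rule.verbs):
        return False
    if path is not None:
        # nonResourceURLs match exactly, or by prefix when the entry ends in '*'
        return any(path == p or (p.endswith("*") and path.startswith(p[:-1]))
                   for p in rule.non_resource_urls)
    return _match(api_group, rule.api_groups) and _match(resource, rule.resources)

def can_i(bindings, user, verb, resource=None, api_group="", namespace="", path=None):
    for b in bindings:
        if b.subject != user:
            continue
        # A RoleBinding only reaches resource requests inside its own namespace;
        # "/" has no namespace, so only a ClusterRoleBinding can grant it.
        if b.namespace and (path is not None or b.namespace != namespace):
            continue
        if any(rule_allows(r, verb, resource, api_group, path) for r in b.rules):
            return True
    return False

SA = "system:serviceaccount:staging:deployer"  # subject from the issue's log
DEPLOYER = [Rule(verbs=["create", "get", "list", "patch", "watch"], api_groups=["*"],
                 resources=["configmaps", "deployments", "pods", "secrets", "services"])]
ROOT = Rule(verbs=["get"], non_resource_urls=["/"])  # the rule the reporter added

def scenario():
    # Same nonResourceURLs rule bound two ways (constructed); only the second works.
    rolebinding = [Binding(SA, DEPLOYER + [ROOT], namespace="staging")]
    clusterrolebinding = rolebinding + [Binding(SA, [ROOT])]
    return {
        "get pods in staging": can_i(rolebinding, SA, "get", "pods", namespace="staging"),
        "get / via RoleBinding": can_i(rolebinding, SA, "get", path="/"),
        "get / via ClusterRoleBinding": can_i(clusterrolebinding, SA, "get", path="/"),
    }
```

On a real cluster the equivalent check is `kubectl auth can-i get / --as=system:serviceaccount:staging:deployer`, which reports yes only once the `nonResourceURLs` rule is reachable through a ClusterRoleBinding.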

@roulettedares roulettedares changed the title forbidden: User "$SERVICE_ACCOUNT" cannot get path forbidden: User "$SERVICE_ACCOUNT" cannot get path "/" Feb 12, 2021
dturn (Contributor) commented Feb 12, 2021

I definitely think this is worth documenting. We've held off on a list of RBAC resources because krane will deploy/prune anything you give it, so there really isn't a list short of * that would work for everyone.

Would you be willing to PR something to our docs?

bazzargh commented Mar 1, 2021

We just hit this issue too, with a user updating to 2.1.7. Maybe worth mentioning our findings on the way here: that k8s rejected adding this permission to the standard discovery role (kubernetes/kubernetes#45366; we weren't sure if krane now targeted a newer k8s than we use, 1.16), and that the need for this to be documented was also mentioned in #778 (comment) (mentioning this to link the issues).

@timothysmith0609 timothysmith0609 self-assigned this Jul 22, 2021
@timothysmith0609 timothysmith0609 added the 🪲 bug Something isn't working label Jul 22, 2021
benlangfeld added a commit to powerhome/playbook that referenced this issue Sep 8, 2021
This gets us a newer version of krane (1.1.3 -> 2.2.0) which we think handles mismatched CRD versions within an apiGroup better.

See:
* Shopify/krane#804
* powerhome/nitro-web#21909
* powerhome/portal#125
* powerhome/incidents#8
* powerhome/pac#1180
benlangfeld added a commit to powerhome/playbook that referenced this issue Sep 9, 2021
sstein-maestro commented

Not sure if this issue is still active here, but I'm currently encountering the same error using krane 3.4.0 deploying to AWS EKS with a service account:
Error from server (Forbidden): forbidden: User "circleci.com" cannot get path "/"

Would anyone be able to clarify which permission needs to be added to the AWS user or role to resolve the issue? Thanks in advance.
