Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't start workspace (Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "mkdir-workspace9i8bnzy7uvrtp60c" is forbidden: User "system:serviceaccount:eclipse-che:che" cannot get resource "pods/log" in API group "" in the namespace "mtsmfm-che".) #20681

Closed
mtsmfm opened this issue Oct 22, 2021 · 3 comments
Closed

Can't start workspace (Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "mkdir-workspace9i8bnzy7uvrtp60c" is forbidden: User "system:serviceaccount:eclipse-che:che" cannot get resource "pods/log" in API group "" in the namespace "mtsmfm-che".) #20681

mtsmfm opened this issue Oct 22, 2021 · 3 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.
Milestone
7.41

Comments

@mtsmfm
Copy link
Contributor

mtsmfm commented Oct 22, 2021

Describe the bug

For some reason I met this error.

Failure executing: GET at: https://172.20.0.1/api/v1/namespaces/mtsmfm-che/pods/mkdir-workspace9i8bnzy7uvrtp60c/log?pretty=false. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "mkdir-workspace9i8bnzy7uvrtp60c" is forbidden: User "system:serviceaccount:eclipse-che:che" cannot get resource "pods/log" in API group "" in the namespace "mtsmfm-che".

Restarting workspace doesn't help.
Removing namespace can solve this problem but my persistent volumes will be lost.

Che version

7.37

Steps to reproduce

  1. Start workspace
  2. Stop workspace
  3. (Something is needed but I'm not sure the exact step to reproduce)
  4. Start workspace

Expected behavior

Workspace starts successfully

Runtime

Kubernetes (vanilla)

Screenshots

No response

Installation method

other (please specify in additional context)

Environment

Amazon

Eclipse Che Logs

No response

Additional context

Runtime is Amazon EKS.

We install che via argocd.
We use che-operator's manifests.

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: eclipse-che
resources:
  - https://raw.githubusercontent.com/eclipse-che/che-operator/7.37.0/config/crd/bases/org_v1_che_crd.yaml
  - https://raw.githubusercontent.com/eclipse-che/che-operator/7.37.0/config/crd/bases/org.eclipse.che_chebackupserverconfigurations_crd.yaml
  - https://raw.githubusercontent.com/eclipse-che/che-operator/7.37.0/config/crd/bases/org.eclipse.che_checlusterbackups_crd.yaml
  - https://raw.githubusercontent.com/eclipse-che/che-operator/7.37.0/config/crd/bases/org.eclipse.che_checlusterrestores_crd.yaml
  - https://raw.githubusercontent.com/eclipse-che/che-operator/7.37.0/config/rbac/cluster_role.yaml
  - https://raw.githubusercontent.com/eclipse-che/che-operator/7.37.0/config/rbac/cluster_rolebinding.yaml
  - https://raw.githubusercontent.com/eclipse-che/che-operator/7.37.0/config/manager/manager.yaml
  - https://raw.githubusercontent.com/eclipse-che/che-operator/7.37.0/config/rbac/role.yaml
  - https://raw.githubusercontent.com/eclipse-che/che-operator/7.37.0/config/rbac/role_binding.yaml
  - https://raw.githubusercontent.com/eclipse-che/che-operator/7.37.0/config/rbac/service_account.yaml
@mtsmfm mtsmfm added the kind/bug Outline of a bug - must adhere to the bug report template. label Oct 22, 2021
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Oct 22, 2021
@tolusha
Copy link
Contributor

tolusha commented Oct 24, 2021

I don't see if operator delegates this role to che service account.

[1] https://github.com/eclipse-che/che-operator/blob/main/controllers/che/workspace_namespace_permission.go#L251-L255

@ibuziuk ibuziuk added severity/P1 Has a major impact to usage or development of the system. area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator area/install Issues related to installation, including offline/air gap and initial setup and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Oct 25, 2021
@tolusha tolusha removed the area/install Issues related to installation, including offline/air gap and initial setup label Nov 4, 2021
@tolusha tolusha mentioned this issue Nov 29, 2021
Closed
28 tasks
@tolusha
Copy link
Contributor

tolusha commented Nov 30, 2021

I think we have to delegate edit cluster roles like was done here
https://github.com/eclipse-che/che-operator/blob/5c6d066f183f740be6075380026e5adc1339739d/pkg/controller/che/workspace_namespace_permission.go#L159-L168

@tolusha
Copy link
Contributor

tolusha commented Nov 30, 2021

Might be related
#20396

@tolusha tolusha modified the milestones: 7.40, 7.41 Dec 1, 2021
@tolusha tolusha mentioned this issue Dec 2, 2021
Merged
11 tasks
@tolusha tolusha closed this as completed Dec 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.
Projects
None yet
Milestone
7.41
Development

No branches or pull requests
4 participants
@ibuziuk @tolusha @mtsmfm @che-bot