Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

StatefulSet forbiddened to create CRD resource #257

Conversation

c3y1huang
Copy link

@c3y1huang c3y1huang commented Feb 17, 2020

What type of PR is this?

/kind bug
/kind cleanup

What this PR does / why we need it:
Snapshotter container CrashLoopBackOff due to missing RBAC rule.

$ kubectl -n kube-system get pod | grep snapshot
csi-hostpath-snapshotter-0                            0/1     CrashLoopBackOff   1          15s

$ kubectl -n kube-system logs csi-hostpath-snapshotter-0
I0217 08:56:00.847903       1 main.go:89] Version: v1.2.0-0-gb3f591d8
F0217 08:56:00.868923       1 create_crd.go:50] failed to create VolumeSnapshotResource: &v1beta1.CustomResourceDefinition{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"", GenerateName:"", Namespace:"", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Initializers:(*v1.Initializers)(nil), Finalizers:[]string(nil), ClusterName:"", ManagedFields:[]v1.ManagedFieldsEntry(nil)}, Spec:v1beta1.CustomResourceDefinitionSpec{Group:"", Version:"", Names:v1beta1.CustomResourceDefinitionNames{Plural:"", Singular:"", ShortNames:[]string(nil), Kind:"", ListKind:"", Categories:[]string(nil)}, Scope:"", Validation:(*v1beta1.CustomResourceValidation)(nil), Subresources:(*v1beta1.CustomResourceSubresources)(nil), Versions:[]v1beta1.CustomResourceDefinitionVersion(nil), AdditionalPrinterColumns:[]v1beta1.CustomResourceColumnDefinition(nil), Conversion:(*v1beta1.CustomResourceConversion)(nil)}, Status:v1beta1.CustomResourceDefinitionStatus{Conditions:[]v1beta1.CustomResourceDefinitionCondition(nil), AcceptedNames:v1beta1.CustomResourceDefinitionNames{Plural:"", Singular:"", ShortNames:[]string(nil), Kind:"", ListKind:"", Categories:[]string(nil)}, StoredVersions:[]string(nil)}}, err: &errors.StatusError{ErrStatus:v1.Status{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ListMeta:v1.ListMeta{SelfLink:"", ResourceVersion:"", Continue:""}, Status:"Failure", Message:"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:kube-system:csi-snapshotter\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope", Reason:"Forbidden", Details:(*v1.StatusDetails)(0xc000104240), Code:403}}

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Missing RBAC rule forbiddens to create CRD resource.
```
User \"system:serviceaccount:kube-system:csi-snapshotter\"
cannot create resource \"customresourcedefinitions\" in API
group \"apiextensions.k8s.io\" at the cluster scope",
Reason:"Forbidden"
```

Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com>
@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 17, 2020
@k8s-ci-robot
Copy link
Contributor

Welcome @c3y1huang!

It looks like this is your first PR to kubernetes-csi/external-snapshotter 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-csi/external-snapshotter has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Feb 17, 2020
@k8s-ci-robot
Copy link
Contributor

Hi @c3y1huang. Thanks for your PR.

I'm waiting for a kubernetes-csi member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: c3y1huang
To complete the pull request process, please assign lpabon
You can assign the PR to them by writing /assign @lpabon in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Feb 17, 2020
@xing-yang
Copy link
Collaborator

Are you testing external-snapshotter version 1.2.0? If so, please use earlier version of rbac file: https://github.com/kubernetes-csi/external-snapshotter/blob/release-1.2/deploy/kubernetes/rbac.yaml#L50

The yaml files in the master support external-snapshotter 2.0 and higher where CRDs are no longer deployed by the csi-snapshotter.

@c3y1huang
Copy link
Author

Awesome, Thanks!

@c3y1huang c3y1huang closed this Feb 17, 2020
andyzhangx added a commit to andyzhangx/external-snapshotter that referenced this pull request Aug 14, 2024
988496a1f Merge pull request kubernetes-csi#257 from jakobmoellerdev/csi-prow-sidecar-e2e-path
028f8c698 chore: bump to Go 1.22.5
69bd71e8a chore: add CSI_PROW_SIDECAR_E2E_PATH

git-subtree-dir: release-tools
git-subtree-split: 988496a1fc3849ed793e03012fdd56813d13d46c
andyzhangx added a commit to andyzhangx/external-snapshotter that referenced this pull request Aug 14, 2024
988496a1f Merge pull request kubernetes-csi#257 from jakobmoellerdev/csi-prow-sidecar-e2e-path
028f8c698 chore: bump to Go 1.22.5
69bd71e8a chore: add CSI_PROW_SIDECAR_E2E_PATH
f40f0cc Merge pull request kubernetes-csi#256 from solumath/master
cfa9210 Instruction update
379a1bb Merge pull request kubernetes-csi#255 from humblec/sidecar-md
a5667bb fix typo in sidecar release process
4967685 Merge pull request kubernetes-csi#254 from bells17/add-github-actions
d9bd160 Update skip list in codespell GitHub Action
f5aebfc Add GitHub Actions workflows

git-subtree-dir: release-tools
git-subtree-split: 988496a1fc3849ed793e03012fdd56813d13d46c
dfajmon added a commit to dfajmon/external-snapshotter that referenced this pull request Aug 14, 2024
988496a1 Merge pull request kubernetes-csi#257 from jakobmoellerdev/csi-prow-sidecar-e2e-path
028f8c69 chore: bump to Go 1.22.5
69bd71e8 chore: add CSI_PROW_SIDECAR_E2E_PATH

git-subtree-dir: release-tools
git-subtree-split: 988496a1fc3849ed793e03012fdd56813d13d46c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. release-note-none Denotes a PR that doesn't merit a release note. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants