This repository has been archived by the owner on Jan 18, 2024. It is now read-only.
TimescaleDB Single ServiceAccount missing create:service permission #599
Status: Open
Labels: bug (Something isn't working)
geilername added a commit to geilername/timescale-helm-charts that referenced this issue (Mar 29, 2023)
Signed-off-by: Maximilian Marschall <maximilian.marschall@3xm.at>
I'm having this problem as well. More specifically `kubectl logs tobs0-timescaledb-1`

```
2023-04-06 05:18:27,510 ERROR: create_config_service failed
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 950, in _create_config_service
    if not self._api.create_namespaced_service(self._namespace, body):
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 483, in wrapper
    return getattr(self._core_v1_api, func)(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 419, in wrapper
    return self._api_client.call_api(method, path, headers, body, **kwargs)
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 388, in call_api
    return self._handle_server_response(response, _preload_content)
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 218, in _handle_server_response
    raise k8s_client.rest.ApiException(http_resp=response)
patroni.dcs.kubernetes.K8sClient.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'a173ae86-3dfd-4d3b-99bd-4d6b4b4060d7', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '26e83d07-726c-450e-ba7d-5196d84b714d', 'X-Kubernetes-Pf-Prioritylevel-Uid': 'e50744da-a79f-42da-bd7d-0dc68624af3e', 'Date': 'Thu, 06 Apr 2023 05:18:27 GMT', 'Content-Length': '318'})
HTTP response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"services is forbidden: User \\"system:serviceaccount:observability:tobs0-timescaledb\\" cannot create resource \\"services\\" in API group \\"\\" in the namespace \\"observability\\"","reason":"Forbidden","details":{"kind":"services"},"code":403}\n
```
Got by this particular bug via `kubectl edit role tobs0-timescaledb`

```yaml
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - services # <-- added this
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
  - delete
```
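The check below is an added example, not code from this thread or from the chart: it parses the `Forbidden` Status body from the log to recover the denied (verb, resource) pair, tests it against the Role rules before and after the edit, and lists which other verbs the edited rule also grants on `services`. The function names are hypothetical, the "before" rule is assumed to be the rule shown above without `services`, and the matcher is simplified (it ignores `resourceNames` and subresources).

```python
import json
import re

# Constructed sample: the Status body from the 403 in the log above.
STATUS_BODY = json.dumps({
    "kind": "Status", "status": "Failure", "reason": "Forbidden", "code": 403,
    "message": 'services is forbidden: User "system:serviceaccount:observability:tobs0-timescaledb" '
               'cannot create resource "services" in API group "" in the namespace "observability"',
})

DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)

def parse_denial(body):
    """Return who was denied which verb on which resource, or None if not a parsable 403."""
    status = json.loads(body)
    if status.get("code") != 403:
        return None
    m = DENIAL.search(status.get("message", ""))
    return m.groupdict() if m else None

def _covers(granted, wanted):
    return "*" in granted or wanted in granted

def role_allows(rules, verb, resource, group=""):
    """True if one rule grants verb on resource in group (RBAC rules are additive, allow-only)."""
    return any(
        _covers(r.get("apiGroups", []), group)
        and _covers(r.get("resources", []), resource)
        and _covers(r.get("verbs", []), verb)
        for r in rules
    )

VERBS = ["create", "get", "list", "patch", "update", "watch", "delete"]
# Assumed "before" rule (the rule from the comment minus services) and the edited rule.
RULES_BEFORE = [{"apiGroups": [""], "resources": ["configmaps"], "verbs": VERBS}]
RULES_AFTER = [{"apiGroups": [""], "resources": ["configmaps", "services"], "verbs": VERBS}]

def extra_verbs(rules, resource, needed, group=""):
    """Verbs granted on resource beyond those in needed: what to review before keeping the edit."""
    return sorted(v for v in VERBS if v not in needed and role_allows(rules, v, resource, group))

if __name__ == "__main__":
    d = parse_denial(STATUS_BODY)
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(name, role_allows(rules, d["verb"], d["resource"], d["group"]))
    print("also granted on services:", extra_verbs(RULES_AFTER, d["resource"], {d["verb"]}))
```

Against a live cluster, `kubectl auth can-i create services --as=system:serviceaccount:observability:tobs0-timescaledb -n observability` answers the same allow/deny question for the ServiceAccount named in the log.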
If you have charts locally you can just add in
I met the same issue. Thanks for the information from @joschiwald at #601 (comment)! 😃

I succeeded using new

```
helm upgrade \
  timescale \
  timescaledb-single \
  --install \
  --repo=https://charts.timescale.com \
  --namespace=my-timescale \
  --create-namespace \
  --values=my-values.yaml
```

my-values.yaml

```yaml
image:
  repository: timescale/timescaledb-ha
  tag: pg15.2-ts2.10.2-patroni-dcs-failsafe-p0
```

without any errors.
Think this is related to #554. Any update as to when the default helm install will use these updated container images?
What happened?
Deployed timescaledb-single chart and was receiving multiple restarts of the primary node. Upon inspecting the logs I saw
I manually added privileges to the Role for services and the error went away.
Did you expect to see something different?
That there shouldn't be an error.
How to reproduce it (as minimally and precisely as possible):
Deploy the chart?
Environment
Which helm chart and what version are you using?
timescaledb-single 0.30.0
What is in your `values.yaml`?
Kubernetes version information:
kubectl version
AWS EKS via terraform
Anything else we need to know?: