Missing permissions for cloud-controller-manager service account #190

Closed
fad3t opened this issue Oct 3, 2024 · 2 comments · Fixed by #191 or nutanix/helm#156

fad3t commented Oct 3, 2024

/kind bug

I'm seeing the following messages in the logs of the cloud controller manager pod:

```
W1003 08:14:44.422834       1 reflector.go:547] k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot list resource "services" in API group "" at the cluster scope
E1003 08:14:44.422873       1 reflector.go:150] k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot list resource "services" in API group "" at the cluster scope
```

I can prepare a PR that updates the RBAC configuration and adds the missing permission, but I wanted to ask first if this is expected?

  • cloud-provider-nutanix version: v0.4.1
  • Kubernetes version: (use kubectl version): v1.29.5
  • OS (e.g. from /etc/os-release): ubuntu 22.04
@nutanix-cn-prow-bot

@fad3t: The label(s) kind/bug cannot be applied, because the repository doesn't have them.

In response to this:

/kind bug

I'm seeing the following messages in the logs of the cloud controller manager pod:

```
W1003 08:14:44.422834       1 reflector.go:547] k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot list resource "services" in API group "" at the cluster scope
E1003 08:14:44.422873       1 reflector.go:150] k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot list resource "services" in API group "" at the cluster scope
```

I can prepare a PR that updates the RBAC configuration and adds the missing permission, but I wanted to ask first if this is expected?

  • cloud-provider-nutanix version: v0.4.1
  • Kubernetes version: (use kubectl version): v1.29.5
  • OS (e.g. from /etc/os-release): ubuntu 22.04

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

thunderboltsid pushed a commit that referenced this issue Dec 16, 2024
**What this PR does / why we need it**:
Add services RO permission to the `system:cloud-controller-manager`
cluster role.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(,
fixes #<issue_number>, ...)` format, will close the issue(s) when PR
gets merged)*:
Fixes #190 

**Release note**:
<!--  Write your release note:
1. Enter your extended release note in the below block. If the PR
requires additional action from users switching to the new release,
include the string "action required".
2. If no release note is required, just write "NONE".
-->
```release-note
fix(rbac): allow cloud controller manager to read services
```
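
Added example, not part of the issue or of the project's code: a small parser that turns RBAC denials like the ones in the log above into the narrowest rule that would clear them, so a reviewer can compare it with what a fix actually grants. The function name `missing_rules`, the output layout and the sample lines (shortened from the issue, plus one constructed namespaced denial) are assumptions; adding `watch` next to `list` for reflector lines reflects that a client-go reflector lists and then watches. The page does not show which verbs the merged fix grants.

```python
import re

# Shape of the API server's denial message as it appears in the log lines above.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

CCM = "system:serviceaccount:kube-system:cloud-controller-manager"

# Constructed sample: the issue's two lines with the file path shortened,
# plus one made-up namespaced denial to show the other scope form.
SAMPLE_LOG = "\n".join([
    'W1003 08:14:44.422834 1 reflector.go:547] failed to list *v1.Service: services is '
    f'forbidden: User "{CCM}" cannot list resource "services" in API group "" at the cluster scope',
    'E1003 08:14:44.422873 1 reflector.go:150] Failed to watch *v1.Service: failed to list '
    f'*v1.Service: services is forbidden: User "{CCM}" cannot list resource "services" '
    'in API group "" at the cluster scope',
    'E1003 08:15:00.000000 1 example.go:1] leases.coordination.k8s.io is forbidden: '
    'User "system:serviceaccount:demo:example" cannot get resource "leases" '
    'in API group "coordination.k8s.io" in the namespace "demo"',
])


def missing_rules(log_text):
    """Return one minimal RBAC rule per (subject, scope, group, resource)."""
    verbs = {}
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        scope = m["ns"] or "cluster"  # "cluster" => ClusterRole, else a Role in that namespace
        seen = verbs.setdefault((m["user"], scope, m["group"], m["resource"]), set())
        seen.add(m["verb"])
        # The watch denial never reaches the log because the list fails first,
        # so infer it for lines emitted by the reflector.
        if m["verb"] == "list" and "reflector.go" in line:
            seen.add("watch")
    return [
        {"subject": user, "scope": scope,
         "rule": {"apiGroups": [group], "resources": [res], "verbs": sorted(v)}}
        for (user, scope, group, res), v in sorted(verbs.items())
    ]


if __name__ == "__main__":
    for entry in missing_rules(SAMPLE_LOG):
        print(entry)
```
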