fix(agents): grant agents-api serviceaccounts/configmaps:get to stop 502 on session launch#665
Merged
ExtraToast merged 1 commit intoJun 15, 2026
Conversation
…et to stop 502 on session launch Every session launch (and setup-options / restart) runs the Fabric8RunnerBindingInventory.inspect() preflight, which does a `get` on the runner ServiceAccount and the mcp-servers ConfigMap. The namespaced agents-api-runner-controller Role grants pods/pvc/secrets/ services but not serviceaccounts or configmaps, so that get throws a 403 that KubernetesExceptionHandler maps to a 502 — breaking every session launch: serviceaccounts "agent-runner" is forbidden: User "system:serviceaccount:agents-system:agents-api" cannot get resource "serviceaccounts" in API group "" in the namespace "agents-system" Unlike the cluster-scoped nodes:list check (handled by the agents-api-node-reader ClusterRole + graceful degradation), these are namespaced resources the Role can and should grant. Add both: serviceaccounts fails first, configmaps is the next inspect() check, so granting only one would just move the 502 one line down. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Every Claude session launch returns HTTP 502:
The agents-api pod logs show the real cause — an RBAC denial, not a node-selector issue:
On every session launch (and setup-options / restart),
Fabric8RunnerBindingInventory.inspect()runs a preflight that does ageton the runner ServiceAccount and the mcp-servers ConfigMap. The namespacedagents-api-runner-controllerRole grantspods/pvc/secrets/servicesbut notserviceaccountsorconfigmaps, so thegetthrows a 403 thatKubernetesExceptionHandlermaps to a 502.This is distinct from the earlier
nodes:listfix (#661):nodesis cluster-scoped and handled by theagents-api-node-readerClusterRole + graceful degradation.serviceaccounts/configmapsare namespaced resources this Role can and should grant.Fix
Add a read-only rule for
serviceaccounts+configmapsto the namespaced Role. Both are included deliberately:serviceaccountsfails first, andconfigmapsis the very nextinspect()check — granting only one would just move the 502 one line down.Verification
kubectl auth can-iagainst the agents-api SA before the change:Manifest validated with
kubectl apply --dry-run=server(configured cleanly). Flux reconciles the grant on merge.🤖 Generated with Claude Code