Skip to content

fix(agents): grant agents-api serviceaccounts/configmaps:get to stop 502 on session launch#665

Merged
ExtraToast merged 1 commit into
mainfrom
fix/agents-api-serviceaccounts-configmaps-rbac-502
Jun 15, 2026
Merged

fix(agents): grant agents-api serviceaccounts/configmaps:get to stop 502 on session launch#665
ExtraToast merged 1 commit into
mainfrom
fix/agents-api-serviceaccounts-configmaps-rbac-502

Conversation

@ExtraToast

Copy link
Copy Markdown
Owner

Problem

Every Claude session launch returns HTTP 502:

POST /api/v1/workspaces/{id}/sessions → 502

The agents-api pod logs show the real cause — an RBAC denial, not a node-selector issue:

serviceaccounts "agent-runner" is forbidden: User
"system:serviceaccount:agents-system:agents-api" cannot get resource
"serviceaccounts" in API group "" in the namespace "agents-system"

On every session launch (and setup-options / restart), Fabric8RunnerBindingInventory.inspect() runs a preflight that does a get on the runner ServiceAccount and the mcp-servers ConfigMap. The namespaced agents-api-runner-controller Role grants pods/pvc/secrets/services but not serviceaccounts or configmaps, so the get throws a 403 that KubernetesExceptionHandler maps to a 502.

This is distinct from the earlier nodes:list fix (#661): nodes is cluster-scoped and handled by the agents-api-node-reader ClusterRole + graceful degradation. serviceaccounts/configmaps are namespaced resources this Role can and should grant.

Fix

Add a read-only rule for serviceaccounts + configmaps to the namespaced Role. Both are included deliberately: serviceaccounts fails first, and configmaps is the very next inspect() check — granting only one would just move the 502 one line down.

Verification

kubectl auth can-i against the agents-api SA before the change:

get serviceaccounts: no
get configmaps:      no
get pods (sanity):   yes

Manifest validated with kubectl apply --dry-run=server (configured cleanly). Flux reconciles the grant on merge.

🤖 Generated with Claude Code

…et to stop 502 on session launch

Every session launch (and setup-options / restart) runs the
Fabric8RunnerBindingInventory.inspect() preflight, which does a `get`
on the runner ServiceAccount and the mcp-servers ConfigMap. The
namespaced agents-api-runner-controller Role grants pods/pvc/secrets/
services but not serviceaccounts or configmaps, so that get throws a
403 that KubernetesExceptionHandler maps to a 502 — breaking every
session launch:

  serviceaccounts "agent-runner" is forbidden: User
  "system:serviceaccount:agents-system:agents-api" cannot get resource
  "serviceaccounts" in API group "" in the namespace "agents-system"

Unlike the cluster-scoped nodes:list check (handled by the
agents-api-node-reader ClusterRole + graceful degradation), these are
namespaced resources the Role can and should grant. Add both:
serviceaccounts fails first, configmaps is the next inspect() check, so
granting only one would just move the 502 one line down.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ExtraToast ExtraToast merged commit c8f56d1 into main Jun 15, 2026
24 checks passed
@ExtraToast ExtraToast deleted the fix/agents-api-serviceaccounts-configmaps-rbac-502 branch June 15, 2026 13:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant