Permissions which are required for the persistence are not optional for non-persistence clusters #22538

Closed
hasancelik opened this issue Oct 19, 2022 · 0 comments · Fixed by #22539

Comments

@hasancelik
Contributor

Newly introduced k8s persistence improvements required a new set of RBAC permissions. Still, our k8s discovery plugin is trying to use those endpoints even if the user does not enable the persistence for the cluster.

related to #21844

Exception in thread "hz-k8s-sts-monitor" com.hazelcast.spi.exception.RestClientException: Failure executing: GET at: https://kubernetes.default.svc/apis/apps/v1/namespaces/default/statefulsets. Message: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"statefulsets.apps is forbidden: User \"system:serviceaccount:default:hazelcast\" cannot list resource \"statefulsets\" in API group \"apps\" in the namespace \"default\"","reason":"Forbidden","details":{"group":"apps","kind":"statefulsets"},"code":403}. HTTP Error Code: 403
        at com.hazelcast.spi.utils.RestClient.checkResponseCode(RestClient.java:227)
        at com.hazelcast.spi.utils.RestClient.call(RestClient.java:164)
        at com.hazelcast.spi.utils.RestClient.lambda$callWithRetries$0(RestClient.java:134)
        at com.hazelcast.spi.utils.RetryUtils.retry(RetryUtils.java:65)
        at com.hazelcast.spi.utils.RetryUtils.retry(RetryUtils.java:51)
        at com.hazelcast.spi.utils.RestClient.callWithRetries(RestClient.java:134)
        at com.hazelcast.spi.utils.RestClient.get(RestClient.java:126)
        at com.hazelcast.kubernetes.KubernetesClient.lambda$callGet$0(KubernetesClient.java:545)
        at com.hazelcast.spi.utils.RetryUtils.retry(RetryUtils.java:65)
        at com.hazelcast.kubernetes.KubernetesClient.callGet(KubernetesClient.java:541)
        at com.hazelcast.kubernetes.KubernetesClient.access$200(KubernetesClient.java:53)
        at com.hazelcast.kubernetes.KubernetesClient$StsMonitor.run(KubernetesClient.java:711)
        at java.base/java.lang.Thread.run(Thread.java:829)
@hasancelik hasancelik added this to the 5.2.0 milestone Oct 19, 2022
vbekiaris added a commit that referenced this issue Oct 19, 2022
The kubernetes statefulset monitor thread should be only started
when clusterTopologyIntentTracker is not null and is enabled.
Fixes #22538 

Also update kubernetes-rbac.yaml, adding rules to allow access
for watching statefulsets which is required when using Hazelcast EE
with persistence enabled for automatic cluster state management.
vbekiaris added a commit to vbekiaris/hazelcast that referenced this issue Oct 19, 2022
The kubernetes statefulset monitor thread should be only started
when clusterTopologyIntentTracker is not null and is enabled.
Fixes hazelcast#22538

Also update kubernetes-rbac.yaml, adding rules to allow access
for watching statefulsets which is required when using Hazelcast EE
with persistence enabled for automatic cluster state management.

(cherry picked from commit f84956f)
vbekiaris added a commit that referenced this issue Oct 20, 2022
The kubernetes statefulset monitor thread should be only started when
clusterTopologyIntentTracker is not null and is enabled. Fixes #22538

Also update kubernetes-rbac.yaml, adding rules to allow access for
watching statefulsets which is required when using Hazelcast EE with
persistence enabled for automatic cluster state management.

(cherry picked from commit f84956f)
1:1 clean backport of #22539
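
The permission this thread is about, written out as an added example (not the project's kubernetes-rbac.yaml): a namespaced Role and RoleBinding covering only the request denied in the stack trace, meant for clusters that run with persistence enabled. The Role and RoleBinding names are hypothetical, and the verb set is an assumption taken from the 403 message ("list") and the commit message ("watching statefulsets").

```yaml
# Added example. Namespace, service account, API group and resource are
# copied from the 403 message in the issue; object names are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hazelcast-statefulset-watch    # hypothetical name
  namespace: default                   # namespace named in the 403 message
rules:
  - apiGroups: ["apps"]                # API group named in the 403 message
    resources: ["statefulsets"]
    # "list" is the verb that was denied; "watch" follows the commit message.
    # No write verbs and no other resources are granted here.
    verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: hazelcast-statefulset-watch    # hypothetical name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: hazelcast                    # from system:serviceaccount:default:hazelcast
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: hazelcast-statefulset-watch
# Check the effective permission for the service account with:
#   kubectl auth can-i list statefulsets.apps -n default \
#     --as=system:serviceaccount:default:hazelcast
```

With the fix described in the commit messages, a cluster without persistence does not start the statefulset monitor, so this binding can be left out there and the `can-i` check is expected to answer "no".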