Add watch permission for services #2352
Signed-off-by: Burak Ok <burakok@microsoft.com>
LGTM from code inspection.
Hi! I would like to test it, any way to do so? Best regards.
Correct. Best way would be to check on main and then check with this PR.
LGTM from code inspection too.
Additionally you need to start a gadget which uses the Cache. So something like
I tested it and I do not have the error message with your commit:
```bash
# On main
$ ./kubectl-gadget trace tcp -A | head -5 main % u=
K8S.NODE K8S.NAMESPACE K8S.POD K8S.CONTAINER T PID COMM IP SRC DST
minikube-docker kube-system coredns-6d4b75cb6d-g7gf7 coredns C 55683 coredns 4 r/127.0.0.1:56420 r/127.0.0.1:8080
minikube-docker kube-system coredns-6d4b75cb6d-g7gf7 coredns X 55683 coredns 6 r/::ffff:127.0.0.1:8080 r/::ffff:127.0.0.1:56420
minikube-docker kube-system coredns-6d4b75cb6d-g7gf7 coredns X 55683 coredns 4 r/127.0.0.1:56420 r/127.0.0.1:8080
minikube-docker kube-system coredns-6d4b75cb6d-g7gf7 coredns A 55683 coredns 6 r/::ffff:127.0.0.1:8080
$ kubectl logs -n gadget gadget-zs4tx | grep 'Failed to watch' main % u=
E0111 11:12:11.271750 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.0/tools/cache/reflector.go:229: Failed to watch *v1.Service: unknown (get services)
E0111 11:12:12.447033 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.0/tools/cache/reflector.go:229: Failed to watch *v1.Service: unknown (get services)
# With your commit.
$ ./kubectl-gadget trace tcp -A | head -5 burak/kubecache/perm % u=
K8S.NODE K8S.NAMESPACE K8S.POD K8S.CONTAINER T PID COMM IP SRC DST
minikube-docker kube-system kube-apiserver-minikube-docker kube-apiserver A 54998 kube-apiserver 6 r/::ffff:192.168.49.2:8443 r/::ffff:192.168.49.2:47280
minikube-docker kube-system kube-apiserver-minikube-docker kube-apiserver X 54998 kube-apiserver 6 r/::ffff:192.168.49.2:8443 r/::ffff:192.168.49.2:47280
minikube-docker kube-system kube-scheduler-minikube-docker kube-scheduler A 54996 kube-scheduler 4 r/127.0.0.1:10259 r/127.0.0.1:46364
minikube-docker kube-system kube-scheduler-minikube-docker kube-scheduler X 54996 kube-scheduler 4 r/127.0.0.1:10259
$ kubectl logs -n gadget gadget-9xbtb | grep 'Failed to watch'
$
```
Can you please just add a `Fixes:` tag to the second commit?
Fixes: 0071cee
Signed-off-by: Burak Ok <burakok@microsoft.com>
7c4fb97 to 17a94b4
After #2347 changed the way we keep an up-to-date list of all pods and services (watchers instead of polling), everything seems to work.
IPs get resolved successfully to pod names and service names.
But in the gadget logs we see the following:
1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.0/tools/cache/reflector.go:229: Failed to watch *v1.Service: unknown (get services)
This PR adds the missing watch permissions for our ServiceAccount.
(I also added logging of the returned errors, but in this case they didn't help at all and logged nothing -> no error)
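
A least-privilege check for the gap described above, as an added example that is not part of this PR or the project's code: a client-go informer lists a resource once and then watches it, so every informed resource needs both verbs. The `Before` and `After` rule sets are constructed assumptions rather than the project's manifest, and the evaluator is simplified (it ignores `resourceNames` and subresources).

```go
package main

import "fmt"

// Rule holds the RBAC PolicyRule fields that matter for this check.
type Rule struct{ APIGroups, Resources, Verbs []string }

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants verb on group/resource.
func Allowed(rules []Rule, group, resource, verb string) bool {
	for _, r := range rules {
		if has(r.APIGroups, group) && has(r.Resources, resource) && has(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// MissingInformerVerbs returns the informer verbs (list, watch) not granted on a resource.
func MissingInformerVerbs(rules []Rule, group, resource string) []string {
	var missing []string
	for _, verb := range []string{"list", "watch"} {
		if !Allowed(rules, group, resource, verb) {
			missing = append(missing, verb)
		}
	}
	return missing
}

// Before and After are constructed rule sets (assumed), core API group "".
var Before = []Rule{
	{[]string{""}, []string{"pods"}, []string{"get", "list", "watch"}},
	{[]string{""}, []string{"services"}, []string{"get", "list"}},
}
var After = []Rule{{[]string{""}, []string{"pods", "services"}, []string{"get", "list", "watch"}}}

func main() {
	fmt.Println("before:", MissingInformerVerbs(Before, "", "services"))
	fmt.Println("after: ", MissingInformerVerbs(After, "", "services"))
}
```

Running a check like this over the rendered ClusterRole in CI catches a missing verb before it surfaces only as a reflector error in the pod logs.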