Environmental Info:
K3s Version: v1.29.3+k3s1 (8aecc26)
Node(s) CPU architecture, OS, and Version: Linux i10se12 5.14.21-150500.55.59-default #1 SMP PREEMPT_DYNAMIC Thu Apr 18 12:59:33 UTC 2024 (e8ae24a) aarch64 aarch64 aarch64 GNU/Linux
Cluster Configuration:
one server, one agent
Describe the bug:
Etcd3 supports role-based access control. Upon enabling authentication, k3s throws "permission denied" errors against etcd and ultimately dies.
Steps To Reproduce:
k3s is installed via the k3s binary. No datastore configurations are used, i.e. the embedded etcd is used.
Enable etcd authentication via:
$ etcdctl $PARAMS auth enable
Expected behavior:
Enabling RBAC authentication and being able to still use k3s or configure it to work.
Actual behavior:
K3s throws "permission denied" errors against etcd and ultimately dies. A snapshot from before enabling RBAC has to be loaded in order to revive the system.
Additional context / logs:
Debug journal logs:
Jun 06 16:04:46 i10se12 k3s-arm64[91813]: {"level":"info","ts":"2024-06-06T16:04:46.864101+0200","caller":"auth/store.go:257","msg":"enabled authentication"}
Jun 06 16:04:47 i10se12 k3s-arm64[91813]: {"level":"error","ts":"2024-06-06T16:04:47.323434+0200","caller":"auth/store.go:866","msg":"cannot find a user for permission check","user-name":"etcd-client","stacktrace":[...]}
Jun 06 16:04:47 i10se12 k3s-arm64[91813]: {"level":"error","ts":"2024-06-06T16:04:47.548493+0200","caller":"auth/store.go:866","msg":"cannot find a user for permission check","user-name":"etcd-client","stacktrace":[...]}
Jun 06 16:04:47 i10se12 k3s-arm64[91813]: E0606 16:04:47.548908 91813 status.go:71] apiserver received an error that is not an metav1.Status: rpctypes.EtcdError{code:0x7, desc:"etcdserver: permission denied"}: etcdserver: permission denied
[...]
The goal of enabling RBAC is to create a new etcd role & user which governs a custom prefix for application-specific tasks. The application using fields behind that prefix should not have access to the whole etcd key range, but just to its own key range, hence the dedicated role.
Is there a way to achieve such a setup with k3s + embedded etcd?
No. Also, it is not supported to use the managed etcd datastore for things other than the k3s apiserver. If you want an etcd store to use for your application, stand up a separate etcd cluster for that specific use.
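Added example, not code from the issue or from the k3s or etcd projects: a Python model of how etcd turns the prefix-scoped grant the reporter describes into a [key, range_end) interval and how the auth store then decides a request, which is the same check that produced the "permission denied" in the logs above once the k3s connection (user-name etcd-client) no longer mapped to any etcd user. The role, prefix and key names are constructed; the point is that a role granted only /myapp/ can never reach the /registry/ keys the apiserver uses, and how the range computation handles 0xff bytes.

```python
# Added example, not code from the issue or from the k3s or etcd projects. It
# models how etcd turns an "etcdctl role grant-permission --prefix=true" grant
# into a [key, range_end) interval and how the auth store then checks a request
# against a role. Role, prefix and key names below are constructed.
from dataclasses import dataclass

OPEN_END = b"\x00"  # etcd's range_end sentinel meaning "every key >= key"
PERM_TYPES = {"read": {"read"}, "write": {"write"}, "readwrite": {"read", "write"}}

def prefix_range_end(prefix: bytes) -> bytes:
    """Exclusive range_end for a prefix grant: bump the last byte below 0xff
    and drop everything after it, so b"/myapp/" -> b"/myapp0". A prefix made
    only of 0xff bytes has no successor, so etcd uses the open-ended sentinel."""
    end = bytearray(prefix)
    for i in range(len(end) - 1, -1, -1):
        if end[i] < 0xFF:
            end[i] += 1
            return bytes(end[: i + 1])
    return OPEN_END

@dataclass(frozen=True)
class Perm:
    key: bytes
    range_end: bytes  # exclusive bound, or OPEN_END for unbounded
    perm_type: str  # "read", "write" or "readwrite"

    def covers(self, key: bytes, range_end: bytes, want: str) -> bool:
        """True if the request interval [key, range_end) lies inside this grant."""
        if want not in PERM_TYPES[self.perm_type] or key < self.key:
            return False
        if self.range_end == OPEN_END:
            return True
        return range_end != OPEN_END and range_end <= self.range_end

def grant_prefix(perm_type: str, prefix: bytes) -> Perm:
    """What `etcdctl role grant-permission --prefix=true ROLE TYPE PREFIX` stores."""
    return Perm(prefix, prefix_range_end(prefix), perm_type)

def is_allowed(role: list, key: bytes, want: str, range_end: bytes = b"") -> bool:
    """Check a single-key request (empty range_end, treated as [key, key+\\x00))
    or a range request against the role's grants. Simplification: etcd first
    merges a role's grants into a union; here each grant is checked alone,
    which is exact for a role holding a single prefix grant."""
    if not range_end:
        range_end = key + b"\x00"
    return any(p.covers(key, range_end, want) for p in role)
```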