Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: cannot bind workspaces to location workspace #2597

Closed
kasturinarra opened this issue Jan 11, 2023 · 6 comments · Fixed by #2618
Closed

bug: cannot bind workspaces to location workspace #2597

kasturinarra opened this issue Jan 11, 2023 · 6 comments · Fixed by #2618
Assignees
@qiujian16
Labels
area/transparent-multi-cluster Related to scheduling of workloads into pclusters. kind/bug Categorizes issue or PR as related to a bug.

Comments

@kasturinarra
Copy link
Contributor

kasturinarra commented Jan 11, 2023
edited
Loading

Describe the bug

when trying to bind workspace to location workspace below error is seen
error: apibindings.apis.kcp.dev "kubernetes-1pre20xf" is forbidden: unable to create APIImport: no permission to bind to export "kubernetes"

Steps To Reproduce

  1. Go to user home workspace
  2. create new kcp workspace called qe-experiment
  3. kcp workload sync command to add sync target
  4. wait for synctarget to be ready
  5. create deployment in the same ws qe-experiment , deployment in 0/1 state
  6. Bind using the command kubectl kcp bind compute "root:users:lw:ao:rh-sso-knarrakcp:qe-experiment"

Expected Behaviour

workspace should be binded to location workspace

Additional Context

No response
@kasturinarra kasturinarra added the kind/bug Categorizes issue or PR as related to a bug. label Jan 11, 2023
@stevekuznetsov
Copy link
Contributor

stevekuznetsov commented Jan 11, 2023
edited
Loading

@kasturinarra what version of kcp are you using? And what version of kubectl kcp plugin?

@kasturinarra
Copy link
Contributor Author

kasturinarra commented Jan 12, 2023
edited
Loading

@kasturinarra what version of kcp are you using? And what version of kubectl kcp plugin?

@stevekuznetsov both are v0.10.0, since cluster is gone, cannot paste kcp version and pasting kubectl kcp plugin version.

[knarra@knarra ~]$ kubectl kcp --version
kcp version v1.24.3+kcp-v0.10.0

@qiujian16
Copy link
Contributor

is location workspace also qe-experiment? I think you run sync command against qe-experiment workspace?

@kasturinarra
Copy link
Contributor Author

is location workspace also qe-experiment? I think you run sync command against qe-experiment workspace?

yes, location workspace also qe-experiment.

@kasturinarra
Copy link
Contributor Author

is location workspace also qe-experiment? I think you run sync command against qe-experiment workspace?

yes, location workspace also qe-experiment.

Just an FYI, i tried with two workspaces one for compute and another for workloads but still hit same issue.

@kasturinarra
Copy link
Contributor Author

kasturinarra commented Jan 12, 2023
edited
Loading

Thanks to @ncdc and @davidfestal we were finally able to root cause the issue.

After performing steps below i see that i could successfully bind workspaces to location workspace.

  1. create a clusterrole in root:compute workspace and yaml for the clusterrole looks something like below
[knarra@knarra kcp]$ cat /tmp/clusterrole.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:kcp:apiexport:tenancy:bind
rules:
- apiGroups: ["apis.kcp.dev"]
  resources:
  - "apiexports"
  resourceNames:
  - "kubernetes"
  verbs: ["bind"]
  1. create clusterrolebinding in root:compute workspace and yaml for the clusterrolebinding would look something like below
[knarra@knarra kcp]$ cat /tmp/clusterrolebinding.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:kcp:authenticated:apiexport:tenancy:bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kcp:apiexport:tenancy:bind
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
  1. Now run the kcp bind command and it works fine.

@davidfestal davidfestal added the area/transparent-multi-cluster Related to scheduling of workloads into pclusters. label Jan 12, 2023
@qiujian16 qiujian16 mentioned this issue Jan 13, 2023
Merged
@davidfestal davidfestal mentioned this issue Nov 23, 2023
Open
@kasturinarra kasturinarra mentioned this issue Jan 17, 2023
Open
@MikeSpreitzer MikeSpreitzer mentioned this issue Jan 19, 2023
Closed
@kasturinarra kasturinarra mentioned this issue Jan 31, 2023
Closed
@kasturinarra kasturinarra mentioned this issue Nov 23, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@qiujian16 qiujian16

Labels
area/transparent-multi-cluster Related to scheduling of workloads into pclusters. kind/bug Categorizes issue or PR as related to a bug.
Projects
kcp
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

🐛 Add bind permission for kubernetes apiexport qiujian16/kcp
4 participants
@davidfestal @qiujian16 @kasturinarra @stevekuznetsov