[helm] DNS checks are missing privileges #739

Closed
czunker opened this issue Nov 25, 2020 · 4 comments
bug Something isn't working

Comments

@czunker
Contributor

czunker commented Nov 25, 2020

Describe the bug
The internal and external DNS checks try to query the k8s API, but are missing privileges.
The check completes, but it seems it wants to do more.

```
$ k -n kuberhealthy logs dns-status-internal-1606308364
...
time="2020-11-25T12:46:11Z" level=debug msg="Getting pod: dns-status-internal-1606308364 in order to get its node information"
time="2020-11-25T12:46:11Z" level=error msg="Error waiting for node to reach minimum age: pods \"dns-status-internal-1606308364\" is forbidden: User \"system:serviceaccount:kuberhealthy:default\" cannot get resource \"pods\" in API group \"\" in the namespace \"kuberhealthy\""
...
time="2020-11-25T12:46:11Z" level=debug msg="Getting pod: dns-status-internal-1606308364 in order to get its node information"
time="2020-11-25T12:46:11Z" level=error msg="Error waiting for kube proxy to be ready: error getting kuberhealthy pod: pods \"dns-status-internal-1606308364\" is forbidden: User \"system:serviceaccount:kuberhealthy:default\" cannot get resource \"pods\" in API group \"\" in the namespace \"kuberhealthy\""
...
```

Steps To Reproduce

  • Deploy kuberhealthy with enabled internal and external DNS checks

Expected behavior
No error messages in the log.

Versions

  • Cluster OS: Ubuntu 20.04
  • Kubernetes Version: 1.18.8
  • Kuberhealthy Release or build: 2.3.1

Additional context

I'm not quite sure whether the API access is needed or not.

@czunker czunker added the bug Something isn't working label Nov 25, 2020
@czunker
Contributor Author

czunker commented Nov 25, 2020

Perhaps a possible solution is to add a specific service account, like the one for the daemonset check. This SA could get the needed privileges to query the API.

@TBeijen

TBeijen commented Nov 30, 2020

Noticing the same thing. Tests seem to pass though.

Looks like it was introduced in #519, where updating the helm chart with the needed RBAC was overlooked.

@integrii
Collaborator

integrii commented Dec 2, 2020

Thanks for reporting this.

It looks like this is caused by our nodecheck package trying to auto-detect which node the checker pod lives on in order to be sure the node is old enough to run the check properly (sometimes there is a race condition right as nodes start up).

The code that fetches the pod information is here. Instead of using that code, we could modify nodecheck to have the node the pod runs on passed in, then we could derive the node name from the downward API using a spec change on all checks that looks like this:

```yaml
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
```

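Two defender-side fixes combined in one manifest, as an added example that is not part of this thread or the project's own chart: a dedicated service account with a namespaced Role that grants only `get` on `pods` (instead of widening the namespace `default` SA), plus the downward API env var above so the checker can learn its node without any API call. The `dns-check` names, the `KuberhealthyCheck` spec values and the image registry path are assumptions.

```yaml
# Added example, not kuberhealthy's own manifests; "dns-check" names and the image path are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dns-check
  namespace: kuberhealthy
---
# Least privilege: the checker only reads its own pod, so one verb on one resource, in one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dns-check
  namespace: kuberhealthy
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dns-check
  namespace: kuberhealthy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dns-check
subjects:
  - kind: ServiceAccount
    name: dns-check
    namespace: kuberhealthy
---
apiVersion: comcast.github.io/v1
kind: KuberhealthyCheck
metadata:
  name: dns-status-internal
  namespace: kuberhealthy
spec:
  runInterval: 2m
  timeout: 15m
  podSpec:
    serviceAccountName: dns-check   # not the namespace "default" SA seen in the log
    containers:
      - name: main
        image: kuberhealthy/dns-resolution-check:v1.4.2  # registry path assumed
        env:
          - name: NODE_NAME          # downward API: node name without a pod lookup
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
```

Verify the binding before relying on it with `kubectl auth can-i get pods --as=system:serviceaccount:kuberhealthy:dns-check -n kuberhealthy`; the same command with `kuberhealthy:default` reproduces the `forbidden` state from the log.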
@joshulyne
Collaborator

Addressed in merge #755 -- use the latest version of the dns check: dns-resolution-check:v1.4.2!
