New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
VersionApi call not allowed when ClusterRole system:discovery is used in binding to a service account #153
Comments
oops, didn't mean to close this... |
I've sent a PR to upstream Kubernetes to add this permission to the |
Great! I had wondered if the So when I did a search on kubernetes.io I did not seem to find information on the non-resource URLs. Can you provide a reference to the spec about non-resource URLs that you have referenced here for the version? Thanks |
Okay, I was just looking around in the repo and the path should be https://github.com/kubernetes/kubernetes/blob/master/api/openapi-spec/swagger.json I noticed when looking in API folder there is also https://github.com/kubernetes/kubernetes/blob/master/api/swagger-spec/version.json which has no trailing slash. Thanks again for the help... |
I wouldn't expect the openapi spec to have a trailing slash |
Well, it's there: @mbohlool any idea why the trailing slash is there? |
Automatic merge from submit-queue (batch tested with PRs 57349, 57368). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add '/version/' to the system:discovery role, since that's what the spec says. See: kubernetes-client/java#153 ```release-note Add the path '/version/' to the `system:discovery` cluster role. ```
I'm closing this, since the change is merged into upstream Kubernetes, and there's not much more we can do here unless the openapi spec changes. |
See https://github.com/kubernetes-client/java/blob/master/kubernetes/src/main/java/io/kubernetes/client/apis/VersionApi.java
Issue:
VersionApi.getCodeCall() uses
/version/
when calling apiClient.buildCall() at line 102.If you bind the ClusterRole system:discovery to a service account when RBAC is enabled the call fails with HTTP 403
Workaround:
The text was updated successfully, but these errors were encountered: