Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[openstack-cloud-controller-manager] Serviceaccount cannot patch resource "services" #1722

Closed
jichenjc opened this issue Dec 27, 2021 · 14 comments · Fixed by #1755
Closed

[openstack-cloud-controller-manager] Serviceaccount cannot patch resource "services" #1722

jichenjc opened this issue Dec 27, 2021 · 14 comments · Fixed by #1755

Comments

@jichenjc
Copy link
Contributor

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug
/kind feature

What happened:

create a LB follow
https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md

kind: Service
apiVersion: v1
metadata:
  name: hello-world
  annotations:
    service.beta.kubernetes.io/brightbox-load-balancer-healthcheck-request: /
spec:
  type: LoadBalancer
  selector:
    app: hello-world
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: web

in logs seems

E1226 09:11:24.522851       1 controller.go:307] error processing service example/hello-world (will retry): failed to ensure load balancer: failed to patch service object example/hello-world: services "hello-world" is forbidden: User "system:serviceaccount:kube-system:cloud-provider-openstack" cannot patch resource "services" in API group "" in the namespace "example"
I1226 09:11:24.523070       1 event.go:291] "Event occurred" object="example/hello-world" kind="Service" apiVersion="v1" type="Warning" reason="SyncLoadBalancerFailed" message="Error syncing load balancer: failed to ensure load balancer: failed to patch service object example/hello-world: services \"hello-world\" is forbidden: User \"system:serviceaccount:kube-system:cloud-provider-openstack\" cannot patch resource \"services\" in API group \"\" in the namespace \"example\""

it's weird why "system:serviceaccount:kube-system:cloud-provider-openstack\" is used

I created following command

kubectl create clusterrolebinding my-1 --clusterrole=system:cloud-controller-manager --serviceaccount=kube-system:cloud-provider-openstack

and it works fine in the LB after the clusterrolebinding created
it's weird why kube-system:cloud-provider-openstack is created
What you expected to happen:

How to reproduce it:

Anything else we need to know?:

Environment:

  • openstack-cloud-controller-manager(or other related binary) version:
  • OpenStack version:
  • Others:
@jichenjc
Copy link
Contributor Author

opening this to track the problem as this is first time I saw this kind of issue

@lingxiankong lingxiankong changed the title "system:serviceaccount:kube-system:cloud-provider-openstack\" cannot patch resource \"services\" in API group \"\" in the namespace \"default\ [openstack-cloud-controller-manager] Serviceaccount cannot patch resource "services" Jan 9, 2022
@lingxiankong lingxiankong mentioned this issue Jan 21, 2022
Merged
@zetaab zetaab mentioned this issue Jan 25, 2022
Merged
@jacksgt
Copy link
Contributor

jacksgt commented Feb 24, 2022
edited

Hello,

I'm still seeing this error with the release-1.23 version (0807b16) and the latest Helm chart from master (d0f3cad).

kubectl create svc loadbalancer mv-lb results in:

E0224 09:41:12.619482       1 controller.go:310] error processing service default/mv-lb (will retry): failed to ensure load balancer: failed to patch service object default/mv-lb: services "mv-lb" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"

The daemonset is using the service account openstack-cloud-controller-manager:

  spec:
    revisionHistoryLimit: 10
    selector:
      matchLabels:
        app: openstack-cloud-controller-manager
        component: controllermanager
        release: openstack-cloud-controller
    template:
      metadata:
        annotations:
          checksum/config: ed0a9897da2498221063e2119422aafa31b3f2f255035fcdf6774b8f22dd32fd
          kubectl.kubernetes.io/restartedAt: "2022-02-24T10:39:33+01:00"
        creationTimestamp: null
        labels:
          app: openstack-cloud-controller-manager
          chart: openstack-cloud-controller-manager-1.2.0
          component: controllermanager
          heritage: Helm
          release: openstack-cloud-controller
      spec:
        containers:
        - args:
          - /bin/openstack-cloud-controller-manager
          - --v=2
          - --cloud-config=$(CLOUD_CONFIG)
          - --cloud-provider=openstack
          - --use-service-account-credentials=true
          - --controllers=service
          - --bind-address=0.0.0.0
          - --cluster-name=clu-jack-dev
          env:
          - name: CLOUD_CONFIG
            value: /etc/config/cloud.conf
          image: registry.cern.ch/jhensche/occm:cern-1.23-dev
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: http
              scheme: HTTPS
            initialDelaySeconds: 60
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          name: openstack-cloud-controller-manager
          ports:
          - containerPort: 10258
            hostPort: 10258
            name: http
            protocol: TCP
          resources:
            limits:
              memory: 512Mi
            requests:
              memory: 50Mi
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
          - mountPath: /etc/config
            name: cloud-config-volume
            readOnly: true
        dnsPolicy: ClusterFirst
        hostNetwork: true
        nodeSelector:
          node-role.kubernetes.io/master: ""
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        serviceAccount: openstack-cloud-controller-manager
        serviceAccountName: openstack-cloud-controller-manager
        terminationGracePeriodSeconds: 30
        tolerations:
        - effect: NoSchedule
          key: node.cloudprovider.kubernetes.io/uninitialized
          value: "true"
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        volumes:
        - name: cloud-config-volume
          secret:
            defaultMode: 420
            secretName: cloud-config
    updateStrategy:
      rollingUpdate:
        maxSurge: 0
        maxUnavailable: 1
      type: RollingUpdate

which has the following ClusterRole / ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  creationTimestamp: "2022-02-02T10:40:55Z"
  labels:
    argocd.argoproj.io/instance: openstack-cloud-controller
  name: system:openstack-cloud-controller-manager
  resourceVersion: "21118211"
  uid: eff6fcf3-cd16-45fe-8aab-b65805e92b01
rules:
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - create
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
  - get
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
  - get
  - list
  - watch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - list
  - get
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2022-02-02T10:40:55Z"
  labels:
    argocd.argoproj.io/instance: openstack-cloud-controller
  name: system:openstack-cloud-controller-manager
  resourceVersion: "21118235"
  uid: b004e774-5ff8-4391-88e4-ccf39e231a8d
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openstack-cloud-controller-manager
subjects:
- kind: ServiceAccount
  name: openstack-cloud-controller-manager
  namespace: openshift-cern-cloud-controller

In particular the ClusterRole has this part, so it should be allowed to modify services in all namespaces:

- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - list
  - patch
  - update
  - watch

Since the controller is running witht the service account "openstack-cloud-controller-manager", I don't understand why it identifies itself as "system:serviceaccount:kube-system:cloud-controller-manager" (especially since it's NOT running in the kube-system namespace).

/ping @lingxiankong @jichenjc

@lingxiankong
Copy link
Contributor

@jacksgt Which namespace is the openstack-cloud-controller-manager deployed?

@jacksgt
Copy link
Contributor

jacksgt commented Feb 27, 2022 via email

@lingxiankong
Copy link
Contributor

Since the --use-service-account-credentials=true is specified, cloud controller manager will manage all the controllers' service account in kube-system namespace.

@jacksgt
Copy link
Contributor

jacksgt commented Feb 28, 2022

Hi Lingxian,
I don't understand what you are referring to. Could you elaborate?

To my understanding, --use-service-account-credentials=true means that OCCM will use the credentials of the pod it is running in - in my case this is the openstack-cloud-controller-manager service account in the openshift-cern-cloud-controller namespace.
This has been working like this in v1.20 of OCCM.

Why would OCCM now use a different service account (in a different namespace). Is this a breaking change / regression?

@lingxiankong
Copy link
Contributor

Why would OCCM now use a different service account (in a different namespace). Is this a breaking change / regression?

I remember this change was added together with the shared load balancer feature support. However, keep in mind that setting the --use-service-account-credentials to true runs each control loop within the cloud controller manager using a separate service account credential. You didn't see the issue before because OCCM was not updating resources in its loop.

You can try to set --use-service-account-credentials=false, the cloud controller manager will use openstack-cloud-controller-manager service account in the openshift-cern-cloud-controller namespace.

@jacksgt jacksgt mentioned this issue Feb 28, 2022
Merged
@jacksgt
Copy link
Contributor

jacksgt commented Feb 28, 2022

Thank you for the explanation! I understood now.

As you suggested, I tried setting --use-service-account-credentials=false and it mostly worked, except this error:

failed to add load balancer cleanup finalizer: services "my-lb" is forbidden: User "system:serviceaccount:openshift-cern-cloud-controller:openstack-cloud-controller-manager" cannot patch resource "services/status" in API group "" in the namespace "default"

I had to slightly modify the Helm chart for the required permissions and submitted a PR here: #1802

@jichenjc jichenjc mentioned this issue Aug 31, 2022
Closed
@jichenjc jichenjc mentioned this issue Dec 8, 2022
Closed
@mkjpryor
Copy link

@jacksgt

How are you setting --use-service-account-credentials=false in the Helm chart?

It seems like it is hard-coded in the Helm chart here: https://github.com/kubernetes/cloud-provider-openstack/blob/master/charts/openstack-cloud-controller-manager/templates/daemonset.yaml#L43

@jacksgt
Copy link
Contributor

jacksgt commented Jan 31, 2023

@mkjpryor You can specify additional arguments with Values.controllerExtraArgs.
Since those will be added later on, they will overwrite the "hardcoded" arguments.

controllerExtraArgs:
  - "--use-service-account-credentials=false"

ghost pushed a commit to teutonet/teutonet-helm-charts that referenced this issue May 10, 2023
fix(cloud-controller-manager): Don't use service-account credentials
2b15232 
The default setting of the openstack-cloud-controller-manager uses two
different service accounts with differing permissions. This leads to issues,
especially when creating load-balancer services, where the wrong serivce
account is used and consequently not allowed to do the things required to
actually make things work.

This is a workaround that forces the openstack-cloud-controller-manager to
just use one single service account, which makes things work again.

Fixes:
Error syncing load balancer: failed to ensure load balancer: failed to patch service object ingress-nginx/ingress-nginx-controller: services "ingress-nginx-controller" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "ingress-nginx"

References:
- kubernetes/cloud-provider-openstack#2049
- kubernetes/cloud-provider-openstack#1722
@ghost ghost mentioned this issue May 10, 2023
Merged
ghost pushed a commit to teutonet/teutonet-helm-charts that referenced this issue May 10, 2023
fix(t8s-cluster/cloud-controller-manager): Don't use service-account …
151960c 
…credentials (#412)

The default setting of the openstack-cloud-controller-manager uses two
different service accounts with differing permissions. This leads to
issues, especially when creating load-balancer services, where the wrong
serivce account is used and consequently not allowed to do the things
required to actually make things work.

This is a workaround that forces the openstack-cloud-controller-manager
to just use one single service account, which makes things work again.

Fixes:
Error syncing load balancer: failed to ensure load balancer: failed to
patch service object ingress-nginx/ingress-nginx-controller: services
"ingress-nginx-controller" is forbidden: User
"system:serviceaccount:kube-system:cloud-controller-manager" cannot
patch resource "services" in API group "" in the namespace
"ingress-nginx"

References:
- kubernetes/cloud-provider-openstack#2049
- kubernetes/cloud-provider-openstack#1722

Co-authored-by: Sebastian Lehne <sl@teuto.net>
wwentland added a commit to wwentland/cloud-provider-openstack that referenced this issue Aug 22, 2023
@wwentland
Use standard service account name in OCCM helm chart
3a7d123 
This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager.

The change is motivated by a number of reasons, namely:

- Creates suitable service accounts, cluster roles and cluster role
  bindings for `--use-service-accounts-credentials=true`
- Normalises service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- kubernetes#2049
- kubernetes#1722
- kubernetes#1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
wwentland added a commit to wwentland/cloud-provider-openstack that referenced this issue Aug 22, 2023
@wwentland
Use standard service account name in OCCM helm chart
53679dc 
This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager.

The change is motivated by a number of reasons, namely:

- Creates suitable service accounts, cluster roles and cluster role
  bindings for `--use-service-accounts-credentials=true`
- Normalises service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- kubernetes#2049
- kubernetes#1722
- kubernetes#1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
wwentland added a commit to wwentland/cloud-provider-openstack that referenced this issue Aug 22, 2023
@wwentland
Use standard service account name in OCCM helm chart
f72968d 
This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager.

The change is motivated by the following:

- Create suitable service accounts, cluster roles and cluster role
  bindings for use with `--use-service-accounts-credentials=true`
- Normalise service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- kubernetes#2049
- kubernetes#1722
- kubernetes#1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
@wwentland wwentland mentioned this issue Aug 22, 2023
Merged
wwentland added a commit to wwentland/cloud-provider-openstack that referenced this issue Aug 23, 2023
@wwentland
Use standard service account name in OCCM helm chart
2eaf05d 
This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager and moves the default values into
the values file.

The change is motivated by the following:

- Create suitable service accounts, cluster roles and cluster role
  bindings for use with `--use-service-accounts-credentials=true`
- Normalise service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- kubernetes#2049
- kubernetes#1722
- kubernetes#1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
wwentland added a commit to wwentland/cloud-provider-openstack that referenced this issue Aug 23, 2023
@wwentland
Use standard service account name in OCCM helm chart
0975575 
This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager and moves the default values into
the values file.

The change is motivated by the following:

- Create suitable service accounts, cluster roles and cluster role
  bindings for use with `--use-service-accounts-credentials=true`
- Normalise service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- kubernetes#2049
- kubernetes#1722
- kubernetes#1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
wwentland added a commit to wwentland/cloud-provider-openstack that referenced this issue Aug 23, 2023
@wwentland
Use standard service account name in OCCM helm chart
a13f7cd 
This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager and moves the default values into
the values file.

The change is motivated by the following:

- Create suitable service accounts, cluster roles and cluster role
  bindings for use with `--use-service-accounts-credentials=true`
- Normalise service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- kubernetes#2049
- kubernetes#1722
- kubernetes#1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
k8s-ci-robot pushed a commit that referenced this issue Aug 28, 2023
@wwentland
Use standard service account name in OCCM helm chart (#2332)
c02269d 
This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager and moves the default values into
the values file.

The change is motivated by the following:

- Create suitable service accounts, cluster roles and cluster role
  bindings for use with `--use-service-accounts-credentials=true`
- Normalise service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- #2049
- #1722
- #1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
@till
Copy link
Contributor

till commented Oct 18, 2023

@jacksgt sorry for reviving this, but is this released?

I just checked an older cluster where we used the manifests (and kustomize) to deploy the OCCM. It seems like --use-service-account-credentials=true works there. But when I deploy the OCCM with the helm chart, I need to disable it?

Error message:

Error syncing load balancer: failed to ensure load balancer: failed to patch service object haproxy-ingress/haproxy-ingress: services "haproxy-ingress" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "haproxy-ingress"

kubectl describe ClusterRole/system:openstack-cloud-controller-manager
Name:         system:openstack-cloud-controller-manager
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: openstack-cloud-controller-manager
              meta.helm.sh/release-namespace: kube-system
PolicyRule:
  Resources                   Non-Resource URLs  Resource Names  Verbs
  ---------                   -----------------  --------------  -----
  nodes                       []                 []              [*]
  persistentvolumes           []                 []              [*]
  endpoints                   []                 []              [create get list watch update]
  serviceaccounts             []                 []              [create get]
  events                      []                 []              [create patch update]
  serviceaccounts/token       []                 []              [create]
  leases.coordination.k8s.io  []                 []              [get create update]
  configmaps                  []                 []              [get list watch]
  secrets                     []                 []              [list get watch]
  services                    []                 []              [list patch update watch]
  nodes/status                []                 []              [patch]
  services/status             []                 []              [patch]

It seems like it's assigned too:

kubectl get clusterrolebinding|grep openstack
system:openstack-cloud-controller-manager              ClusterRole/system:openstack-cloud-controller-manager                              8h

@till
Copy link
Contributor

till commented Oct 18, 2023

I deleted the cloud-controller-manager service account as I couldn't figure out where it came from.

It seems like the helm chart creates openstack-cloud-controller-manager, but the pod creates cloud-controller-manager. And that SA is used to patch the object, but the SA does not have the ClusterRoleBinding assigned.

@till till mentioned this issue Oct 18, 2023
Closed
wwentland added a commit to wwentland/cloud-provider-openstack that referenced this issue Oct 20, 2023
@wwentland
Use standard service account name in OCCM helm chart (kubernetes#2332)
12c4c3e 
This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager and moves the default values into
the values file.

The change is motivated by the following:

- Create suitable service accounts, cluster roles and cluster role
  bindings for use with `--use-service-accounts-credentials=true`
- Normalise service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- kubernetes#2049
- kubernetes#1722
- kubernetes#1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
@jacksgt
Copy link
Contributor

jacksgt commented Oct 20, 2023

Hi @till ,

I'm also no expert on this, but I think the flag is simply named very confusingly.
The behavior that I have observed is this:

  • --use-service-account-credentials=true => uses the cloud-controller-manager serviceaccount in the kube-system namespace (I believe these credentials are forwarded through the Kubernetes API calls made to the CCM?)
  • --use-service-account-credentials=false => uses the local credentials ($KUBECONFIG) or in the case of running inside kubernetes it uses the credentials of the spec.serviceAccountName (the serviceaccount token must be mounted into the pod)

I hope this helps.

@till
Copy link
Contributor

till commented Oct 20, 2023

@jacksgt cheers, and thanks for responding.

I think something with RBAC is broken but I created another ticket and there's already a PR to pick commits for a new release.

wwentland added a commit to wwentland/cloud-provider-openstack that referenced this issue Oct 21, 2023
@wwentland
Use standard service account name in OCCM helm chart (kubernetes#2332)
9286021 
This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager and moves the default values into
the values file.

The change is motivated by the following:

- Create suitable service accounts, cluster roles and cluster role
  bindings for use with `--use-service-accounts-credentials=true`
- Normalise service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- kubernetes#2049
- kubernetes#1722
- kubernetes#1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
wwentland added a commit to wwentland/cloud-provider-openstack that referenced this issue Oct 21, 2023
@wwentland
Use standard service account name in OCCM helm chart (kubernetes#2332)
9c7a0ec 
This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager and moves the default values into
the values file.

The change is motivated by the following:

- Create suitable service accounts, cluster roles and cluster role
  bindings for use with `--use-service-accounts-credentials=true`
- Normalise service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- kubernetes#2049
- kubernetes#1722
- kubernetes#1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
k8s-ci-robot pushed a commit that referenced this issue Oct 26, 2023
@wwentland
[release-1.26] [occm] Use standard service account name in OCCM helm …
c71f064 
…chart (#2449)

* Use standard service account name in OCCM helm chart (#2332)

This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager and moves the default values into
the values file.

The change is motivated by the following:

- Create suitable service accounts, cluster roles and cluster role
  bindings for use with `--use-service-accounts-credentials=true`
- Normalise service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- #2049
- #1722
- #1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>

* Remove spurious whitespace in OCCM values file (#2347)

The space character was sadly introduced in an earlier PR and had not
been picked up by the helm linter, presumably because the GHA did
not run.

Signed-off-by: Wolodja Wentland <w@wentland.dev>

---------

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
Signed-off-by: Wolodja Wentland <w@wentland.dev>
k8s-ci-robot pushed a commit that referenced this issue Oct 26, 2023
@wwentland
[release-1.27] [occm] Use standard service account name in OCCM helm …
79c0a29 
…chart (#2448)

* Use standard service account name in OCCM helm chart (#2332)

This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager and moves the default values into
the values file.

The change is motivated by the following:

- Create suitable service accounts, cluster roles and cluster role
  bindings for use with `--use-service-accounts-credentials=true`
- Normalise service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- #2049
- #1722
- #1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>

* Remove spurious whitespace in OCCM values file (#2347)

The space character was sadly introduced in an earlier PR and had not
been picked up by the helm linter, presumably because the GHA did
not run.

Signed-off-by: Wolodja Wentland <w@wentland.dev>

---------

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
Signed-off-by: Wolodja Wentland <w@wentland.dev>
k8s-ci-robot pushed a commit that referenced this issue Oct 26, 2023
@wwentland
[release-1.28] [occm] Use standard service account name in OCCM helm …
b447f67 
…chart (#2447)

* Use standard service account name in OCCM helm chart (#2332)

This removes the `openstack-` prefix from the service account name
used by the cloud-controller-manager and moves the default values into
the values file.

The change is motivated by the following:

- Create suitable service accounts, cluster roles and cluster role
  bindings for use with `--use-service-accounts-credentials=true`
- Normalise service account names in the helm chart and plain
  manifests
- Adhere to naming conventions across external cloud controller
  managers for different clouds (e.g. AWS, GCP, ...)

Specifically the first point deserves further details. Prior to this
change, users who install the cloud controller manager with helm,
would run into the following error when creating load balancers:

```
E0818 08:27:33.802407      11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Which is due to the fact that the controller is running with the
`cloud-controller-manager` service account because
`--use-service-account-credentials` is set to `true` by default and
the client is initialised with:

```
clientset := clientBuilder.ClientOrDie("cloud-controller-manager")
```

Whilst users can work around this by passing
`--use-service-account-credentials=false`, the desired behaviour would
be to install suitable RBAC in the first place.

See:

- https://kubernetes.io/docs/concepts/architecture/cloud-controller/
- https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
- #2049
- #1722
- #1755

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>

* Remove spurious whitespace in OCCM values file (#2347)

The space character was sadly introduced in an earlier PR and had not
been picked up by the helm linter, presumably because the GHA did
not run.

Signed-off-by: Wolodja Wentland <w@wentland.dev>

---------

Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
Signed-off-by: Wolodja Wentland <w@wentland.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[occm] Fix the service account name
5 participants
@till @mkjpryor @lingxiankong @jacksgt @jichenjc