Failed to create load balancer: User "system:kube-controller-manager" cannot create configmaps in the namespace "kube-system". #425
Comments
I too stumbled upon the exact same issue.

/cc @kubernetes/sig-cluster-lifecycle-bugs
Here is the log on why servicecontroller is failing to create 'LoadBalancer' type service in kubeadm based cluster
We should loop in sig-auth on this as the problem is missing RBAC bindings. I guess that this might be GCE-specific, and hence not present in the general RBAC rules
Can you link to the code in the gce servicecontroller that tries to modify configmaps please?
… On 09 Sep 2017, at 21:09, shashidharatd ***@***.***> wrote:
> Here is the log on why servicecontroller is failing to create 'LoadBalancer' type service in kubeadm based cluster
> {"log":"E0909 17:54:54.712198 1 servicecontroller.go:753] Failed to process service. Retrying in 2m40s: Failed to create load balancer for service federation-system/e2e-federation-apiserver: User \"system:kube-controller-manager\" cannot create configmaps in the namespace \"kube-system\". (post configmaps)\n","stream":"stderr","time":"2017-09-09T17:54:54.712261219Z"}
> {"log":"E0909 17:57:34.716929 1 servicecontroller.go:753] Failed to process service. Retrying in 5m0s: Failed to create load balancer for service federation-system/e2e-federation-apiserver: User \"system:kube-controller-manager\" cannot create configmaps in the namespace \"kube-system\". (post configmaps)\n","stream":"stderr","time":"2017-09-09T17:57:34.717073975Z"}
I dug into the code and found that the error is coming from

@MrHohn, This issue is related to

I think it's just ok to do a post-apply of these rules if you use GCE. With out-of-tree cloud providers, this will be in the same manifest anyway...
Seems we introduced new operations (for configmap) in gce controller but never handled its RBAC... Link:

```go
{
	// a role to use for bootstrapping the kube-controller-manager so it can create the shared informers
	// service accounts, and secrets that we need to create separate identities for other controllers
	ObjectMeta: metav1.ObjectMeta{Name: "system:kube-controller-manager"},
	Rules: []rbac.PolicyRule{
		eventsRule(),
		rbac.NewRule("create").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
		rbac.NewRule("delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
		rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "secrets", "serviceaccounts").RuleOrDie(),
		rbac.NewRule("update").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
		// Needed to check API access. These creates are non-mutating
		rbac.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
		// Needed for all shared informers
		rbac.NewRule("list", "watch").Groups("*").Resources("*").RuleOrDie(),
	},
},
```
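To make concrete why the bootstrap rules quoted above deny the request in the log, here is an added example; it is not code from this thread or from Kubernetes. It is a small Go model of RBAC rule matching with the same shape as `rbac.PolicyRule`, loaded with the `system:kube-controller-manager` rules exactly as listed above, and it evaluates the check behind the log line (`create` `configmaps` in `kube-system`). It also shows that the wildcard `list`/`watch` rule is why informers work while the create fails, and what a namespaced grant changes. The Role name `gce-lb-configmaps` and its verb list are assumptions for illustration only; `eventsRule()` is left out because its body is not shown on this page and it does not touch configmaps.

```go
package main

import (
	"fmt"
	"strings"
)

// legacyGroup is the core API group (""), home of configmaps, secrets, endpoints.
const legacyGroup = ""

// PolicyRule has the shape of rbac.PolicyRule: a request matches only when its
// verb, API group and resource each appear in the rule (or the rule says "*").
type PolicyRule struct {
	Verbs     []string
	APIGroups []string
	Resources []string
}

// Request is one authorization question: may the subject do Verb on Resource
// (in APIGroup) inside Namespace?
type Request struct {
	Verb, APIGroup, Resource, Namespace string
}

// Binding scopes a rule set. Namespace "" models a ClusterRoleBinding (applies
// everywhere); a non-empty Namespace models a RoleBinding in that namespace.
type Binding struct {
	Name      string
	Namespace string
	Rules     []PolicyRule
}

func contains(list []string, item string) bool {
	for _, s := range list {
		if s == "*" || s == item {
			return true
		}
	}
	return false
}

// RuleAllows is the per-rule check. Verbs never imply one another: a
// "list","watch" rule on "*" grants nothing for "create".
func RuleAllows(r PolicyRule, req Request) bool {
	return contains(r.Verbs, req.Verb) && contains(r.APIGroups, req.APIGroup) && contains(r.Resources, req.Resource)
}

// Authorize mimics the RBAC authorizer: any in-scope rule that matches allows
// the request; when none matches, the answer is a deny with a reason.
func Authorize(bindings []Binding, req Request) (bool, string) {
	for _, b := range bindings {
		if b.Namespace != "" && b.Namespace != req.Namespace {
			continue
		}
		for _, r := range b.Rules {
			if RuleAllows(r, req) {
				return true, fmt.Sprintf("allowed by %q: verbs=%s groups=%q resources=%s",
					b.Name, strings.Join(r.Verbs, ","), r.APIGroups, strings.Join(r.Resources, ","))
			}
		}
	}
	return false, fmt.Sprintf("no rule grants %s %s (group %q) in namespace %q", req.Verb, req.Resource, req.APIGroup, req.Namespace)
}

// BootstrapRules transcribes the system:kube-controller-manager bootstrap policy
// quoted in the thread (eventsRule() omitted: its body is not on the page).
func BootstrapRules() []PolicyRule {
	return []PolicyRule{
		{Verbs: []string{"create"}, APIGroups: []string{legacyGroup}, Resources: []string{"endpoints", "secrets", "serviceaccounts"}},
		{Verbs: []string{"delete"}, APIGroups: []string{legacyGroup}, Resources: []string{"secrets"}},
		{Verbs: []string{"get"}, APIGroups: []string{legacyGroup}, Resources: []string{"endpoints", "namespaces", "secrets", "serviceaccounts"}},
		{Verbs: []string{"update"}, APIGroups: []string{legacyGroup}, Resources: []string{"endpoints", "secrets", "serviceaccounts"}},
		{Verbs: []string{"create"}, APIGroups: []string{"authentication.k8s.io"}, Resources: []string{"tokenreviews"}},
		{Verbs: []string{"list", "watch"}, APIGroups: []string{"*"}, Resources: []string{"*"}},
	}
}

// BootstrapBindings is the cluster-wide grant the controller manager has out of the box.
func BootstrapBindings() []Binding {
	return []Binding{{Name: "system:kube-controller-manager", Rules: BootstrapRules()}}
}

// WorkaroundBindings adds a hypothetical Role bound in kube-system granting exactly
// what the GCE service controller was denied. Name and verb list are assumptions.
func WorkaroundBindings() []Binding {
	return append(BootstrapBindings(), Binding{
		Name: "gce-lb-configmaps", Namespace: "kube-system",
		Rules: []PolicyRule{{Verbs: []string{"create", "get", "update"}, APIGroups: []string{legacyGroup}, Resources: []string{"configmaps"}}},
	})
}

// FailingRequest is the check behind "cannot create configmaps in the namespace kube-system (post configmaps)".
func FailingRequest() Request {
	return Request{Verb: "create", APIGroup: legacyGroup, Resource: "configmaps", Namespace: "kube-system"}
}

func main() {
	for _, req := range []Request{FailingRequest(), {Verb: "list", APIGroup: legacyGroup, Resource: "configmaps", Namespace: "kube-system"}} {
		ok, why := Authorize(BootstrapBindings(), req)
		fmt.Printf("bootstrap: %s %s -> %v (%s)\n", req.Verb, req.Resource, ok, why)
	}
	ok, why := Authorize(WorkaroundBindings(), FailingRequest())
	fmt.Printf("with workaround Role: create configmaps -> %v (%s)\n", ok, why)
}
```

Running it shows the bootstrap policy denying `create configmaps` while allowing `list configmaps` through the wildcard informer rule, and the namespaced Role allowing the create only in `kube-system`. This is also why the merged fix below (handing the cloud provider the per-controller `clientBuilder` rather than `rootClientBuilder`) is the cleaner route: the GCE code then runs under an identity whose grants can be managed separately instead of widening the controller manager's bootstrap role.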
Hmm. The policy was added here https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go#L88-L94 and the client should be made with

/kind bug
…tion Automatic merge from submit-queue (batch tested with PRs 52376, 52439, 52382, 52358, 52372)

Pass correct clientbuilder to cloudproviders

Fixes kubernetes/kubeadm#425 by moving the Initialize call to after the start of the token controller and passing `clientBuilder` instead of `rootClientBuilder` to the cloudproviders.

/assign @bowei

**Release note**:
```release-note
NONE
```

Should fix in 1.8 and cherrypick to 1.7

…376-upstream-release-1.7 Automatic merge from submit-queue

Automated cherry pick of #52376

Cherry pick of #52376 on release-1.7.

#52376: Move cloudprovider initialization to after token controller

**Release note**:
```release-note
GCE: Fixes known [issue](kubernetes/kubeadm#425) for creating services with RBAC and bootstrap token auth
```
Is this a BUG REPORT or FEATURE REQUEST?
BUG REPORT
Versions
kubeadm version 1.7.5
Environment:
What happened?
`kubectl describe svc` shows:

What you expected to happen?
Load balancer gets created successfully.
How to reproduce it (as minimally and precisely as possible)?
See above
Anything else we need to know?
This seems to be caused by missing RBAC roles/bindings. As a workaround, applying the following and recreating the service makes it work: