Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Forbidden!Configured service account doesn't have access. Service account may have been revoked. daemonsets.apps is forbidden #140

Closed
mkysel opened this issue Aug 28, 2020 · 4 comments · Fixed by #141, #133 or #150
Closed

Forbidden!Configured service account doesn't have access. Service account may have been revoked. daemonsets.apps is forbidden #140

mkysel opened this issue Aug 28, 2020 · 4 comments · Fixed by #141, #133 or #150
Assignees
@mkysel
Labels
bug Something isn't working known-issue

Comments

@mkysel
Copy link
Contributor

mkysel commented Aug 28, 2020
edited

NuoDB version: 4.0.7
NuoDB Helm charts: 2.4.0

Failure Description: NuoDB admin KAA module does not start

Log:

2020-08-27T14:48:33.553+0000 WARN  io.fabric8.kubernetes.client.informers.cache.Controller informer-controller-DaemonSet Reflector list-watching job exiting because the thread-pool is shutting down
java.util.concurrent.RejectedExecutionException: Error while starting ReflectorRunnable watch
        at io.fabric8.kubernetes.client.informers.cache.Reflector.listAndWatch(Reflector.java:85)
        at io.fabric8.kubernetes.client.informers.cache.Controller.run(Controller.java:112)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.util.concurrent.RejectedExecutionException: Error while doing ReflectorRunnable list
        at io.fabric8.kubernetes.client.informers.cache.Reflector.getList(Reflector.java:73)
        at io.fabric8.kubernetes.client.informers.cache.Reflector.reListAndSync(Reflector.java:94)
        at io.fabric8.kubernetes.client.informers.cache.Reflector.listAndWatch(Reflector.java:80)
        ... 2 common frames omitted
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.96.0.1/apis/apps/v1/namespaces/testadminscaledown-riqkzt/daemonsets. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. daemonsets.apps is forbidden: User "system:serviceaccount:testadminscaledown-riqkzt:nuodb" cannot list resource "daemonsets" in API group "apps" in the namespace "testadminscaledown-riqkzt".
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:568)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:505)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:471)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:430)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:412)
        at io.fabric8.kubernetes.client.dsl.base.BaseOperation.listRequestHelper(BaseOperation.java:166)
        at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:640)
        at io.fabric8.kubernetes.client.informers.SharedInformerFactory$1.list(SharedInformerFactory.java:161)
        at io.fabric8.kubernetes.client.informers.SharedInformerFactory$1.list(SharedInformerFactory.java:154)
        at io.fabric8.kubernetes.client.informers.cache.Reflector.getList(Reflector.java:67)
        ... 4 common frames omitted
@mkysel mkysel added the bug Something isn't working label Aug 28, 2020
@butson
Copy link
Contributor

butson commented Aug 28, 2020

nuodb.addRoleBinding = false for some reason. It should always be true, check to see if the role got create.

@mkysel
Copy link
Contributor Author

mkysel commented Aug 28, 2020

2.4.0 does not have DaemonSets in the list of permissions. It was added in 3.0.0.

@mkysel mkysel linked a pull request Aug 28, 2020 that will close this issue
Added DaemonSets to list of NuoDB Kubernetes Aware Admin permissions #141
Merged
@mkysel
Copy link
Contributor Author

mkysel commented Aug 28, 2020

To work around the issue, one can use the newer Role from 3.0.0 or 2.4.1.

curl -s https://raw.githubusercontent.com/nuodb/nuodb-helm-charts/e1b9290fbd69562ff8ec3a975e94919a3dcfa74c/stable/admin/templates/role.yaml | egrep -v "^[{]{2}.*[}]{2}$" | kubectl apply -f -

@mkysel mkysel self-assigned this Aug 28, 2020
@mkysel mkysel linked a pull request Aug 28, 2020 that will close this issue
Replaced Transaction Engine (TE) Load Balancer job (lbConfig) with Load Balancer Specification via Kubernetes object annotations (depends on NuoDB Kubernetes Aware Admin) #133
Merged
@mkysel mkysel mentioned this issue Aug 28, 2020
Merged
@mkysel mkysel mentioned this issue Aug 28, 2020
Merged
mkysel pushed a commit that referenced this issue Aug 30, 2020
Bump NuoDB version to 4.0.7 (#144)
babc715 
Besides changing the default version of NuoDB in the charts, this PR contains two upgrade workarounds for issues:
#140
#143
mkysel pushed a commit that referenced this issue Aug 30, 2020
Bump NuoDB version to 4.0.7 [2.4-dev branch] (#145)
69160e1 
Besides changing the default version of NuoDB in the charts, this PR contains two upgrade workarounds for issues:
#140
#143
@mkysel
Copy link
Contributor Author

mkysel commented Aug 30, 2020

resolved

@mkysel mkysel closed this as completed Aug 30, 2020
@sivanov-nuodb sivanov-nuodb mentioned this issue Sep 8, 2020
Merged
@mkysel mkysel linked a pull request Sep 8, 2020 that will close this issue
Start Kubernetes Aware Admin module with limited permissions #150
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mkysel mkysel

Labels
bug Something isn't working known-issue
Projects
None yet
Milestone
No milestone
2 participants
@butson @mkysel