In Openshift, endpoints is forbidden #1702
Comments
For openshift you have to use configmaps instead of endpoints.
@Samusername have a look at the RBAC template of the helm chart to understand what the cluster role should look like.
Yes, I have used the same ClusterRole definitions (and the whole helm chart) from there, in the mentioned latest test. (I did not bind it, if it does not get bound automatically in the installation of the helm chart.)
I am trying to avoid "ConfigMap configuration": So, the following was kept in comments, in values.yaml: # kubernetes_use_configmaps: ... With configTarget: "OperatorConfigurationCRD",
We may manage to get enough permissions, in a certain namespace, to get such executed in Openshift.
As this is the first result for searching "endpoint address is not allowed", I will add one other possible solution that may help people dealing with the same issue on other operators such as k8ssandra-operator: You need to modify the Role/ClusterRole and use resource "endpoints/restricted" instead of "endpoints", like this:
This quirk is only documented in legacy Openshift 3.X documentation here:
Verified to work on Openshift 4.11
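An added example (not from this issue thread or from the postgres-operator project) that checks whether a set of RBAC rules covers the "endpoints/restricted" resource named in the comment above, following the Kubernetes RBAC resource-matching rules. It assumes the OpenShift check asks for the "create" verb on "endpoints/restricted" in the core API group; the rule sets are constructed and resourceNames is not modelled.

```python
# Added example: does a Role/ClusterRole rule list cover "endpoints/restricted"?
# Assumption: the OpenShift check is verb "create", core API group "",
# resource "endpoints", subresource "restricted". resourceNames is ignored.

def resource_matches(rule_resource, resource, subresource=""):
    """Match one entry of a rule's `resources` list the way RBAC does."""
    if rule_resource == "*":
        return True
    combined = f"{resource}/{subresource}" if subresource else resource
    if rule_resource == combined:
        return True
    # "*/sub" matches that subresource on any resource; "res/*" is NOT a wildcard.
    return bool(subresource) and rule_resource == f"*/{subresource}"


def rule_allows(rule, verb, api_group, resource, subresource=""):
    """True if a single RBAC rule permits the request."""
    verbs = rule.get("verbs", [])
    groups = rule.get("apiGroups", [])
    return (("*" in verbs or verb in verbs)
            and ("*" in groups or api_group in groups)
            and any(resource_matches(r, resource, subresource)
                    for r in rule.get("resources", [])))


def allows_restricted_endpoints(rules):
    """True if any rule grants create on endpoints/restricted."""
    return any(rule_allows(r, "create", "", "endpoints", "restricted")
               for r in rules)


# Constructed rule sets, in the same shape as the `rules:` list of a Role.
ENDPOINTS_ONLY = [{"apiGroups": [""], "resources": ["endpoints"],
                   "verbs": ["create", "delete", "get", "list",
                             "patch", "update", "watch"]}]
WITH_RESTRICTED = ENDPOINTS_ONLY + [{"apiGroups": [""],
                                     "resources": ["endpoints/restricted"],
                                     "verbs": ["create"]}]
WRONG_WILDCARD = [{"apiGroups": [""], "resources": ["endpoints/*"],
                   "verbs": ["*"]}]

if __name__ == "__main__":
    for name, rules in [("endpoints only", ENDPOINTS_ONLY),
                        ("with endpoints/restricted", WITH_RESTRICTED),
                        ("endpoints/* wildcard", WRONG_WILDCARD)]:
        print(f"{name}: {allows_restricted_endpoints(rules)}")
```

Full verbs on "endpoints" alone do not satisfy a check on the subresource, which matches the 403 reported in this issue despite the chart's ClusterRole being applied.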
Hi!
I tested with older versions of postgres-operator and spilo,
and also with latest published versions:
https://github.com/zalando/postgres-operator/releases/tag/v1.7.1
and --> registry.opensource.zalan.do/acid/spilo-14:2.1-p3
Following kinds of errors are shown in logs of acid-upgrade-test-0 pod:
patroni.dcs.kubernetes.K8sClient.rest.ApiException: (403)
Reason: Forbidden
endpoints "acid-upgrade-test" is forbidden: endpoint address ... is not allowed",
"reason":"Forbidden","details":{"name":\"acid-upgrade-test\","kind":"endpoints"},"code":403}
...
2021-11-23 14:40:39,183 ERROR: failed to update leader lock
2021-11-23 14:40:39,184 INFO: not promoting because failed to update leader lock in DCS
I have seen e.g. following discussion chain:
#985
I tried to compare and add any permissions which were mentioned there.
Same error happened still.
What kinds of permissions should be given? In ClusterRole?
Btw., is config map needed to be enabled separately nowadays in these installations to Openshift? I did not set it anywhere.
Files:
I used following minimal manifest yaml:
I will need to make one scratch installation test again from a "clean table".