F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

Access Denied when configuring pools #691

Closed joshbenner closed 6 years ago

joshbenner commented 6 years ago

Description

What I did:

What happened: k8s-bigip-ctlr attempts and fails to configure the BIG-IP with an Access Denied error.

I have confirmed that the user can create pools by using the iControl REST API via f5-sdk with this user to create a pool in the above partition.

Kubernetes Version

v1.8.4+coreos.0

Controller Version

1.5.1

BIG-IP Version

12.1.3

Diagnostic Information

k8s-bigip-ctlr log:

k8s-bigip-ctlr 2018/05/10 15:14:59 [INFO] [2018-05-10 15:14:59,068 f5_cccl.resource.resource INFO] Creating ApiPool: /kube01.lab/ingress_default_testapp-testapp
k8s-bigip-ctlr 2018/05/10 15:14:59 [ERROR] [2018-05-10 15:14:59,130 f5_cccl.resource.resource ERROR] HTTP error(400): CCCL resource(ApiPool) /kube01.lab/ingress_default_testapp-testapp.
k8s-bigip-ctlr 2018/05/10 15:14:59 [ERROR] [2018-05-10 15:14:59,131 f5_cccl.service.manager ERROR] F5CcclResourceRequestError - 400 Unexpected Error: Bad Request for uri: https://xxx.xxx.xxx.xxx:443/mgmt/tm/ltm/pool/
k8s-bigip-ctlr 2018/05/10 15:14:59 [INFO] Text: u'{"code":400,"message":"01070822:3: Access Denied: user (kube01.lab) does not have create access to object (pool_metadata)","errorStack":[],"apiError":3}'
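
The log above shows why this failure is easy to misread: the controller reports a generic HTTP 400 "Bad Request", and the real cause (BIG-IP error 01070822, an authorization failure on the `pool_metadata` object) is only in the echoed response body. The script below is an added example, not code from the k8s-bigip-ctlr project, that parses such controller log lines, decodes the echoed iControl JSON body, and summarizes which objects and verbs the account was denied, so an operator can confirm a role/permission problem before changing the account's role. The sample log is constructed from the lines in this issue plus one extra line for a second object (`virtual_server_metadata`) to show aggregation; the regular expressions assume the message format visible in the log.

```python
import json
import re
from collections import defaultdict

# Constructed sample: the three lines from the controller log above, plus one
# constructed line for a second object to show aggregation across objects.
SAMPLE_LOG = """\
k8s-bigip-ctlr 2018/05/10 15:14:59 [INFO] [2018-05-10 15:14:59,068 f5_cccl.resource.resource INFO] Creating ApiPool: /kube01.lab/ingress_default_testapp-testapp
k8s-bigip-ctlr 2018/05/10 15:14:59 [ERROR] [2018-05-10 15:14:59,130 f5_cccl.resource.resource ERROR] HTTP error(400): CCCL resource(ApiPool) /kube01.lab/ingress_default_testapp-testapp.
k8s-bigip-ctlr 2018/05/10 15:14:59 [INFO] Text: u'{"code":400,"message":"01070822:3: Access Denied: user (kube01.lab) does not have create access to object (pool_metadata)","errorStack":[],"apiError":3}'
k8s-bigip-ctlr 2018/05/10 15:15:02 [INFO] Text: u'{"code":400,"message":"01070822:3: Access Denied: user (kube01.lab) does not have modify access to object (virtual_server_metadata)","errorStack":[],"apiError":3}'
"""

# The controller echoes the raw BIG-IP response body as a Python 2 unicode
# literal (u'...'); capture the JSON between the quotes.
TEXT_RE = re.compile(r"\[INFO\] Text: u'(?P<body>.*)'\s*$")

# Access-control message format seen in the log (assumed from these lines):
#   <code>:<sev>: Access Denied: user (<user>) does not have <verb> access to object (<object>)
DENIED_RE = re.compile(
    r"^(?P<code>\d+):\d+: Access Denied: user \((?P<user>[^)]+)\) "
    r"does not have (?P<verb>\w+) access to object \((?P<obj>[^)]+)\)$"
)


def extract_response_bodies(log_text):
    """Yield decoded JSON bodies that the controller echoed from BIG-IP."""
    for line in log_text.splitlines():
        m = TEXT_RE.search(line)
        if not m:
            continue
        try:
            yield json.loads(m.group("body"))
        except json.JSONDecodeError:
            # Not a JSON body (e.g. an HTML error page); skip rather than crash.
            continue


def parse_access_denied(log_text):
    """Return one event per Access Denied response found in the log.

    The HTTP status is 400, not 403, so the body message is the only reliable
    signal that the failure is an authorization problem rather than bad input.
    """
    events = []
    for body in extract_response_bodies(log_text):
        m = DENIED_RE.match(body.get("message", ""))
        if m:
            events.append({"http_code": body.get("code"), **m.groupdict()})
    return events


def summarize_missing_access(events):
    """Map each user to the sorted (verb, object) pairs it was denied."""
    missing = defaultdict(set)
    for ev in events:
        missing[ev["user"]].add((ev["verb"], ev["obj"]))
    return {user: sorted(pairs) for user, pairs in missing.items()}


if __name__ == "__main__":
    summary = summarize_missing_access(parse_access_denied(SAMPLE_LOG))
    for user, pairs in summary.items():
        print(f"{user}:")
        for verb, obj in pairs:
            print(f"  lacks {verb} access to {obj}")
```

Running it against the sample prints that `kube01.lab` lacks `create` access to `pool_metadata` and `modify` access to `virtual_server_metadata`. Because the denied objects are named explicitly, this makes it possible to match the failure to a specific role capability instead of treating every 400 from the controller as a malformed request.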
joshbenner commented 6 years ago

I can reproduce this error using f5-sdk when I try to set pool metadata. Is there an additional configuration required so that Manager role can set metadata?

russokj commented 6 years ago

The manager role is not allowed to set metadata. I believe you must use the Resource Administrator or Administrator role to do this. I believe the guidance for all our controllers is that the user account must have the admin role.

joshbenner commented 6 years ago

@russokj Documentation suggested Manager should work for Nodeport mode. Updates may be needed there.

russokj commented 6 years ago

Okay. I'll open up an issue for the docs. The last release added a feature to add the controller name and version to the metadata field which required us to remove the support of the Manager role across all controllers.