Shopify / krane

A command-line tool that helps you ship changes to a Kubernetes namespace and understand the result
MIT License

forbidden: User "$SERVICE_ACCOUNT" cannot get path "/" #804

Open joshuasimon-taulia opened 3 years ago

joshuasimon-taulia commented 3 years ago

Bug report

starting in krane 2.1.6, my k8s sa is hitting permissions issues. krane deploy works fine in 2.1.5

Expected behavior:

[INFO][2021-02-12 01:56:07 +0000]
[INFO][2021-02-12 01:56:07 +0000]   ------------------------------------------Result: SUCCESS-------------------------------------------
[INFO][2021-02-12 01:56:07 +0000]   Successfully deployed 11 resources
[INFO][2021-02-12 01:56:07 +0000]
[INFO][2021-02-12 01:56:07 +0000]   Successful resources

Actual behavior:

[WARN][2021-02-12 03:09:44 +0000]   The following command failed (attempt 5/5): kubectl get --raw / --context\=staging --request-timeout\=1
[WARN][2021-02-12 03:09:44 +0000]   Error from server (Forbidden): forbidden: User "system:serviceaccount:staging:deployer" cannot get path "/"

[INFO][2021-02-12 03:09:44 +0000]
[INFO][2021-02-12 03:09:44 +0000]   ------------------------------------------Result: FAILURE-------------------------------------------
[FATAL][2021-02-12 03:09:44 +0000]  Error retrieving raw path /: error from server (forbidden): forbidden: user "system:serviceaccount:staging:deployer" cannot get path "/"
[FATAL][2021-02-12 03:09:44 +0000]

Version(s) affected: 2.1.6

Steps to Reproduce

  1. krane deploy staging staging --no-prune -f output/my-charttemplates/

This is RBAC for my k8s SA

kind: ClusterRole # limited to namespace by using 'RoleBinding'
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployer
rules:
  - apiGroups:
      - "*"
    resources:
      - configmaps
      - clusterrolebindings
      - clusterroles
      - customresourcedefinitions
      - deployments
      - events
      - horizontalpodautoscalers
      - ingresses
      - jobs
      - persistentvolumeclaims
      - persistentvolumes
      - pods
      - pods/log
      - replicasets
      - rolebindings
      - roles
      - secrets
      - serviceaccounts
      - services
      - statefulsets
    verbs:
      - create
      - get
      - list
      - patch
      - watch
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployer-all-ns
rules:
  - apiGroups:
      - "*"
    resources:
      - namespaces
      - customresourcedefinitions
    verbs:
      - get
      - list

I have also tried giving the k8s SA

rules:
- nonResourceURLs:
  - /
  verbs:
  - get

Feature request

Proposal: Document the additional RBAC required by krane 2.1.6

dturn commented 3 years ago

I definitely think this is worth documenting. We've held off on a list of RBAC resources because krane will deploy/prune anything you give it, so there really isn't a list short of * that would work for everyone.

Would you be willing to PR something to our docs?

bazzargh commented 3 years ago

We just hit this issue too, with a user updating to 2.1.7. Maybe worth mentioning our findings on the way here: that k8s rejected adding this permission to the standard discovery role https://github.com/kubernetes/kubernetes/issues/45366 (we weren't sure if krane now targeted a newer k8s than we use, 1.16), and that the need for this to be documented was also mentioned in https://github.com/Shopify/krane/pull/778#issuecomment-778328751 (mentioning this to link the issues).

sstein-maestro commented 1 month ago

Not sure if this issue is still active here, but I'm currently encountering the same error using krane 3.4.0 deploying to AWS EKS with a service account: Error from server (Forbidden): forbidden: User "circleci.com" cannot get path "/"

Would anyone be able to clarify which permission needs to be added to the AWS user or role to resolve the issue? Thanks in advance.
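The failing call in both reports is krane's `kubectl get --raw /`, a request for a non-resource URL. Kubernetes RBAC grants non-resource URLs only through a ClusterRoleBinding; a RoleBinding that references a ClusterRole (the pattern noted in the first comment's manifest) confers just the namespaced resources in that namespace, so a `nonResourceURLs: ["/"]` rule bound that way never takes effect. The script below is an added example, not krane's code and not posted by anyone in this thread. It renders a minimal ClusterRole limited to `get` on `/`, binds it to the affected principal, and uses `kubectl auth can-i` to confirm the grant. Assumed values: the ClusterRole and binding names `krane-discovery` and `krane-discovery-<name>` are made up here; the service account `deployer` in namespace `staging` and the EKS user `circleci.com` are taken from the error messages above, and mapping an IAM identity to that username on EKS is outside what this script does.

```shell
#!/usr/bin/env sh
# Added example (not part of krane or this issue): grant only "get" on the
# non-resource URL "/" that krane's "kubectl get --raw /" needs, bound with a
# ClusterRoleBinding, then verify it. Names "krane-discovery*" are assumptions.

# Render the ClusterRole plus a ClusterRoleBinding for one subject.
#   $1 = subject kind (ServiceAccount or User), $2 = subject name,
#   $3 = namespace (used only for ServiceAccount subjects)
render_raw_root_rbac() {
  kind="$1"; name="$2"; ns="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: krane-discovery
rules:
  - nonResourceURLs:
      - "/"
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: krane-discovery-${name}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: krane-discovery
subjects:
  - kind: ${kind}
    name: ${name}
EOF
  # ServiceAccount subjects carry a namespace and no apiGroup; User subjects
  # need the RBAC apiGroup and have no namespace.
  if [ "$kind" = "ServiceAccount" ]; then
    printf '    namespace: %s\n' "$ns"
  else
    printf '    apiGroup: rbac.authorization.k8s.io\n'
  fi
}

# The username the API server sees for a subject, as it appears in the
# "User \"...\" cannot get path" error (system:serviceaccount:<ns>:<name>
# for service accounts, the bare name for users).
subject_principal() {
  if [ "$1" = "ServiceAccount" ]; then
    printf 'system:serviceaccount:%s:%s' "$3" "$2"
  else
    printf '%s' "$2"
  fi
}

# Ask the API server (as an admin able to impersonate) whether the subject may
# GET "/"; prints "yes" or "no". kubectl auth can-i accepts a non-resource URL.
check_raw_root_access() {
  kubectl auth can-i get / --as="$(subject_principal "$1" "$2" "$3")"
}

# Defaults taken from the first report in this thread; override via env.
SUBJECT_KIND="${SUBJECT_KIND:-ServiceAccount}"
SUBJECT_NAME="${SUBJECT_NAME:-deployer}"
SUBJECT_NS="${SUBJECT_NS:-staging}"

# Only touch a cluster when explicitly asked (APPLY_RBAC=1); otherwise just
# print the manifest for review.
if [ "${APPLY_RBAC:-0}" = "1" ]; then
  render_raw_root_rbac "$SUBJECT_KIND" "$SUBJECT_NAME" "$SUBJECT_NS" | kubectl apply -f -
  check_raw_root_access "$SUBJECT_KIND" "$SUBJECT_NAME" "$SUBJECT_NS"
else
  render_raw_root_rbac "$SUBJECT_KIND" "$SUBJECT_NAME" "$SUBJECT_NS"
fi
```

For the EKS report, run it as `SUBJECT_KIND=User SUBJECT_NAME=circleci.com APPLY_RBAC=1 sh grant.sh`; the `can-i` line should flip from `no` to `yes` once the binding exists, and the rule adds nothing beyond a read of `/`, so the deploy role's resource permissions stay as narrow as before.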