ansible-collections / community.kubernetes

Kubernetes Collection for Ansible
https://galaxy.ansible.com/community/kubernetes
GNU General Public License v3.0

can_i checks still not working #426

Closed jmazzitelli closed 3 years ago

jmazzitelli commented 3 years ago
SUMMARY

I originally reported this last year here: https://github.com/ansible-collections/community.kubernetes/issues/234. Some work was done to address it - PR is here: https://github.com/ansible-collections/community.kubernetes/pull/237. However, I still do not see it work; I'm getting the same error as before.

ISSUE TYPE
COMPONENT NAME

k8s

CONFIGURATION
(no output from `ansible-config dump --only-changed`)
OS / ENVIRONMENT

RHEL 8

K8S ENVIRONMENT
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.0", GitCommit:"cb303e613a121a29364f75cc67d3d580833a7479", GitTreeState:"clean", BuildDate:"2021-04-08T16:31:21Z", GoVersion:"go1.16.1", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.0", GitCommit:"9e991415386e4cf155a24b1da15becaa390438d8", GitTreeState:"clean", BuildDate:"2020-03-25T14:50:46Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
WARNING: version difference between client (1.21) and server (1.18) exceeds the supported minor version skew of +/-1
EXPECTED RESULTS

See the PR I linked above that shows what is now expected.

ACTUAL RESULTS

Same error as before.

STEPS TO REPRODUCE

I am going to show you the output of four commands I run - the first shows you my ansible version, the second shows you my collection versions from ansible-galaxy output, the third shows you the content of my test script with the replication ansible playbook, the fourth shows you the ansible run showing the error I get.

$ ansible --version
ansible 2.9.9
  config file = None
  configured module search path = ['/home/jmazzite/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/jmazzite/source/ansible/lib/ansible
  executable location = /home/jmazzite/source/ansible/bin/ansible
  python version = 3.6.8 (default, Aug 18 2020, 08:33:21) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
$ ansible-galaxy collection install -vvv community.kubernetes
ansible-galaxy 2.9.9
  config file = None
  configured module search path = ['/home/jmazzite/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/jmazzite/source/ansible/lib/ansible
  executable location = /home/jmazzite/source/ansible/bin/ansible-galaxy
  python version = 3.6.8 (default, Aug 18 2020, 08:33:21) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
No config file found; using defaults
Found installed collection operator_sdk.util:0.2.0 at '/home/jmazzite/.ansible/collections/ansible_collections/operator_sdk/util'
Found installed collection community.kubernetes:1.2.1 at '/home/jmazzite/.ansible/collections/ansible_collections/community/kubernetes'
Process install dependency map
Opened /home/jmazzite/.ansible/galaxy_token
Processing requirement collection 'community.kubernetes'
Collection 'community.kubernetes' obtained from server default https://galaxy.ansible.com/api/
Starting collection install process
Skipping 'community.kubernetes' as it is already installed
$ cat can-i.yaml 
- hosts: localhost
  gather_facts: no
  vars:
    ansible_python_interpreter: python3
  tasks:

  - name: can_i create clusterroles
    register: can_i_create_clusterroles
    ignore_errors: yes
    k8s:
      state: present
      definition:
        apiVersion: authorization.k8s.io/v1
        kind: SelfSubjectAccessReview
        spec:
          resourceAttributes:
            group: rbac.authorization.k8s.io/v1
            resource: clusterroles
            verb: create
  - debug:
      msg: "TEST={{ can_i_create_clusterroles }}"
$ ansible-playbook can-i.yaml 
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] *********************************************************************************************************************

TASK [can_i create clusterroles] *****************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "error": 405, "msg": "Failed to retrieve requested object: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"the server does not allow this method on the requested resource\",\"reason\":\"MethodNotAllowed\",\"details\":{},\"code\":405}\\n'", "reason": "Method Not Allowed", "status": 405}
...ignoring

TASK [debug] *************************************************************************************************************************
ok: [localhost] => {
    "msg": "TEST={'msg': 'Failed to retrieve requested object: b\\'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"the server does not allow this method on the requested resource\",\"reason\":\"MethodNotAllowed\",\"details\":{},\"code\":405}\\\\n\\'', 'error': 405, 'status': 405, 'reason': 'Method Not Allowed', 'failed': True, 'changed': False}"
}

PLAY RECAP ***************************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=1  

And, for the record, I can create cluster roles:

$ kubectl auth can-i create clusterroles --all-namespaces
yes

jmazzitelli commented 3 years ago

Seems you have to provide the fully scoped name of the k8s task to get this to work. When I made this change to my test playbook, it all worked:

...
    community.kubernetes.k8s:  <<--- USE THE FULL NAME HERE (not just "k8s")
      state: present
...

Closing this issue since this doesn't appear to be a bug in the collection.
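
A complete version of the access check with the fully qualified module name, as an added example that is not part of the original thread or the collection's own documentation. On Ansible 2.9 the short name `k8s` resolves to the module bundled with Ansible itself rather than to the installed collection, which is why the two names behave differently. The `result.status.allowed` return path and the second task are assumptions of this example.

```yaml
# Added example (not from the issue thread). Keeps the reporter's play
# settings; builtin modules use short names for Ansible 2.9 compatibility.
- hosts: localhost
  gather_facts: no
  vars:
    ansible_python_interpreter: python3
  tasks:

  - name: can_i create clusterroles
    register: can_i_create_clusterroles
    # No ignore_errors here: an API error (such as the 405 in the report)
    # stops the play instead of being treated as an answer.
    # Fully qualified name selects the installed collection, not the
    # k8s module bundled with Ansible 2.9.
    community.kubernetes.k8s:
      state: present
      definition:
        apiVersion: authorization.k8s.io/v1
        kind: SelfSubjectAccessReview
        spec:
          resourceAttributes:
            # resourceAttributes.group is the bare API group; the version
            # is a separate field and is not part of the group name.
            group: rbac.authorization.k8s.io
            resource: clusterroles
            verb: create

  - name: stop unless the review explicitly allows the action
    # Assumption: the module returns the created review under "result",
    # so the API server's verdict is at result.status.allowed.
    assert:
      that:
        - can_i_create_clusterroles.result.status.allowed | default(false) | bool
      fail_msg: "Current credentials may not create clusterroles"
```

Defaulting a missing `allowed` field to false makes the check fail closed, so a changed or empty response is never read as permission.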