"Insufficient permissions to access MicroK8s"

[barrettj12]

The following workflow is failing:

name: "Test MicroK8s"
on: [push, pull_request, workflow_dispatch]
jobs:
  microk8s:
    runs-on: ubuntu-latest
    steps:

    - name: Set up MicroK8s
      uses: balchua/microk8s-actions@v0.3.1
      with:
        channel: "1.25-strict/stable"
        addons: '["dns", "hostpath-storage"]'

    - name: Test MicroK8s
      run: |
        microk8s status

The second step fails with

Insufficient permissions to access MicroK8s.
You can either try again with sudo or add the user runner to the 'snap_microk8s' group:
    sudo usermod -a -G snap_microk8s runner
    sudo chown -R runner ~/.kube
After this, reload the user groups either via a reboot or by running 'newgrp snap_microk8s'.

This action should set up the user permissions correctly so that the $USER can access MicroK8s. Currently I can't do anything with MicroK8s. See logs here.

[balchua]

Thanks for this. The issue here is that even if the user is created, there is no way to open a new session to reflect the newly minted membership, atleast i couldn't find a way.

In order to use the microk8s command, one need to use the sudo or sg.

[barrettj12]

The following seems to work for me (after setting up microk8s):

sudo usermod -a -G snap_microk8s $USER
sudo chown -R $USER ~/.kube || true # this might fail if the ~/.kube file doesn't exist
newgrp snap_microk8s

[barrettj12]

Ok, newgrp seems to work when I do it in an SSH session, but not when I put it as a step inside the workflow. Might be a bug with the GitHub runners.

[barrettj12]

Ok, I see the issue. newgrp creates a new subshell with the specified groups. So it works in interactive shells, but not in automated scripts.

~Maybe we could define microk8s as an alias for sg snap_microk8s 'microk8s ...' ?~ This won't work, because other commands that want to use microk8s won't be able to access the alias.

[balchua]

Thanks @barrettj12 , so far i see using sudo is the only way to make it work.

[barrettj12]

Yep, and feedback from the microk8s team is that you can't change the microk8s group to e.g. adm.

I've opened a community discussion here on the newgrp issue, let's see if anyone gives us a potential solution.

[barrettj12]

@balchua I wonder if this will work?

[balchua]

Thanks @barrettj12 i can definitely give this a try.

[balchua]

Thanks @barrettj12 i tried the link provided. So far the method works on classic mode.

Unfortunately, it fails installing microk8s with strict mode with this error.

error: cannot perform the following tasks:
- Mount snap "microk8s" (4249) (cannot ensure users for snap "microk8s" required system username "snap_microk8s": cannot add user/group "snap_microk8s": group exists and user does not)