Closed qiliRedHat closed 2 years ago
Found this difference, but not sure if this is related.
Server Version: 4.11.0-0.nightly-2022-06-04-014713
Kubernetes Version: v1.24.0+bb9c2f1
% oc get ns dittybopper --show-labels
NAME STATUS AGE LABELS
dittybopper Active 5m17s kubernetes.io/metadata.name=dittybopper,pod-security.kubernetes.io/audit-version=v1.24,pod-security.kubernetes.io/audit=restricted,pod-security.kubernetes.io/warn-version=v1.24,pod-security.kubernetes.io/warn=restricted
Server Version: 4.10.0
Kubernetes Version: v1.23.3+e419edf
% oc get ns dittybopper --show-labels
NAME STATUS AGE LABELS
dittybopper Active 4d12h kubernetes.io/metadata.name=dittybopper
I manually deleted the extra labels of dittybopper on the 4.11 cluster, or updated "restricted" to "privileged"; later they were overwritten by the original values again. The same happened after I directly edited the namespace's YAML.
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/sa.scc.mcs: s0:c26,c5
    openshift.io/sa.scc.supplemental-groups: 1000660000/10000
    openshift.io/sa.scc.uid-range: 1000660000/10000
  creationTimestamp: "2022-06-07T01:45:19Z"
  labels:
    kubernetes.io/metadata.name: dittybopper
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.24
  name: dittybopper
  resourceVersion: "421958"
  uid: 0e7bbab7-f543-4cfe-9712-a02e85cc7c6c
spec:
  finalizers:
  - kubernetes
status:
  phase: Active
Ok, I got this difference:
Server Version: 4.11.0-0.nightly-2022-06-04-014713
Kubernetes Version: v1.24.0+bb9c2f1
% oc sa get-token prometheus-k8s -n openshift-monitoring
Command "get-token" is deprecated, and will be removed in the future version. Use oc create token instead.
error: could not find a service account token for service account "prometheus-k8s"
Server Version: 4.10.0
Kubernetes Version: v1.23.3+e419edf
% oc sa get-token prometheus-k8s -n openshift-monitoring
Command "get-token" is deprecated, and will be removed in the future version. Use oc create token instead.
eyJhbGciOiJSUzI1NiIsImtpZCI6ImNvZ2JIUTZ....
Got a workaround by replacing this line in deploy.sh
#export PROMETHEUS_BEARER=$($k8s_cmd sa get-token prometheus-k8s -n openshift-monitoring)
export PROMETHEUS_BEARER=$(oc create token prometheus-k8s -n openshift-monitoring --duration 240h)
Hi @qiliRedHat, we recently hit a similar bug in some of our tools after the k8s 1.24 rebase. The problem with the command create token
is that it is not available in "old" oc clients and it's not backwards compatible.
The following expression works fine and is backwards compatible
export PROMETHEUS_BEARER=$(oc sa get-token -n openshift-monitoring prometheus-k8s || oc sa new-token -n openshift-monitoring prometheus-k8s)
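Added example, not part of the thread or of deploy.sh: a POSIX shell helper that combines both workarounds above. It goes beyond the one-liners by trying `oc create token` first and by checking that the result has the shape of a JWT before it is exported. The function names `get_sa_token` and `looks_like_jwt` are hypothetical; `k8s_cmd` mirrors the variable in the commented-out deploy.sh line and is assumed to default to `oc`.

```shell
# Client binary; assumed to default to oc when deploy.sh has not set it.
: "${k8s_cmd:=oc}"

# A service account token is a JWT: exactly three non-empty segments
# separated by dots, containing only base64url characters.
looks_like_jwt() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^[^.]+\.[^.]+\.[^.]+$'
}

# get_sa_token SERVICEACCOUNT NAMESPACE [DURATION]
# Prints a bearer token on stdout, or returns 1 if no method works.
get_sa_token() {
  sa="$1"; ns="$2"; duration="${3:-240h}"
  for attempt in create get new; do
    case "$attempt" in
      # Newer clients: bound token that expires after $duration.
      create) token=$("$k8s_cmd" create token "$sa" -n "$ns" \
                        --duration "$duration" 2>/dev/null) ;;
      # Older clients and clusters: token stored in a secret.
      get)    token=$("$k8s_cmd" sa get-token -n "$ns" "$sa" 2>/dev/null) ;;
      # Last resort: generate a new secret-based token.
      new)    token=$("$k8s_cmd" sa new-token -n "$ns" "$sa" 2>/dev/null) ;;
    esac || continue
    # Never export an error or deprecation message as the bearer token.
    if looks_like_jwt "$token"; then
      printf '%s\n' "$token"
      return 0
    fi
  done
  echo "error: no usable token for service account $sa in $ns" >&2
  return 1
}

# Usage in a deploy script:
#   PROMETHEUS_BEARER=$(get_sa_token prometheus-k8s openshift-monitoring 240h) || exit 1
#   export PROMETHEUS_BEARER
```

A token from `oc create token` stops working once the requested duration has passed, so whatever consumes `PROMETHEUS_BEARER` has to be redeployed or refreshed before then.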
dittybopper deploy was successful, but dashboards had no data and were "Forbidden".
Deploy was successful
Resources were running well
But dashboard graphs had no data and were "Forbidden"
Directly curling got 403 Forbidden too