datashim-io / datashim

A kubernetes based framework for hassle free handling of datasets
http://datashim-io.github.io/datashim
Apache License 2.0

RBAC for CSI NFS attacher does not provide needed access for resource "volumeattachments/status" #336

Open aavarghese opened 8 months ago

aavarghese commented 8 months ago

Error below seen in pod csi-attacher-nfsplugin-0 when creating an NFS Dataset.

```
I0306 20:50:18.008574       1 round_trippers.go:435] curl -v -XPATCH  -H "Content-Type: application/merge-patch+json" -H "User-Agent: csi-attacher/v0.0.0 (linux/amd64) kubernetes/$Format" -H "Accept: application/json, */*" -H "Authorization: Bearer <masked>" 'https://10.96.0.1:443/apis/storage.k8s.io/v1/volumeattachments/csi-7e6c50e417c19067c5a2c953bcb7463aece946ea95e18b644650ba9d7807b63c/status'
I0306 20:50:18.010396       1 round_trippers.go:454] PATCH https://10.96.0.1:443/apis/storage.k8s.io/v1/volumeattachments/csi-7e6c50e417c19067c5a2c953bcb7463aece946ea95e18b644650ba9d7807b63c/status 403 Forbidden in 1 milliseconds
I0306 20:50:18.010468       1 request.go:1181] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"volumeattachments.storage.k8s.io \"csi-7e6c50e417c19067c5a2c953bcb7463aece946ea95e18b644650ba9d7807b63c\" is forbidden: User \"system:serviceaccount:jaas-system-avarghese:csi-attacher-nfs\" cannot patch resource \"volumeattachments/status\" in API group \"storage.k8s.io\" at the cluster scope","reason":"Forbidden","details":{"name":"csi-7e6c50e417c19067c5a2c953bcb7463aece946ea95e18b644650ba9d7807b63c","group":"storage.k8s.io","kind":"volumeattachments"},"code":403}
W0306 20:50:18.010555       1 trivial_handler.go:57] Error saving VolumeAttachment csi-7e6c50e417c19067c5a2c953bcb7463aece946ea95e18b644650ba9d7807b63c as attached: volumeattachments.storage.k8s.io "csi-7e6c50e417c19067c5a2c953bcb7463aece946ea95e18b644650ba9d7807b63c" is forbidden: User "system:serviceaccount:jaas-system-avarghese:csi-attacher-nfs" cannot patch resource "volumeattachments/status" in API group "storage.k8s.io" at the cluster scope
```

Fix: Needs resource "volumeattachments/status" added to https://github.com/datashim-io/datashim/blob/c5f0a2dab90a625f37cad8068b6c04b22e9beac3/src/csi-driver-nfs/chart/templates/csi-attacher-rbac.yaml#L26-L28

/cc @srikumar003 @starpit
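
An added example, not part of the original issue or the Datashim code base: a small Python helper that reads the `Response Body` line from the attacher log above and derives the single RBAC rule the denied request needs, plus a `kubectl auth can-i` check to run once the chart is updated. The sample line is constructed from the log in the issue with the VolumeAttachment name replaced by a placeholder; the function names are hypothetical.

```python
import json
import re

# Constructed sample: the "Response Body" log line quoted in the issue, with the
# VolumeAttachment name shortened to a placeholder.
SAMPLE_LINE = r'''I0306 20:50:18.010468       1 request.go:1181] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"volumeattachments.storage.k8s.io \"csi-PLACEHOLDER\" is forbidden: User \"system:serviceaccount:jaas-system-avarghese:csi-attacher-nfs\" cannot patch resource \"volumeattachments/status\" in API group \"storage.k8s.io\" at the cluster scope","reason":"Forbidden","details":{"name":"csi-PLACEHOLDER","group":"storage.k8s.io","kind":"volumeattachments"},"code":403}'''

# Wording the API server uses for an RBAC denial, namespaced or cluster-scoped.
DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)

def parse_forbidden(line):
    """Return the denied user/verb/resource/group from a 403 Status body, else None."""
    _, sep, body = line.partition("Response Body: ")
    if not sep:
        return None
    try:
        status = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(status, dict) or status.get("reason") != "Forbidden" or status.get("code") != 403:
        return None
    match = DENIAL_RE.search(status.get("message", ""))
    return match.groupdict() if match else None

def missing_rule(denial):
    """Smallest RBAC rule that covers exactly the denied request, and where it belongs."""
    kind = "Role" if denial["namespace"] else "ClusterRole"
    return kind, {"apiGroups": [denial["group"]],
                  "resources": [denial["resource"]],
                  "verbs": [denial["verb"]]}

def can_i_command(denial):
    """kubectl check to run as the service account once the role is updated."""
    resource, _, subresource = denial["resource"].partition("/")
    target = f'{resource}.{denial["group"]}' if denial["group"] else resource
    cmd = ["kubectl", "auth", "can-i", denial["verb"], target]
    if subresource:
        cmd.append(f"--subresource={subresource}")
    if denial["namespace"]:
        cmd += ["-n", denial["namespace"]]
    return " ".join(cmd + [f'--as={denial["user"]}'])

if __name__ == "__main__":
    denial = parse_forbidden(SAMPLE_LINE)
    print(missing_rule(denial))
    print(can_i_command(denial))
```

Granting only the verb and subresource named in the denial keeps the attacher's role at least privilege; the `--as` check requires the caller to hold impersonation rights on the cluster.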

srikumar003 commented 8 months ago

Thanks @aavarghese! We'll have a PR to address it