jpraet
commented
1 year ago This change seems to be breaking my application when upgrading from 6.5.0 to 6.5.1?
Exception in thread "main" io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://paas.***.be:443/apis/template.openshift.io/v1/namespaces/cbss-test-custom-jobs/templates. Message: templates.template.openshift.io is forbidden: User "system:anonymous" cannot list templates.template.openshift.io in the namespace "cbss-test-custom-jobs": no RBAC policy matched. Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=template.openshift.io, kind=templates, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=templates.template.openshift.io is forbidden: User "system:anonymous" cannot list templates.template.openshift.io in the namespace "cbss-test-custom-jobs": no RBAC policy matched, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).
at io.fabric8.kubernetes.client.KubernetesClientException.copyAsCause(KubernetesClientException.java:238)
at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.waitForResult(OperationSupport.java:546)
at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:424)
at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:392)
at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:93)
at be.fgov.kszbcss.batch.client.OpenShiftJobClient.listJobTemplates(OpenShiftJobClient.java:61)
at be.fgov.kszbcss.batch.cli.ListJobCommand.call(ListJobCommand.java:11)
at be.fgov.kszbcss.batch.cli.ListJobCommand.main(ListJobCommand.java:27)
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://paas.***.be:443/apis/template.openshift.io/v1/namespaces/cbss-test-custom-jobs/templates. Message: templates.template.openshift.io is forbidden: User "system:anonymous" cannot list templates.template.openshift.io in the namespace "cbss-test-custom-jobs": no RBAC policy matched. Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=template.openshift.io, kind=templates, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=templates.template.openshift.io is forbidden: User "system:anonymous" cannot list templates.template.openshift.io in the namespace "cbss-test-custom-jobs": no RBAC policy matched, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).
at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:701)
at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:681)
at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.assertResponseCode(OperationSupport.java:630)
at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.lambda$handleResponse$0(OperationSupport.java:591)
at java.base/java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:642)
at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)
at io.fabric8.kubernetes.client.http.StandardHttpClient.lambda$completeOrCancel$5(StandardHttpClient.java:120)
at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:859)
at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837)
at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)
at io.fabric8.kubernetes.client.http.ByteArrayBodyHandler.onBodyDone(ByteArrayBodyHandler.java:52)
at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:859)
at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837)
at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)
at io.fabric8.kubernetes.client.okhttp.OkHttpClientImpl$OkHttpAsyncBody.doConsume(OkHttpClientImpl.java:135)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Is your task related to a problem? Please describe
Originally posted by @shawkins in an internal conversation:
OpenShiftOAuthInterceptor seems to proceed with token refresh on either getting
401(UNAUTHORIZED) or403(FORBIDDEN) response codes:https://github.com/fabric8io/kubernetes-client/blob/ddfab72d81b1be3292f8447f0867d566f6a1f55b/openshift-client/src/main/java/io/fabric8/openshift/client/internal/OpenShiftOAuthInterceptor.java#L198
However, there is no mention of handing
403in RFC 6749.In kubectl source I only see 401 being handled for refresh.
In oc source, I'm not able to see 403 referenced either.
Describe the solution you'd like
OpenShiftOAuthInterceptor should only refresh when
401status code is encountered.Describe alternatives you've considered
No response
Additional context
No response