googleforgames / agones

Dedicated Game Server Hosting and Scaling for Multiplayer Games on Kubernetes
https://agones.dev
Apache License 2.0

sdk-server needs patch rbac on events #1304

Closed markmandel closed 4 years ago

markmandel commented 4 years ago

What happened:

Keep seeing variation on this log in the agones-gameserver-sidecar

{
    "textPayload": "Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:\"\", APIVersion:\"\"}, ObjectMeta:v1.ObjectMeta{Name:\"udp-servernvks2.15ee77046052eb2c\", GenerateName:\"\", Namespace:\"default\", SelfLink:\"\", UID:\"\", ResourceVersion:\"6195024\", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Initializers:(*v1.Initializers)(nil), Finalizers:[]string(nil), ClusterName:\"\"}, InvolvedObject:v1.ObjectReference{Kind:\"GameServer\", Namespace:\"default\", Name:\"udp-servernvks2\", UID:\"c4d68725-42d9-11ea-9fde-42010a8a0058\", APIVersion:\"agones.dev/v1\", ResourceVersion:\"35457583\", FieldPath:\"\"}, Reason:\"RequestReady\", Message:\"SDK state change\", Source:v1.EventSource{Component:\"gameserver-sidecar\", Host:\"\"}, FirstTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:63715928179, loc:(*time.Location)(0x1ec5620)}}, LastTimestamp:v1.Time{Time:time.Time{wall:0xbf849a471c7c8746, ext:42946745273, loc:(*time.Location)(0x1ec5620)}}, Count:2, Type:\"Normal\", EventTime:v1.MicroTime{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, Series:(*v1.EventSeries)(nil), Action:\"\", Related:(*v1.ObjectReference)(nil), ReportingController:\"\", ReportingInstance:\"\"}': 'events \"udp-servernvks2.15ee77046052eb2c\" is forbidden: User \"system:serviceaccount:default:agones-sdk\" cannot patch resource \"events\" in API group \"\" in the namespace \"default\"' (will not retry!)",
    "insertId": "1qfl46eg70g1bss",
    "resource": {
        "type": "container",
        "labels": {
            "cluster_name": "e2e-test-cluster",
            "container_name": "agones-gameserver-sidecar",
            "namespace_id": "default",
            "instance_id": "2422200727803664782",
            "zone": "us-west1-c",
            "pod_id": "udp-servernvks2",
            "project_id": "agones-images"
        }
    },
    "timestamp": "2020-01-29T20:57:00.499668Z",
    "severity": "ERROR",
    "labels": {
        "container.googleapis.com/stream": "stderr",
        "container.googleapis.com/pod_name": "udp-servernvks2",
        "container.googleapis.com/namespace_name": "default",
        "compute.googleapis.com/resource_name": "gke-e2e-test-cluster-default-baa60eee-3xd5"
    },
    "logName": "projects/agones-images/logs/agones-gameserver-sidecar",
    "receiveTimestamp": "2020-01-29T20:57:05.160658763Z"
}

What you expected to happen: To not see this log

How to reproduce it (as minimally and precisely as possible): Run a GameServer to Ready state.

Anything else we need to know?: Nope.

Environment:

suecideTech commented 4 years ago

@markmandel This bug can be reproduced by following the steps below.

  1. Create GameServer and set STATE to READY.
  2. Execute sdk.Ready() for READY GameServer by any method. (I sent a "READY" UDP packet to GameServer "examples/simple-udp".)

This is because the serviceaccount "agones-sdk" does not have "patch" authority for the resource "events".

install.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: agones-sdk
  namespace: agones-system
...
rules:
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create"]  # <-- need "patch".

Also, the sidecar creates a patch for an existing event.

Content to be fixed: Grant "patch" authority for the resource "events" to the serviceaccount "agones-sdk". If there is no problem, I will send a PR.
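
The denial above is the standard RBAC error wording, and the reason the sidecar needs "patch" as well as "create" is how client-go's event recorder works: the first occurrence of an event is created, and a repeat of the same event (same object, reason and message) is patched to bump its Count, which is why the rejected event shows Count:2 and the recorder logs "(will not retry!)". The following Go program is an added example, not Agones code: it parses an RBAC "is forbidden" message out of a log line, checks the parsed verb against the events rule quoted from install.yaml, and produces the narrowest rule change that grants it. The sample message, the Rule type and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample for this example: the RBAC denial the API server returned
// in the sidecar log quoted in the issue, with the JSON escaping removed.
const sampleForbidden = `events "udp-servernvks2.15ee77046052eb2c" is forbidden: User "system:serviceaccount:default:agones-sdk" cannot patch resource "events" in API group "" in the namespace "default"`

// Rule mirrors one entry of the rules list in a ClusterRole or Role.
type Rule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// AgonesSDKRules is the events rule from the install.yaml quoted above,
// as it stood before the fix (only "create").
var AgonesSDKRules = []Rule{
	{APIGroups: []string{""}, Resources: []string{"events"}, Verbs: []string{"create"}},
}

// Forbidden holds the fields parsed out of an RBAC "is forbidden" message.
type Forbidden struct {
	User, Verb, Resource, APIGroup, Namespace string
}

// forbiddenRe matches the standard wording of an RBAC denial; the namespace
// clause is absent for cluster-scoped resources, so it is optional.
var forbiddenRe = regexp.MustCompile(
	`User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)"(?: in the namespace "([^"]+)")?`)

// ParseForbidden extracts who was denied which verb on what from a log line.
func ParseForbidden(msg string) (Forbidden, bool) {
	m := forbiddenRe.FindStringSubmatch(msg)
	if m == nil {
		return Forbidden{}, false
	}
	return Forbidden{User: m[1], Verb: m[2], Resource: m[3], APIGroup: m[4], Namespace: m[5]}, true
}

// matches honours the "*" wildcard RBAC accepts in apiGroups, resources and verbs.
func matches(list []string, want string) bool {
	for _, s := range list {
		if s == "*" || s == want {
			return true
		}
	}
	return false
}

// Allows reports whether any rule grants verb on resource in apiGroup.
func Allows(rules []Rule, apiGroup, resource, verb string) bool {
	for _, r := range rules {
		if matches(r.APIGroups, apiGroup) && matches(r.Resources, resource) && matches(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// GrantVerb returns a copy of rules in which verb is added to the first rule
// that already covers apiGroup/resource, or as a new narrow rule if none does.
// Extending the existing rule keeps the grant as tight as the original; it
// never widens apiGroups or resources. The input slice is left untouched.
func GrantVerb(rules []Rule, apiGroup, resource, verb string) []Rule {
	out := make([]Rule, len(rules))
	for i, r := range rules {
		out[i] = Rule{
			APIGroups: append([]string(nil), r.APIGroups...),
			Resources: append([]string(nil), r.Resources...),
			Verbs:     append([]string(nil), r.Verbs...),
		}
	}
	for i := range out {
		if matches(out[i].APIGroups, apiGroup) && matches(out[i].Resources, resource) {
			if !matches(out[i].Verbs, verb) {
				out[i].Verbs = append(out[i].Verbs, verb)
			}
			return out
		}
	}
	return append(out, Rule{APIGroups: []string{apiGroup}, Resources: []string{resource}, Verbs: []string{verb}})
}

func main() {
	f, ok := ParseForbidden(sampleForbidden)
	if !ok {
		fmt.Println("not an RBAC denial")
		return
	}
	fmt.Printf("%s is missing %q on %s (group %q) in namespace %q\n", f.User, f.Verb, f.Resource, f.APIGroup, f.Namespace)
	fmt.Println("allowed before fix:", Allows(AgonesSDKRules, f.APIGroup, f.Resource, f.Verb))
	fixed := GrantVerb(AgonesSDKRules, f.APIGroup, f.Resource, f.Verb)
	fmt.Println("allowed after fix: ", Allows(fixed, f.APIGroup, f.Resource, f.Verb))
	fmt.Printf("corrected rule: %+v\n", fixed[0])
}
```

Against a live cluster the same check is a one-liner: `kubectl auth can-i patch events --as=system:serviceaccount:default:agones-sdk -n default` prints "no" with the rule as quoted and "yes" once "patch" is in the verbs list. Adding only the verb the recorder needs, rather than "*", keeps the sidecar's service account limited to writing its own events.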

markmandel commented 4 years ago

You will need to add this in the appropriate install/helm file, and then run make gen-install to generate the install.yaml - but yes -- please add this as a PR!