jetstack / kube-lego

DEPRECATED: Automatically request certificates for Kubernetes Ingress resources from Let's Encrypt
Apache License 2.0

Does not seem to work on k8s 1.8.8-gke.0 #334

Closed chrissound closed 6 years ago

chrissound commented 6 years ago

Similar issue posted here: https://github.com/jetstack/kube-lego/issues/290

E0516 21:17:29.835410       1 reflector.go:201] github.com/jetstack/kube-lego/pkg/kubelego/watch.go:191: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-lego:default" cannot list ingresses.extensions at the cluster scope: Unknown user "system:serviceaccount:kube-lego:default"
E0516 21:17:30.837592       1 reflector.go:201] github.com/jetstack/kube-lego/pkg/kubelego/watch.go:191: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-lego:default" cannot list ingresses.extensions at the cluster scope: Unknown user "system:serviceaccount:kube-lego:default"

I'm seeing the following event, and the pod is not being started:

kube-lego   2m         8h          49        kube-lego-7c66c7fddf   ReplicaSet               Warning   FailedCreate   replicaset-controller     Error creating: pods "kube-lego-7c66c7fddf-" is forbidden: service account kube-lego/kube-lego2-kube-lego was not found, retry after the service account is created

Even though it's all there:

kubectl get clusterrolebindings,serviceaccounts,clusterroles | grep lego
clusterrolebindings/kube-lego2-kube-lego                           ClusterRoleBinding.v1.rbac.authorization.k8s.io

sa/kube-lego2-kube-lego   1         21h

clusterroles/kube-lego2-kube-lego                                                   ClusterRole.v1.rbac.authorization.k8s.io

Not sure if it's due to the kube-lego/ prefix?

chrissound commented 6 years ago

I've pulled the latest code from the examples and I'm not running into the following error:

E0517 10:12:43.647494       1 reflector.go:201] github.com/jetstack/kube-lego/pkg/kubelego/watch.go:191: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-lego:kube-lego" cannot list ingresses.extensions at the cluster scope: clusterrole.rbac.authorization.k8s.io "kube-lego" not found
Unknown user "system:serviceaccount:kube-lego:kube-lego"

chrissound commented 6 years ago

It was due to the cluster role failing to be created:

Error from server (Forbidden): error when creating "lego/cluster-role.yaml": clusterroles.rbac.authorization.k8s.io "kube-lego" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["update"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["create"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["patch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["delete"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["update"]}] user=&{master@gcpwp-ayurved-subs-staging.iam.gserviceaccount.com  [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

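Added example, not code from kube-lego or from anyone in this thread: a small Python model of the RBAC escalation-prevention check behind the "attempt to grant extra privileges" error above. The apiserver only lets a user create a ClusterRole whose rules that user already holds; the sample error text is constructed (abbreviated from the one quoted, with a placeholder user), and the coverage logic is a simplification of the real one.

```python
import re
from dataclasses import dataclass
# Constructed sample, abbreviated from the error quoted in this thread: the
# requested rules come from kube-lego's example cluster-role.yaml, the
# ownerrules are what the creating GKE user actually held.
SAMPLE_ERROR = (
    'clusterroles.rbac.authorization.k8s.io "kube-lego" is forbidden: attempt to grant '
    'extra privileges: [PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} '
    'PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} '
    'PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["create"]}] '
    'user=&{user@example.com [system:authenticated]} '
    'ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], '
    'APIGroups:["authorization.k8s.io"], Verbs:["create"]} '
    'PolicyRule{NonResourceURLs:["/api" "/apis"], Verbs:["get"]}] ruleResolutionErrors=[]'
)
POLICY_RULE = re.compile(r'PolicyRule\{([^}]*)\}')
FIELD = re.compile(r'(\w+):\[([^\]]*)\]')

@dataclass(frozen=True)
class Rule:
    api_groups: tuple  # "" is the core API group; "*" matches every group
    resources: tuple
    verbs: tuple

def parse_rules(text):
    """Turn every PolicyRule{...} fragment in `text` into a Rule."""
    rules = []
    for body in POLICY_RULE.findall(text):
        f = {k: tuple(re.findall(r'"([^"]*)"', v)) for k, v in FIELD.findall(body)}
        rules.append(Rule(f.get("APIGroups", ()), f.get("Resources", ()), f.get("Verbs", ())))
    return rules

def _match(held, wanted):
    return "*" in held or wanted in held

def covers(owner_rules, wanted):
    """True if some single owner rule grants each (group, resource, verb) of `wanted`.
    Simplified from the apiserver's check; non-resource rules count as covered."""
    return all(any(_match(o.api_groups, g) and _match(o.resources, r) and _match(o.verbs, v)
                   for o in owner_rules)
               for g in wanted.api_groups for r in wanted.resources for v in wanted.verbs)

def missing_rules(error_text):
    """Requested rules the creating user does not hold: the reason creation failed."""
    requested_part, owner_part = error_text.split("ownerrules=", 1)
    owner = parse_rules(owner_part)
    return [r for r in parse_rules(requested_part) if not covers(owner, r)]

CLUSTER_ADMIN = [Rule(("*",), ("*",), ("*",))]  # what a cluster-admin binding grants
```

Running `missing_rules(SAMPLE_ERROR)` returns all three requested rules, since a user holding only selfsubjectaccessreviews and non-resource URLs covers none of them, while `covers(CLUSTER_ADMIN, rule)` is true for each, which is why the install instructions have to be followed with an identity that already holds the permissions it delegates.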
bassrock commented 6 years ago

@chrissound I am having the same issue. How did you get it to create?

chrissound commented 6 years ago

Follow the latest install instructions as they have changed.

dwjohnston commented 5 years ago

So what's the solution here? Where are the latest install instructions?

dwjohnston commented 5 years ago

Ok, if anyone is coming here from googling the error in the first post, I just manually set the RBAC resources as outlined in the example here:

https://github.com/jetstack/kube-lego/tree/master/examples/nginx