kubernetes / minikube

Run Kubernetes locally
https://minikube.sigs.k8s.io/

ingress not working on Crio #19357

Closed medyagh closed 2 months ago

medyagh commented 3 months ago

https://storage.googleapis.com/minikube-builds/logs/19312/35557/Docker_Linux_crio.html#fail_TestAddons%2fparallel%2fIngress

I replicated on macOS docker driver with crio

I noticed the Kindnet had these errors:

```
W0731 17:51:36.639523       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "namespaces" in API group "" at the cluster scope
E0731 17:51:36.639730       1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "namespaces" in API group "" at the cluster scope
W0731 17:51:36.710629       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "pods" in API group "" at the cluster scope
E0731 17:51:36.710817       1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "pods" in API group "" at the cluster scope
```

I was able to fix the issue by giving permission to the kindnet clusterrole, and it no longer gives the error

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kindnet
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - kindnet
  # Core-group rule: covers the cluster-scope list/watch on namespaces and pods
  # that the kindnet log shows as forbidden.
  - apiGroups:
      - ""
    resources:
      - nodes
      - namespaces
      - pods
    verbs:
      - list
      - watch
      - patch
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
  - apiGroups:
      - extensions
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
```

But I still can't make the svc ping on localhost inside minikube

```shell
mk start -d docker -c crio -p c3
mk addons enable ingress
kc --context c3 apply -f test/integration/testdata/nginx-ingress-v1.yaml
kc --context c3 apply -f test/integration/testdata/nginx-pod-svc.yaml
mk ssh
```
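
An added example, not part of the issue or of minikube's code: it parses the RBAC denials from the kindnet log above and checks them against a ClusterRole's rules, reporting denials that are still uncovered and the other verbs granted on the same resources so they can be reviewed for least privilege. `OLD_RULES` is an assumed pre-fix rule (the old role is not shown in the issue), and rules carrying `resourceNames` are treated as not covering a cluster-wide list.

```python
import re

# Denial messages from the kindnet log in the issue (timestamp/path prefix trimmed).
SAMPLE_LOG = '''\
failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "namespaces" in API group "" at the cluster scope
failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "pods" in API group "" at the cluster scope
'''

# Assumption: a pre-fix rule covering nodes only (the old role is not shown in the issue).
OLD_RULES = [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["list", "watch", "patch"]}]
# Core-group rule from the ClusterRole posted in the issue.
POSTED_RULES = [{"apiGroups": [""], "resources": ["nodes", "namespaces", "pods"],
                 "verbs": ["list", "watch", "patch"]}]

DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" at the cluster scope')

def parse_denials(log_text):
    """Return sorted, de-duplicated (user, apiGroup, resource, verb) denials."""
    return sorted({(m["user"], m["group"], m["resource"], m["verb"])
                   for m in DENIAL.finditer(log_text)})

def _matches(values, wanted):
    return "*" in values or wanted in values

def rule_allows(rule, group, resource, verb):
    """True if one RBAC rule permits the request across the whole cluster."""
    if rule.get("resourceNames"):  # name-scoped rules do not cover an unrestricted list
        return False
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))

def audit(rules, denials):
    """Return (uncovered denials, {resource: other verbs granted alongside the denied one})."""
    uncovered, extra = [], {}
    for _user, group, resource, verb in denials:
        allowing = [r for r in rules if rule_allows(r, group, resource, verb)]
        if not allowing:
            uncovered.append((resource, verb))
            continue
        granted = {v for r in allowing for v in r["verbs"]}
        extra[resource] = sorted(granted - {verb})  # review each; a reflector needs watch after list
    return uncovered, extra

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    print("old role:   ", audit(OLD_RULES, denials))
    print("posted role:", audit(POSTED_RULES, denials))
```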