search

kubesphere / ks-devops

This is a cloud-native application that focuses on the DevOps area.
https://kubesphere.io/devops/
Apache License 2.0
157 stars 89 forks source link

Image builder Source to Image: Publish an App without a Dockerfile #345

Open xiaokangshuai opened 2 years ago

xiaokangshuai commented 2 years ago

k8s version:1.20.10 Kubesphere version:3.1.1 harbor:2.0

image image

An error occurred after creating the submission

InternalError Internal error occurred: failed calling webhook “s2ibuilder.kb.io”: Post “https://webhook-server-service.kubesphere-devops-system.svc:443/mutate-devops-kubesphere-io-v1alpha1-s2ibuilder?timeout=30s”: dial tcp 10.102.136.136:443: connect: connection refused

pod错误信息Events: Type Reason Age From Message

Normal Scheduled 45s default-scheduler Successfully assigned devops/f-v1-548d6c6959-rkb6p to master1 Normal Pulling 45s kubelet Pulling image “common/speeder-mgr:latest” Warning Failed 9s kubelet Failed to pull image “common/speeder-mgr:latest”: rpc error: code = Unknown desc = Error response from daemon: pull access denied for common/speeder-mgr, repository does not exist or may require ‘docker login’: denied: requested access to the resource is denied Warning Failed 9s kubelet Error: ErrImagePull Normal BackOff 9s kubelet Back-off pulling image “common/speeder-mgr:latest” Warning Failed 9s kubelet Error: ImagePullBackOff

JohnNiang commented 2 years ago

/kind bug

JohnNiang commented 2 years ago

/remove-kind bug /kind support

Please confirm whether the image name common/speeder-mgr is correct or the namespace has sufficient permissions.

xiaokangshuai commented 2 years ago

The image name and namespace and permissions are correct

xiaokangshuai commented 2 years ago

s2ioperator container log E1111 10:00:53.591968 1 reflector.go:123] pkg/mod/k8s.io/client-go@v0.0.0-20190918160344-1fbdaa4c8d90/tools/cache/reflector.go:96: Failed to list v1alpha1.S2iRun: s2iruns.devops.kubesphere.io is forbidden: User "system:serviceaccount:kubesphere-devops-system:default" cannot list resource "s2iruns" in API group "devops.kubesphere.io" at the cluster scope E1111 10:00:53.592873 1 reflector.go:123] pkg/mod/k8s.io/client-go@v0.0.0-20190918160344-1fbdaa4c8d90/tools/cache/reflector.go:96: Failed to list v1alpha1.S2iBuilder: s2ibuilders.devops.kubesphere.io is forbidden: User "system:serviceaccount:kubesphere-devops-system:default" cannot list resource "s2ibuilders" in API group "devops.kubesphere.io" at the cluster scope

JohnNiang commented 2 years ago

That's so weird. Anyway, thank you for providing such detailed log. We will investigate as soon as possible.

xiaokangshuai commented 2 years ago

The s2i container does not have permission to list resources in system:serviceaccount:kubesphere-devops-system:default. may need to modify the RBAC permissions

xiaokangshuai commented 2 years ago

https://kubesphere.com.cn/forum/d/2846-s2i

JohnNiang commented 2 years ago

Hi @xiaokangshuai , please help us check the corresponding RBAC config in your environment.

By default, we have configured RBAC, please check it here: https://github.com/kubesphere/s2ioperator/tree/release-3.1/config/rbac.