kubevirt / containerized-data-importer

Data Import Service for kubernetes, designed with kubevirt in mind.
Apache License 2.0

extension-apiserver-authentication ConfigMap namespace is hard-coded #531

Closed aglitke closed 5 years ago

aglitke commented 5 years ago

/kind bug

What happened: When CDI is deployed in a namespace other than kube-system, the apiserver still looks for the extension-apiserver-authentication ConfigMap in the kube-system namespace, but the RBAC permissions will not allow access to the kube-system namespace.

What you expected to happen: We should expect the ConfigMap to reside in the same namespace as the apiserver.

How to reproduce it (as minimally and precisely as possible): Deploy CDI in a namespace other than kube-system

[alitke@brewer kubevirt]$ ./cluster/kubectl.sh get pods --all-namespaces
NAMESPACE     NAME                                      READY     STATUS                       RESTARTS   AGE
default       local-volume-provisioner-vfhv4            1/1       Running                      0          45m
kube-system   coredns-78fcdf6894-kfdkr                  1/1       Running                      0          45m
kube-system   coredns-78fcdf6894-vnjjn                  1/1       Running                      0          45m
kube-system   etcd-node01                               1/1       Running                      0          44m
kube-system   kube-apiserver-node01                     1/1       Running                      0          44m
kube-system   kube-controller-manager-node01            1/1       Running                      0          44m
kube-system   kube-flannel-ds-8vlz2                     1/1       Running                      0          45m
kube-system   kube-proxy-n88qq                          1/1       Running                      0          45m
kube-system   kube-scheduler-node01                     1/1       Running                      0          44m
kubevirt      cdi-api-597f66459b-drvvr                  0/1       CrashLoopBackOff             4          3m
kubevirt      cdi-deployment-798759bd84-vprns           1/1       Running                      0          3m
kubevirt      cdi-http-import-server-79cc449d4d-9cspr   1/1       Running                      0          3m
kubevirt      cdi-uploadproxy-5c598dbd4b-q9ww5          0/1       CreateContainerConfigError   0          3m
kubevirt      disks-images-provider-k74vh               1/1       Running                      1          3m
kubevirt      virt-api-76d7d4bb7b-jbg69                 1/1       Running                      0          3m
kubevirt      virt-controller-84878bb574-fnhhk          1/1       Running                      0          3m
kubevirt      virt-controller-84878bb574-nzg5s          1/1       Running                      0          3m
kubevirt      virt-handler-sqr42                        1/1       Running                      0          3m
[alitke@brewer kubevirt]$ ./cluster/kubectl.sh logs -n kubevirt cdi-api-597f66459b-drvvr
I1120 14:25:33.900577       1 apiserver.go:48] Note: increase the -v level in the api deployment for more detailed logging, eg. -v=2 or -v=3
W1120 14:25:33.900824       1 client_config.go:533] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
F1120 14:25:33.911970       1 apiserver.go:73] Upload api failed to initialize: Unable to get client cert: configmaps "extension-apiserver-authentication" is forbidden: User "system:serviceaccount:kubevirt:cdi-apiserver" cannot get configmaps in the namespace "kube-system"

goroutine 1 [running]:
kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog.stacks(0xc42029e900, 0xc420418000, 0x113, 0x2a0)
    /go/src/kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog/glog.go:769 +0xcf
kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog.(*loggingT).output(0x18217a0, 0xc400000003, 0xc420120630, 0x17a4d6a, 0xc, 0x49, 0x0)
    /go/src/kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog/glog.go:720 +0x32d
kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog.(*loggingT).printf(0x18217a0, 0xc400000003, 0x109adf9, 0x24, 0xc420179f48, 0x1, 0x1)
    /go/src/kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog/glog.go:655 +0x14b
kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog.Fatalf(0x109adf9, 0x24, 0xc420179f48, 0x1, 0x1)
    /go/src/kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog/glog.go:1148 +0x67
main.main()
    /go/src/kubevirt.io/containerized-data-importer/cmd/cdi-apiserver/apiserver.go:73 +0x2b3
[alitke@brewer kubevirt]$ ./cluster/kubectl.sh logs -n kubevirt cdi-uploadproxy-5c598dbd4b-q9ww5
Error from server (BadRequest): container "cdi-uploadproxy" in pod "cdi-uploadproxy-5c598dbd4b-q9ww5" is waiting to start: CreateContainerConfigError
[alitke@brewer kubevirt]$ 

Anything else we need to know?:

Environment:

mhenriks commented 5 years ago

@aglitke the extension-apiserver-authentication configmap is created by the Kubernetes apiserver, not the cdi-apiserver. So, the fix is to give cdi-apiserver permission to the configmap in kube-system.
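
The permission described in the comment above, written as RBAC manifests. This is an added example, not part of the original thread and not the CDI project's own manifests. The Role and RoleBinding names are hypothetical; the service account and its namespace are taken from the `forbidden` error in the log.

```yaml
# Added example. Names marked "hypothetical" do not come from the CDI repository.
# The Role lives in kube-system because that is where the Kubernetes apiserver
# publishes the extension-apiserver-authentication ConfigMap.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cdi-apiserver-auth-reader          # hypothetical name
  namespace: kube-system
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    # Scope the grant to the one ConfigMap the apiserver needs,
    # not every ConfigMap in kube-system.
    resourceNames: ["extension-apiserver-authentication"]
    verbs: ["get"]                         # the verb denied in the log
---
# A RoleBinding may name a subject from another namespace, so the service
# account stays in the namespace CDI was deployed to.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cdi-apiserver-auth-reader          # hypothetical name
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cdi-apiserver-auth-reader
  # Alternative: reference the Role that Kubernetes itself ships in
  # kube-system for aggregated apiservers:
  #   name: extension-apiserver-authentication-reader
subjects:
  - kind: ServiceAccount
    name: cdi-apiserver
    namespace: kubevirt                    # must match the namespace CDI runs in
```

After applying, `kubectl auth can-i get configmap/extension-apiserver-authentication -n kube-system --as=system:serviceaccount:kubevirt:cdi-apiserver` should answer `yes`, while the same query for any other ConfigMap name in kube-system should still answer `no`.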