What happened:
When CDI is deployed in a namespace other than kube-system, the apiserver still looks for the extension-apiserver-authentication ConfigMap in the kube-system namespace, but the RBAC permissions will not allow access to the kube-system namespace.
What you expected to happen:
We should expect the ConfigMap to reside in the same namespace as the apiserver.
How to reproduce it (as minimally and precisely as possible):
Deploy CDI in a namespace other than kube-system
[alitke@brewer kubevirt]$ ./cluster/kubectl.sh get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default local-volume-provisioner-vfhv4 1/1 Running 0 45m
kube-system coredns-78fcdf6894-kfdkr 1/1 Running 0 45m
kube-system coredns-78fcdf6894-vnjjn 1/1 Running 0 45m
kube-system etcd-node01 1/1 Running 0 44m
kube-system kube-apiserver-node01 1/1 Running 0 44m
kube-system kube-controller-manager-node01 1/1 Running 0 44m
kube-system kube-flannel-ds-8vlz2 1/1 Running 0 45m
kube-system kube-proxy-n88qq 1/1 Running 0 45m
kube-system kube-scheduler-node01 1/1 Running 0 44m
kubevirt cdi-api-597f66459b-drvvr 0/1 CrashLoopBackOff 4 3m
kubevirt cdi-deployment-798759bd84-vprns 1/1 Running 0 3m
kubevirt cdi-http-import-server-79cc449d4d-9cspr 1/1 Running 0 3m
kubevirt cdi-uploadproxy-5c598dbd4b-q9ww5 0/1 CreateContainerConfigError 0 3m
kubevirt disks-images-provider-k74vh 1/1 Running 1 3m
kubevirt virt-api-76d7d4bb7b-jbg69 1/1 Running 0 3m
kubevirt virt-controller-84878bb574-fnhhk 1/1 Running 0 3m
kubevirt virt-controller-84878bb574-nzg5s 1/1 Running 0 3m
kubevirt virt-handler-sqr42 1/1 Running 0 3m
[alitke@brewer kubevirt]$ ./cluster/kubectl.sh logs -n kubevirt cdi-api-597f66459b-drvvr
I1120 14:25:33.900577 1 apiserver.go:48] Note: increase the -v level in the api deployment for more detailed logging, eg. -v=2 or -v=3
W1120 14:25:33.900824 1 client_config.go:533] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
F1120 14:25:33.911970 1 apiserver.go:73] Upload api failed to initialize: Unable to get client cert: configmaps "extension-apiserver-authentication" is forbidden: User "system:serviceaccount:kubevirt:cdi-apiserver" cannot get configmaps in the namespace "kube-system"
goroutine 1 [running]:
kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog.stacks(0xc42029e900, 0xc420418000, 0x113, 0x2a0)
/go/src/kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog/glog.go:769 +0xcf
kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog.(*loggingT).output(0x18217a0, 0xc400000003, 0xc420120630, 0x17a4d6a, 0xc, 0x49, 0x0)
/go/src/kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog/glog.go:720 +0x32d
kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog.(*loggingT).printf(0x18217a0, 0xc400000003, 0x109adf9, 0x24, 0xc420179f48, 0x1, 0x1)
/go/src/kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog/glog.go:655 +0x14b
kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog.Fatalf(0x109adf9, 0x24, 0xc420179f48, 0x1, 0x1)
/go/src/kubevirt.io/containerized-data-importer/vendor/github.com/golang/glog/glog.go:1148 +0x67
main.main()
/go/src/kubevirt.io/containerized-data-importer/cmd/cdi-apiserver/apiserver.go:73 +0x2b3
[alitke@brewer kubevirt]$ ./cluster/kubectl.sh logs -n kubevirt cdi-uploadproxy-5c598dbd4b-q9ww5
Error from server (BadRequest): container "cdi-uploadproxy" in pod "cdi-uploadproxy-5c598dbd4b-q9ww5" is waiting to start: CreateContainerConfigError
[alitke@brewer kubevirt]$
Anything else we need to know?:
Environment:
CDI version (use kubectl get deployments cdi-deployment -o yaml):
@aglitke the extension-apiserver-authentication configmap is created by the Kubernetes apiserver, not the cdi-apiserver. So, the fix is to give cdi-apiserver permission to the configmap in kube-system.
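One way to grant the access described in the comment above, as an added example that is not the CDI project's own manifest: a namespaced Role in kube-system limited to the single ConfigMap, bound to the service account from the log. The Role and RoleBinding names are hypothetical; the service account and namespaces come from the error message.

```yaml
# Added example, not the CDI project's manifest.
# Role/RoleBinding names are hypothetical; the subject is the service account
# named in the "forbidden" log line (system:serviceaccount:kubevirt:cdi-apiserver).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cdi-apiserver-auth-reader        # hypothetical name
  namespace: kube-system                 # where the Kubernetes apiserver publishes the ConfigMap
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  # Restrict the grant to this one object rather than every ConfigMap in kube-system.
  resourceNames: ["extension-apiserver-authentication"]
  verbs: ["get"]                         # the verb the log shows being denied
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cdi-apiserver-auth-reader        # hypothetical name
  namespace: kube-system                 # a RoleBinding only grants access inside its own namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cdi-apiserver-auth-reader
subjects:
- kind: ServiceAccount
  name: cdi-apiserver
  namespace: kubevirt                    # the namespace CDI was deployed into
# Check after applying (expects "yes"):
#   kubectl auth can-i get configmap/extension-apiserver-authentication \
#     -n kube-system --as=system:serviceaccount:kubevirt:cdi-apiserver
```

Kubernetes also ships a Role named extension-apiserver-authentication-reader in kube-system for extension API servers, so the RoleBinding can reference that Role instead of defining a new one.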
/kind bug