lucky-sideburn / kubeinvaders

Gamified Chaos Engineering Tool for Kubernetes
Apache License 2.0

Unable to run into OCP #31

Closed jfrieu closed 4 years ago

jfrieu commented 4 years ago

I am facing an issue running KubeInvaders in OCP. I am using the ROUTE_HOST as described; however, this is also used in routes in another namespace where I have deployed the containers / pods in an organized manner in another project, the one on which I want to cause chaos. This is causing a conflict: Route "rejected". When having a look at the YAML, I see HostAlreadyClaimed: a route in another namespace holds "myroute" and is older than kubeinvaders.

Please advise

lucky-sideburn commented 4 years ago

Uhm.. strange! Which host is managing the route older than kubeinvaders? Maybe it has the same host as ROUTE_HOST.

jfrieu commented 4 years ago

Hi, yes indeed, same host. I just realised this and fixed it: added `kube.` as a prefix on the ROUTE_HOST used for my other project. Apologies.

jfrieu commented 4 years ago

Hi, thought I should reopen. Actually I have ISTIO running on my specific project (bookinfo demo), and would like to visualize what is going on during chaos. Ran these commands, and all OK:

```
TARGET_NAMESPACE=bookinfo
oc create sa kubeinvaders -n $TARGET_NAMESPACE
oc adm policy add-cluster-role-to-user kubeinvaders-role -z kubeinvaders -n $TARGET_NAMESPACE
```

Unfortunately I cannot have it running against that project, error message "K8 status code request 403"

lucky-sideburn commented 4 years ago

Did you take the token of the kubeinvaders service account?

jfrieu commented 4 years ago

Yes indeed:

```
TARGET_NAMESPACE=bookinfo
KUBEINVADERS_SECRET=$(oc get secret -n $TARGET_NAMESPACE --field-selector=type==kubernetes.io/service-account-token | grep 'kubeinvaders-token' | awk '{ print $1}' | head -n 1)
echo $KUBEINVADERS_SECRET
```

kubeinvaders-token-4j458

Actually, I have noticed there are 2 pods that aren't up naturally. I need to go to the Deployment Config, edit the ENV variable, search for K8S, and update it with one of the 2 secrets (kubeinvaders*) I find in the list. Once updated, the pods are recreated, and eventually only one is up.

lucky-sideburn commented 4 years ago

Uhm... check whether with this token you can list the pods in the namespace using `oc --token=$KUBEINVADERS_SECRET`

jfrieu commented 4 years ago

`oc get pods --token=$KUBEINVADERS_SECRET` gives "error: You must be logged in to the server (Unauthorized)"; however, `oc get pods --token=$SESSION_TOKEN` does give a list. This is the API token provided by OCP at initial login; SESSION_TOKEN here is my user token.

Documentation says TOKEN=

lucky-sideburn commented 4 years ago

Yes, the env variable for Docker is TOKEN! So the token you use is working from oc logs... Which error do you receive?

jfrieu commented 4 years ago

On project kubeinvaders:

```
oc get pods
NAME                    READY   STATUS      RESTARTS   AGE
kubeinvaders-2-deploy   0/1     Completed   0          7h5m
kubeinvaders-2-wmtcs    1/1     Running     0          7h5m
```

Don't know why 2 pods; I actually can see only one (kubeinvaders-2-wmtcs) in the OCP console.

oc logs on this pod: a bunch of GET, no error.

```
x.x.x.x - - [18/Sep/2020:19:47:13 +0000] "GET /kube/api/v1/namespaces/bookinfo/pods HTTP/1.1" 403 342 "https://kube.xxx.containers.appdomain.cloud/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" "10.175.95.12"
```

lucky-sideburn commented 4 years ago

Hi @jfrieu,

it is something related to the token used... can you please try this again?

```
oc create clusterrole kubeinvaders-role --verb=watch,get,delete,list --resource=pods,pods/log

oc create sa kubeinvaders -n kubeinvaders
oc adm policy add-cluster-role-to-user kubeinvaders-role -z kubeinvaders -n kubeinvaders

KUBEINVADERS_SECRET=$(oc get secret -n kubeinvaders --field-selector=type==kubernetes.io/service-account-token | grep 'kubeinvaders-token' | awk '{ print $1}' | head -n 1)
```

jfrieu commented 4 years ago

Hi, works now. I got confused by a video on YouTube where I understood I should use:

```
TARGET_NAMESPACE=myproject
oc create sa kubeinvaders -n $TARGET_NAMESPACE
oc adm policy add-cluster-role-to-user kubeinvaders-role -z kubeinvaders -n $TARGET_NAMESPACE
```

So with:

```
oc create sa kubeinvaders -n kubeinvaders
oc adm policy add-cluster-role-to-user kubeinvaders-role -z kubeinvaders -n kubeinvaders
```

works fine now

Thanks !!

lucky-sideburn commented 4 years ago

Great!
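
Added here as a diagnostic sketch (not code from this thread or from the kubeinvaders project): `KUBEINVADERS_SECRET` in the commands above holds a secret name such as `kubeinvaders-token-4j458`, not the token stored inside that secret, so this POSIX shell helper checks whether a value is a service-account JWT and which namespace's service account it identifies before it is used as `TOKEN` or `--token`. The function names and the unsigned sample tokens are constructed, and it assumes the token's `sub` claim has the form `system:serviceaccount:<namespace>:<name>`.

```shell
#!/bin/sh
# Added diagnostic sketch; function names and sample tokens are constructed.
# Globals are used because POSIX sh has no 'local'.

b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decode one base64url JWT segment (JWT segments omit '=' padding).
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print the "sub" claim of a JWT; fail if the value has no three-part
# header.payload.signature shape (e.g. it is a secret name).
sa_subject() {
  case "$1" in *.*.*) ;; *) return 1 ;; esac
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" |
    sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# $1 = value about to be used as TOKEN / --token
# $2 = namespace of the service account that holds the role binding (assumption)
check_token() {
  sub=$(sa_subject "$1") || { echo "not-a-jwt"; return 1; }
  case "$sub" in
    "") echo "no-subject"; return 1 ;;
    "system:serviceaccount:$2:"*) echo "ok $sub" ;;
    *) echo "wrong-namespace $sub"; return 1 ;;
  esac
}

# Constructed, unsigned sample token for namespace $1 (test data only).
sample_token() {
  printf '%s.%s.sig' "$(b64url_encode '{"alg":"RS256"}')" \
    "$(b64url_encode "{\"sub\":\"system:serviceaccount:$1:kubeinvaders\"}")"
}

check_token "kubeinvaders-token-4j458" kubeinvaders || true   # secret name
check_token "$(sample_token bookinfo)" kubeinvaders || true   # other namespace
check_token "$(sample_token kubeinvaders)" kubeinvaders       # expected account
```

The helper reads only the token's unverified payload, so it shows which account a token claims to be, not whether the API server will accept it.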