openanalytics / shinyproxy-config-examples

Configuration examples for ShinyProxy
https://www.shinyproxy.io

Create pods in separate namespace #20

Closed cnukwas closed 4 years ago

cnukwas commented 4 years ago

Ran into an issue when trying to spin up the application, with the error below, since application.yaml has no reference to a namespace and hence defaults to the 'default' namespace inside the cluster.

Error: Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: http://localhost:8001/api/v1/namespaces/default/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:sptestns:sptestns" cannot create resource "pods" in API group "" in the namespace "default": access denied.

Entry in https://github.com/openanalytics/shinyproxy-config-examples/blob/master/03-containerized-kubernetes/shinyproxy-example/application.yml:

  kubernetes:
    internal-networking: true
    url: http://localhost:8001
  specs:

cnukwas commented 4 years ago

Checked existing issues and documentation but didn't find anything, so created an issue and answered it here, to help others if anyone runs into a similar issue.

Solution: Add namespace to the following kubernetes section in the application.yaml to force the sidecar container to create 'application' pods in the given namespace, instead of the default, since we want to prevent devs using that namespace for application purposes.

Error: Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: http://localhost:8001/api/v1/namespaces/default/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:sptestns:sptestns" cannot create resource "pods" in API group "" in the namespace "default": access denied.

Entry in https://github.com/openanalytics/shinyproxy-config-examples/blob/master/03-containerized-kubernetes/shinyproxy-example/application.yml:

  kubernetes:
    internal-networking: true
    url: http://localhost:8001
  specs:

Added namespace as below to application.yaml to let the sidecar container create new pods inside the 'sptestns' namespace.

  kubernetes:
    internal-networking: true
    url: http://localhost:8001
    namespace: sptestns
  specs:

Also created a different serviceaccount with same name as the namespace, in this case 'sptestns' since the 'default' account doesn't have all the permissions required to create pods and other operations.

cnukwas commented 4 years ago

@fmichielssen, would it be possible to add a note to application.yaml to indicate use of a namespace? Thanks

aupadh12 commented 3 years ago

Hi @cnukwas, I am faced with this same situation as well, where I also tried to include the namespace in the application.yml file. But now, I am getting the below error: Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: http://localhost:8001/api/v1/namespaces/shinyproxy/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:shinyproxy:default" cannot create resource "pods" in API group "" in the namespace "shinyproxy".

Where can I set system:serviceaccount:shinyproxy:default to system:serviceaccount:shinyproxy:shinyproxy as I am thinking that will resolve the issue. cc: @fmichielssen

LEDfan commented 3 years ago

@cnukwas The namespace option is documented here https://shinyproxy.io/documentation/configuration/#kubernetes

@aupadh12 you can change the serviceaccount of a single app using the kubernetes-pod-patches feature documented here https://shinyproxy.io/documentation/configuration/#apps (you have to scroll down a bit)

When changing the service account, you should make sure it has the correct permission using the RBAC configuration of Kubernetes.
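
The RBAC setup this thread points to, as an added example that is not part of the original comments or the ShinyProxy project's own configuration: a dedicated service account with a namespaced Role instead of a cluster-wide grant. The namespace and service account name `sptestns` come from the error message above; the object names `shinyproxy-pod-manager` and `shinyproxy-pod-manager-binding` are hypothetical, and every verb other than `create` on `pods` is an assumption about what the proxy needs, so trim or extend the list against your own Forbidden errors.

```yaml
# Added example (not from the thread). Scope: namespace "sptestns" only.
# The error in this issue confirms one missing permission: create on pods.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sptestns            # from the thread: system:serviceaccount:sptestns:sptestns
  namespace: sptestns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                  # Role, not ClusterRole: grants nothing outside sptestns
metadata:
  name: shinyproxy-pod-manager   # hypothetical name
  namespace: sptestns
rules:
  - apiGroups: [""]         # core API group, shown as API group "" in the error
    resources: ["pods"]
    # "create" is the verb the error reports; the rest are assumed to be
    # needed to track and stop app pods.
    verbs: ["create", "get", "list", "watch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shinyproxy-pod-manager-binding   # hypothetical name
  namespace: sptestns
subjects:
  - kind: ServiceAccount
    name: sptestns
    namespace: sptestns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: shinyproxy-pod-manager
# Check the result without restarting the proxy:
#   kubectl auth can-i create pods -n sptestns \
#     --as=system:serviceaccount:sptestns:sptestns      (expected: yes)
#   kubectl auth can-i create pods -n default \
#     --as=system:serviceaccount:sptestns:sptestns      (expected: no)
```

The second check matters as much as the first: with `namespace: sptestns` set in application.yaml, the service account should remain unable to create pods in `default`.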