Closed cnukwas closed 4 years ago
Checked existing issues and documentation but didn't find anything, so created an issue and answered it here, to help others if anyone runs into a similar issue.
Solution: Add namespace to the following kubernetes section in the application.yaml to force the sidecar container to create 'application' pods in the given namespace, instead of the default since we want to prevent devs using that namespace for application purposes.
Error: Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: http://localhost:8001/api/v1/namespaces/default/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:sptestns:sptestns" cannot create resource "pods" in API group "" in the namespace "default": access denied.
kubernetes:
  internal-networking: true
  url: http://localhost:8001
specs:
Added namespace as below to application.yaml to let the sidecar container create new pods inside the 'sptestns' namespace.
kubernetes:
  internal-networking: true
  url: http://localhost:8001
  namespace: sptestns
specs:
Also created a different serviceaccount with the same name as the namespace, in this case 'sptestns', since the 'default' account doesn't have all the permissions required to create pods and other operations.
@fmichielssen, would it be possible to add a note to application.yaml to indicate use of a namespace? Thanks
Hi @cnukwas, I am faced with this same situation as well, where I also tried to include the namespace in the application.yml file. But now I am getting the error below: Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: http://localhost:8001/api/v1/namespaces/shinyproxy/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:shinyproxy:default" cannot create resource "pods" in API group "" in the namespace "shinyproxy".
Where can I set system:serviceaccount:shinyproxy:default to system:serviceaccount:shinyproxy:shinyproxy as I am thinking that will resolve the issue. cc: @fmichielssen
@cnukwas The namespace option is documented here https://shinyproxy.io/documentation/configuration/#kubernetes
@aupadh12 you can change the serviceaccount of a single app using the kubernetes-pod-patches feature documented here https://shinyproxy.io/documentation/configuration/#apps (you have to scroll down a bit)
When changing the service account, you should make sure it has the correct permission using the RBAC configuration of Kubernetes.
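A namespace-scoped RBAC setup for the situation in this thread, as an added example that is not part of the original comments or the ShinyProxy project. The namespace and service account names (`sptestns`) come from the thread; the Role and RoleBinding name and the verb list beyond `create` are assumptions.

```yaml
# Added example. Grants the 'sptestns' service account rights on pods in the
# 'sptestns' namespace only, instead of a cluster-wide binding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sptestns
  namespace: sptestns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: shinyproxy-app-pods   # hypothetical name
  namespace: sptestns         # same value as 'namespace' under 'kubernetes:' in application.yaml
rules:
  - apiGroups: [""]           # core API group, shown as API group "" in the error
    resources: ["pods"]
    # Assumed verb set: the thread only confirms "create" is required.
    # Extend or trim based on any further Forbidden messages.
    verbs: ["create", "get", "list", "watch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shinyproxy-app-pods   # hypothetical name
  namespace: sptestns
subjects:
  - kind: ServiceAccount
    name: sptestns            # the identity named in the error: system:serviceaccount:sptestns:sptestns
    namespace: sptestns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: shinyproxy-app-pods
```

The binding can be checked with `kubectl auth can-i create pods --as=system:serviceaccount:sptestns:sptestns -n sptestns`. The identity in a Forbidden message is the service account of the pod making the API call, so a message naming `...:default` means that pod's spec has no `serviceAccountName` set.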
Ran into an issue when trying to spin up the application, with the error below, since application.yaml has no reference to a namespace and hence defaults to the 'default' namespace inside the cluster.
Error: Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: http://localhost:8001/api/v1/namespaces/default/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:sptestns:sptestns" cannot create resource "pods" in API group "" in the namespace "default": access denied.
Entry in https://github.com/openanalytics/shinyproxy-config-examples/blob/master/03-containerized-kubernetes/shinyproxy-example/application.yml: