bbrowning
commented
6 years ago This was just recently fixed upstream in https://github.com/apache/incubator-openwhisk/pull/3409
Until we get a new Invoker container image built and pushed, you can workaround it for now by setting a CONFIG_whisk_kubernetes_namespace environment variable in your invoker statefulset template spec to your namespace. Add something like this alongside the other env variables in the Invoker container spec of the template:
- name: CONFIG_whisk_kubernetes_namespace
valueFrom:
fieldRef:
fieldPath: metadata.namespace That should workaround things until we get this fixed percolated through. Sorry about that.
jcrossley3
I did deploy openwhisk into an openshift project called "dfroehli-wsk". Invoker is failing with [2018-03-08T16:30:25.585Z] [ERROR] Failure executing: POST at: https://kubernetes.default.svc/api/v1/namespaces/openwhisk/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:dfroehli-wsk:openwhisk" cannot create pods in the namespace "openwhisk": User "system:serviceaccount:dfroehli-wsk:openwhisk" cannot create pods in project "openwhisk". io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://kubernetes.default.svc/api/v1/namespaces/openwhisk/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:dfroehli-wsk:openwhisk" cannot create pods in the namespace "openwhisk": User "system:serviceaccount:dfroehli-wsk:openwhisk" cannot create pods in project "openwhisk". at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:407) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:226) at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:757) at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:344) at whisk.core.containerpool.kubernetes.KubernetesClient.run(KubernetesClient.scala:153) at whisk.core.containerpool.kubernetes.KubernetesContainer$.create(KubernetesContainer.scala:69) at whisk.core.containerpool.kubernetes.KubernetesContainerFactory.createContainer(KubernetesContainerFactory.scala:64) at whisk.core.invoker.InvokerReactive$$anonfun$6$$anonfun$apply$6.apply(InvokerReactive.scala:142) at whisk.core.invoker.InvokerReactive$$anonfun$6$$anonfun$apply$6.apply(InvokerReactive.scala:142) at whisk.core.containerpool.ContainerProxy$$anonfun$1.applyOrElse(ContainerProxy.scala:128) at whisk.core.containerpool.ContainerProxy$$anonfun$1.applyOrElse(ContainerProxy.scala:109) at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36) at akka.actor.FSM$class.processEvent(FSM.scala:665) at whisk.core.containerpool.ContainerProxy.processEvent(ContainerProxy.scala:93) at akka.actor.FSM$class.akka$actor$FSM$$processMsg(FSM.scala:659) at akka.actor.FSM$$anonfun$receive$1.applyOrElse(FSM.scala:653) at akka.actor.Actor$class.aroundReceive(Actor.scala:517) at whisk.core.containerpool.ContainerProxy.aroundReceive(ContainerProxy.scala:93) at akka.actor.ActorCell.receiveMessage(ActorCell.scala:527) at akka.actor.ActorCell.invoke(ActorCell.scala:496) at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:257) at akka.dispatch.Mailbox.run(Mailbox.scala:224) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)
There is no namespace "openwhisk" in my cluster. So it seems to be somewhere missing a config entry for the invoker point to the correct namespace.