redhat-cop / podpreset-webhook

Implementation of Kubernetes PodPreset as an Admission Webhook.
Apache License 2.0

"error":"mutatingwebhookconfigurations.admissionregistration.k8s.io is forbidden: #8

Open noptanakhon opened 3 years ago

noptanakhon commented 3 years ago

kubeadm version

kubeadm version: &version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.2", GitCommit:"faecb196815e248d3ecfb03c680a4507229c2a56", GitTreeState:"clean", BuildDate:"2021-01-13T13:25:59Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}

kubectl logs podpreset-webhook-68c4ffbb8b-ptw9b

{"level":"info","ts":1612442241.8420184,"logger":"cmd","msg":"Go Version: go1.12"}
{"level":"info","ts":1612442241.8420722,"logger":"cmd","msg":"Go OS/Arch: linux/amd64"}
{"level":"info","ts":1612442241.8420768,"logger":"cmd","msg":"Version of operator-sdk: v0.10.0"}
{"level":"info","ts":1612442242.0041437,"logger":"cmd","msg":"Registering Components."}
{"level":"info","ts":1612442242.3313715,"logger":"cmd","msg":"Could not create ServiceMonitor object","error":"no ServiceMonitor registered with the API"}
{"level":"info","ts":1612442242.3314064,"logger":"cmd","msg":"Install prometheus-operator in your cluster to create ServiceMonitor objects","error":"no ServiceMonitor registered with the API"}
{"level":"info","ts":1612442242.3314116,"logger":"cmd","msg":"Starting the Cmd."}
{"level":"info","ts":1612442242.431955,"logger":"kubebuilder.webhook","msg":"installing webhook configuration in cluster"}
{"level":"error","ts":1612442242.5360901,"logger":"cmd","msg":"Manager exited non-zero","error":"mutatingwebhookconfigurations.admissionregistration.k8s.io is forbidden: User \"system:serviceaccount:default:podpreset-webhook\" cannot create resource \"mutatingwebhookconfigurations\" in API group \"admissionregistration.k8s.io\" at the cluster scope","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/home/travis/gopath/pkg/mod/github.com/go-logr/zapr@v0.1.1/zapr.go:128\nmain.main\n\t/home/travis/gopath/src/github.com/redhat-cop/podpreset-webhook/cmd/manager/main.go:142\nruntime.main\n\t/home/travis/.gimme/versions/go1.12.linux.amd64/src/runtime/proc.go:200"}

tfluehmann commented 3 years ago

Tried it out in GKE (k8s version 1.17). It displays the same error, even though it should have the permission:

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: podpreset-webhook
subjects:
  - kind: ServiceAccount
    name: podpreset-webhook
    namespace: podpreset-webhook
roleRef:
  kind: ClusterRole
  name: podpreset-webhook
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: podpreset-webhook
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
      - get
      - create
  - apiGroups:
      - redhatcop.redhat.io
    resources:
      - "*"
    verbs:
      - "*"
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
    verbs:
      - "*"
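A check that reads the forbidden message from the log above and tests it against the RBAC manifests in the previous comment, added here as an example and not code from the issue or the project: it parses the rejected user, verb, resource and API group, then reports whether the ClusterRoleBinding subject actually covers that ServiceAccount (name and namespace) and whether the ClusterRole rules grant the verb. The manifests are transcribed into Python dicts so the script runs without PyYAML.

```python
import re

# Constructed from the "Manager exited non-zero" log line in the issue.
FORBIDDEN_ERROR = (
    'mutatingwebhookconfigurations.admissionregistration.k8s.io is forbidden: '
    'User "system:serviceaccount:default:podpreset-webhook" cannot create resource '
    '"mutatingwebhookconfigurations" in API group "admissionregistration.k8s.io" '
    'at the cluster scope'
)

# Transcribed from the ClusterRoleBinding / ClusterRole YAML in the comment above.
BINDING_SUBJECTS = [
    {"kind": "ServiceAccount", "name": "podpreset-webhook", "namespace": "podpreset-webhook"},
]
ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "get", "create"]},
    {"apiGroups": ["redhatcop.redhat.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["mutatingwebhookconfigurations"], "verbs": ["*"]},
]

ERR_RE = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource '
                    r'"(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"')

def parse_forbidden(msg):
    """Extract user, verb, resource and API group from an RBAC 'forbidden' message."""
    m = ERR_RE.search(msg)
    if not m:
        raise ValueError("not an RBAC forbidden message")
    return m.groupdict()

def subject_bound(user, subjects):
    """True if system:serviceaccount:<ns>:<name> matches a ServiceAccount subject exactly."""
    parts = user.split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        return False
    ns, name = parts[2], parts[3]
    return any(s["kind"] == "ServiceAccount" and s["name"] == name and s["namespace"] == ns
               for s in subjects)

def rule_allows(rules, group, resource, verb):
    """True if any rule grants verb on resource in group; '*' is a wildcard, as in RBAC."""
    return any((group in r["apiGroups"] or "*" in r["apiGroups"])
               and (resource in r["resources"] or "*" in r["resources"])
               and (verb in r["verbs"] or "*" in r["verbs"]) for r in rules)

def diagnose(msg, subjects, rules):
    """Return 'not-bound', 'role-lacks-rule' or 'bound' for the identity in the message."""
    f = parse_forbidden(msg)
    if not subject_bound(f["user"], subjects):
        return "not-bound"      # binding names a different SA name or namespace
    if not rule_allows(rules, f["group"], f["resource"], f["verb"]):
        return "role-lacks-rule"
    return "bound"

if __name__ == "__main__":
    print(diagnose(FORBIDDEN_ERROR, BINDING_SUBJECTS, ROLE_RULES))
```

For the manifests as posted, the result is `not-bound`: the error names the ServiceAccount in namespace `default`, while the binding subject is in namespace `podpreset-webhook`, so the rule granting `mutatingwebhookconfigurations` never applies to that identity.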