sensu / sensu-go

Simple. Scalable. Multi-cloud monitoring.
https://sensu.io
MIT License

Required ".initialized" key in external etcd gives sensu user access to all key spaces #5047

Open bitnik opened 5 months ago

bitnik commented 5 months ago

Expected Behavior

We want to use an external etcd for our sensu backend. We expected that configuring it as described in the documentation would be enough.

Current Behavior

While initializing the sensu backend, it fails with a "permission denied" error, because it requires access to the ".initialized" key too. After giving access to that key, initialization goes through without problem, but then the problem is that the sensu user has access to the / key space too.

Possible Solution

Move the required ".initialized" key to "/sensu.io/.initialized".

Steps to Reproduce (for bugs)

  1. Deploy an etcd cluster
  2. Create sensu user and its roles as described in documentation
  3. Init the sensu backend as described in documentation

Context

We want to limit the access of the sensu user to the /sensu.io/ key space only, because we plan to have other applications using other key spaces.

Your Environment

bitnik commented 4 months ago

Hello,

Here is some more information we just found out. When we check the keys in etcd, we see that only "/sensu.io/.initialized" key exists. ".initialized" key doesn't exist at all. This is really strange.

We just did a new test deployment and created a sensu user in etcd without access to ".initialized" key and during initialization we got the "permission denied" error again:

{"component":"etcd","level":"warning","logger":"etcd-client","caller":"v3@v3.5.5/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00098a1c0/etcd-1.etcd-headless.sensu-test.svc.cluster.local:2379","attempt":0,"error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied","time":"2024-02-22T10:07:38Z"}
{"component":"cmd","level":"error","msg":"error seeding cluster, is cluster healthy? failed to create initializer lock: etcdserver: permission denied","time":"2024-02-22T10:07:38Z"}

After giving access to the ".initialized" key, initialization goes through without problem, but as mentioned earlier, the ".initialized" key doesn't exist in etcd. So it looks like sensu requires permission to a key that it doesn't use at all?
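An added audit helper for the concern in this thread (my own example, not code from Sensu or from the reporter): given an etcd role's grants as (key, range_end) byte pairs, modelled the way etcd stores them as half-open intervals, it reports any grant that reaches outside the /sensu.io/ prefix, allowing ".initialized" only as an exact single-key grant. The sample roles are constructed for illustration; the issue does not show how the reporter's grant was actually written.

```python
# Added example, not part of sensu-go. Audits etcd role grants against the
# single prefix a sensu user is supposed to be confined to. etcd stores each
# grant as [key, range_end): empty range_end means exactly one key, a
# range_end of b"\x00" means every key >= key (open-ended).

def prefix_range_end(prefix: bytes) -> bytes:
    """Range end etcdctl derives for --prefix: last non-0xFF byte + 1."""
    b = bytearray(prefix)
    for i in range(len(b) - 1, -1, -1):
        if b[i] < 0xFF:
            b[i] += 1
            return bytes(b[: i + 1])
    return b"\x00"  # all bytes were 0xFF: open-ended

def grant_covers(key: bytes, range_end: bytes, probe: bytes) -> bool:
    """Does the grant [key, range_end) allow access to key `probe`?"""
    if range_end == b"":
        return probe == key
    if range_end == b"\x00":
        return probe >= key
    return key <= probe < range_end

def grant_is_confined(key: bytes, range_end: bytes,
                      allowed_prefix: bytes, allowed_keys=()) -> bool:
    """True if the grant cannot reach keys outside the prefix or allowlist."""
    if range_end == b"":                       # single-key grant
        return key.startswith(allowed_prefix) or key in allowed_keys
    if range_end == b"\x00":                   # open-ended: always too broad
        return False
    return key >= allowed_prefix and range_end <= prefix_range_end(allowed_prefix)

def audit_role(perms, allowed_prefix: bytes, allowed_keys=()):
    """Return the grants that leak outside the allowed prefix/allowlist."""
    return [(k, e) for k, e in perms
            if not grant_is_confined(k, e, allowed_prefix, allowed_keys)]

# Constructed sample roles (not taken from the reporter's cluster).
TIGHT_ROLE = [(b"/sensu.io/", b"/sensu.io0"), (b".initialized", b"")]
BROAD_ROLE = [(b"/sensu.io/", b"/sensu.io0"), (b".initialized", b"\x00")]

if __name__ == "__main__":
    for name, role in (("tight", TIGHT_ROLE), ("broad", BROAD_ROLE)):
        print(name, "leaks:", audit_role(role, b"/sensu.io/", {b".initialized"}))
    # "." sorts before "/", so an open-ended grant from ".initialized"
    # reaches every "/..." key of every other application.
    print(grant_covers(b".initialized", b"\x00", b"/other-app/config"))
```

The open-ended case is the one worth checking on a shared cluster: because "." sorts before "/", a range grant starting at ".initialized" with no upper bound covers every other application's keys, whereas the exact single-key grant does not.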