solo-io / squash

The debugger for microservices
https://squash.solo.io
Apache License 2.0
1.74k stars 103 forks

Squash Container Tried to Register CRDs #241

Open orlando-jamie opened 4 years ago

orlando-jamie commented 4 years ago

I took away the following CRD permissions from the squash role, as they are already installed per secure mode.

- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - register

However, the squash pod fails with the following error.

$ kubectl logs squash-58dcb9bd49-lbsxw -n squash-debugger
time="2019-10-09T12:23:51Z" level=info msg="squash started dev, 2019-02-26.18:04:27"
ERROR: logging before flag.Parse: I1009 12:23:51.510752       1 remote_runtime.go:43] Connecting to runtime service /var/run/cri.sock
ERROR: logging before flag.Parse: W1009 12:23:51.510767       1 util_unix.go:75] Using "/var/run/cri.sock" as endpoint is deprecated, please consider using full url format "unix:///var/run/cri.sock".
time="2019-10-09T12:23:51Z" level=info msg="Squash Client started"
time="2019-10-09T12:23:51Z" level=error msg=RunDebugBridge err="failed to register crd: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:squash-debugger:squash\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope"
time="2019-10-09T12:23:51Z" level=fatal msg="Error running debug bridge" error="failed to register crd: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:squash-debugger:squash\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope"

Tracking down the error, "RunDebugBridge", I can see the error is caused by the call to create the GetBasicDebugAttachmentClient. https://github.com/solo-io/squash/blob/d5826fcc7b42cec37a867d7c479f68747cf488c5/pkg/squash/squash.go#L30

Going further down the rabbit hole, I see that the client is part of the solo-kit client (github.com/solo-io/solo-kit/pkg/api/v1/clients). https://github.com/solo-io/squash/blob/e42715ca201a662c7e09d0e9f44ea4061284c261/pkg/api/v1/debug_attachment_client.sk.go#L18

However, looking into some closed issues, it seems that you intended to have already closed this bug? https://github.com/solo-io/squash/issues/155.

Any idea why the squash server container is still trying to create the CRDs within the solo-kit client?

Thank You, -Jamie
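An added example, not part of the original issue and not code from squash or solo-kit: it parses the API server's "forbidden" text from the pod log quoted above and reports the exact verb, resource, API group and scope that were denied, so the role can be compared against what the pod requests at startup. `ParseDenials` and `RuleYAML` are hypothetical helper names; the sample log is the two error lines from the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleLog holds the two error lines from the pod log quoted in the issue above.
const sampleLog = `time="2019-10-09T12:23:51Z" level=error msg=RunDebugBridge err="failed to register crd: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:squash-debugger:squash\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope"
time="2019-10-09T12:23:51Z" level=fatal msg="Error running debug bridge" error="failed to register crd: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:squash-debugger:squash\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope"`

// Denial is one RBAC authorization failure reported by the API server.
type Denial struct {
	User, Verb, Resource, APIGroup string
	ClusterScope                   bool
}

// forbiddenRe matches the authorization failure wording seen in the log above.
var forbiddenRe = regexp.MustCompile(`User "([^"]+)" cannot (\S+) resource "([^"]+)" in API group "([^"]*)"( at the cluster scope| in the namespace "[^"]+")?`)

// ParseDenials (hypothetical helper) returns each distinct denial found in log text.
func ParseDenials(log string) []Denial {
	log = strings.ReplaceAll(log, `\"`, `"`) // the logger escapes quotes inside err="..."
	seen := map[Denial]bool{}
	var out []Denial
	for _, m := range forbiddenRe.FindAllStringSubmatch(log, -1) {
		d := Denial{m[1], m[2], m[3], m[4], strings.Contains(m[5], "cluster scope")}
		if !seen[d] { // the same denial is logged at error and fatal level
			seen[d] = true
			out = append(out, d)
		}
	}
	return out
}

// RuleYAML renders the single-verb RBAC rule that corresponds to the denial.
func (d Denial) RuleYAML() string {
	return fmt.Sprintf("- apiGroups:\n  - %q\n  resources:\n  - %s\n  verbs:\n  - %s\n", d.APIGroup, d.Resource, d.Verb)
}

func main() {
	for _, d := range ParseDenials(sampleLog) {
		fmt.Printf("%s denied %q (cluster scope: %v)\n%s", d.User, d.Verb, d.ClusterScope, d.RuleYAML())
	}
}
```

For the log in this issue it reports a single denial: `create` on `customresourcedefinitions` at cluster scope, out of the seven verbs that were removed from the role.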