telephoneorg / docker-kamailio

Kamailio Dockerized for Kubernetes

Kubewait can't reach API URL because of issue with permissions #3

Open sashker opened 6 years ago

sashker commented 6 years ago

Hello, Joe.

Probably, you don't use RBAC in your Kubernetes cluster, but I do. So, a bunch of monitoring containers can't reach API rules because of permissions. (I've made files with the roles and will make a PR later.)

But I have the next problem:

1) I've created the necessary Roles and RoleBindings.
2) But kubewait doesn't get them:

pykube.exceptions.HTTPError: deployments.extensions "rabbitmq" is forbidden: User "system:serviceaccount:default:default" cannot get deployments.extensions in the namespace "default": [clusterrole.rbac.authorization.k8s.io "get-deployments-default" not found, role.rbac.authorization.k8s.io "get-rabbitmq-resources" not found]

though they exist and they are visible via kubectl:

root@kmaster1:~/# kubectl get roles
NAME                       AGE
get-couchdb-configmap      2d
get-couchdb-statefulsets   2d
get-rabbitmq-resources     22h

joeblackwaslike commented 6 years ago

I currently don't use RBAC, but it looks like a role named get-deployments-default is missing. Have you tried that?

It also seems that, since I created kubewait, either the Kubernetes API or pykube has changed with regard to deployments. I'm currently investigating the cause of this.

sashker commented 6 years ago

Probably this is a bug in our cluster or in Kubernetes, because sometimes everything works fine and sometimes this error happens. I.e., the API doesn't know about the roles and bindings even if they exist.
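
Added example, not part of the thread and not kubewait's or pykube's code: the thread never shows what the existing Roles contain, so this sketch parses the Forbidden message quoted in the issue and derives the narrowest Role and RoleBinding the denied request would need, for comparison against what is deployed. The function names and the generated role name are constructed for illustration, and the parser assumes the message format exactly as quoted above.

```python
import re

# Shape of the API server's RBAC denial text as quoted in this issue (assumed format).
FORBIDDEN = re.compile(
    r'(?P<resource>[a-z]+)(?:\.(?P<group>[a-z0-9.]+))? "(?P<name>[^"]+)" is forbidden: '
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) \S+ in the namespace "(?P<ns>[^"]+)"')
MISSING = re.compile(r'(clusterrole|role)\.rbac\.authorization\.k8s\.io "([^"]+)" not found')

def parse_forbidden(message):
    """Return the denied request plus the roles the authorizer could not resolve."""
    m = FORBIDDEN.search(message)
    if m is None:
        raise ValueError("not an RBAC forbidden message")
    denied = m.groupdict()
    denied["group"] = denied["group"] or ""  # the core API group is the empty string
    denied["unresolved"] = MISSING.findall(message)  # [(kind, name), ...]
    return denied

def subject_for(user):
    """Map the authenticated user name to an RBAC subject."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return {"kind": "ServiceAccount", "namespace": parts[2], "name": parts[3]}
    return {"kind": "User", "apiGroup": "rbac.authorization.k8s.io", "name": user}

def least_privilege(denied):
    """Build a Role/RoleBinding pair granting only the one denied request."""
    role_name = "{verb}-{resource}-{name}".format(**denied)  # constructed name
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": {"name": role_name, "namespace": denied["ns"]},
        "rules": [{"apiGroups": [denied["group"]], "resources": [denied["resource"]],
                   "resourceNames": [denied["name"]], "verbs": [denied["verb"]]}],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
        "metadata": {"name": role_name, "namespace": denied["ns"]},
        "subjects": [subject_for(denied["user"])],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role_name},
    }
    return role, binding

# The error text quoted in the issue above.
SAMPLE = (
    'deployments.extensions "rabbitmq" is forbidden: User '
    '"system:serviceaccount:default:default" cannot get deployments.extensions in the '
    'namespace "default": [clusterrole.rbac.authorization.k8s.io "get-deployments-default" '
    'not found, role.rbac.authorization.k8s.io "get-rabbitmq-resources" not found]'
)
```

The `unresolved` list separates bindings that point at a role the authorizer could not find from a rule that simply does not cover the request, which is the distinction the error in this issue turns on.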