briprowe
commented
4 years ago I am also intermittently encountering this when running in minikube.
minikube version: v1.14.2
commit: 2c82918e2347188e21c4e44c8056fc80408bce10Open marcgarciajr opened 4 years ago
briprowe
commented
4 years ago I am also intermittently encountering this when running in minikube.
minikube version: v1.14.2
commit: 2c82918e2347188e21c4e44c8056fc80408bce10
KennyReeldata
commented
4 years ago Running into this with K3s in an on-premise setup as well..
Keralin
commented
3 years ago You have to allow the serviceaccount that you are using to list some resources from kubernetes otherwise it will fail like yours it's failing. It is failing because doesnt have the enough permissions to be able to do some actions (in th is case list all the namespaces). You can define new permissions or create anoñther serviceAccount to avoid editing the default one that comes from Kubernetes.
lackhoa
commented
3 years ago What is the permissions that this app need? Do you assume that it should run as admin?
Keralin
commented
3 years ago What is the permissions that this app need? Do you assume that it should run as admin?
No that's wrong, you should'nt run as admin. In my case I added the permissions: namespace: list, get, watch secrets: get, list, watch, create, update, patch and delete serviceaccount: all the permissions.
Remember that the app list all namespaces, and updates or creates secrets to that namespace with the secrets to allow that namespace to dowload the images from the private repository
lackhoa
commented
3 years ago @Keralin What do you mean "in your case"? Are there different use cases? I read that only the default serviceAccount is mutated, so do we really need all the permissions for all serviceAccounts?
Keralin
commented
3 years ago @lackhoa Sorry for the delay, I just added to this PR with the files you will need. https://github.com/upmc-enterprises/registry-creds/pull/103
ac5tin
commented
2 years ago i only configured the secrests.yml and deployment.yml for AWS ECR and got the following error in the pod
Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "namespaces" in API group "" at the cluster scope
kaiffeetasse
commented
2 years ago @ac5tin I think you are missing the api_groups = "" permission
motoshkov
Any idea why would this happen? Seems like the Go app can't list the namespaces. What can I do in this case?
It is configured for AWS ECR the same registry works fine on minikube, but in dev cluster, it doesn't.
Here is the error:
`time="2020-10-21T05:10:45Z" level=info msg="Starting up..." time="2020-10-21T05:10:45Z" level=info msg="Using AWS Account: 81xxxxxxxx" time="2020-10-21T05:10:45Z" level=info msg="Using AWS Region: ca-central-1" time="2020-10-21T05:10:45Z" level=info msg="Using AWS Assume Role: arn:aws:iam::81xxxxxxx:role/xxxxxxxxxx" time="2020-10-21T05:10:45Z" level=info msg="Refresh Interval (minutes): 60" time="2020-10-21T05:10:45Z" level=info msg="Retry Timer: simple" time="2020-10-21T05:10:45Z" level=info msg="Token Generation Retries: 3" time="2020-10-21T05:10:45Z" level=info msg="Token Generation Retry Delay (se
ERROR: logging before flag.Parse: E1021 05:11:37.436054 1 reflector.go:199] github.com/upmc-enterprises/registry-creds/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "namespaces" in API group "" at the cluster scope`
It is on an infinite loop outputting the error above.