utkuozdemir / pv-migrate

CLI tool to easily migrate Kubernetes persistent volumes
Apache License 2.0

Can't create pods/portforward resource #310

Open quoctri1 opened 4 months ago

quoctri1 commented 4 months ago

**Describe the bug**
pv-migrate can't create pods/portforward even when using the cluster owner user in Rancher.

**To Reproduce**
Steps to reproduce the behavior:

  1. Make sure the kubeconfig has a context with the cluster owner user, and check with the auth CLI
    kubectl --kubeconfig ~/.kube/config --context pal-vsphere-mgt-01 -n keaun-workaround auth can-i create pods/portforward
    yes
  2. 
    pv-migrate --source-kubeconfig /home/keanuphan/.kube/config --source-context pal-vsphere-mgt-01 --source-namespace keaun-workaround --source www-web-source-0 --dest-kubeconfig /home/keanuphan/.kube/config --dest-context aws-ireland-merito-mgt-01 --dest-namespace tom-test --dest www-web-destination-0 --ignore-mounted --log-level DEBUG --strategies local
    Jul 11 15:15:21.347 INF 🚀 Starting migration
    Jul 11 15:15:24.196 INF 💡 PVC is mounted to a node, but --ignore-mounted is requested, ignoring... source=keaun-workaround/www-web-source-0 dest=tom-test/www-web-destination-0 pvc=keaun-workaround/www-web-source-0 mounted_node=palk8smgt08
    Jul 11 15:15:24.196 INF 💡 PVC is mounted to a node, but --ignore-mounted is requested, ignoring... source=keaun-workaround/www-web-source-0 dest=tom-test/www-web-destination-0 pvc=tom-test/www-web-destination-0 mounted_node=ip-10-100-41-184.eu-west-1.compute.internal
    Jul 11 15:15:24.196 INF 💭 Attempting migration source=keaun-workaround/www-web-source-0 dest=tom-test/www-web-destination-0 strategies=local
    Jul 11 15:15:24.196 INF 🚁 Attempt using strategy source=keaun-workaround/www-web-source-0 dest=tom-test/www-web-destination-0 attempt_id=adeee strategy=local
    Jul 11 15:15:24.197 INF 🔑 Generating SSH key pair source=keaun-workaround/www-web-source-0 dest=tom-test/www-web-destination-0 attempt_id=adeee strategy=local
    Jul 11 15:15:46.519 DBG creating 4 resource(s) source=keaun-workaround/www-web-source-0 dest=tom-test/www-web-destination-0 attempt_id=adeee strategy=local
    Jul 11 15:15:49.461 DBG beginning wait for 4 resources with timeout of 2m0s source=keaun-workaround/www-web-source-0 dest=tom-test/www-web-destination-0 attempt_id=adeee strategy=local
    Jul 11 15:16:03.286 DBG creating 4 resource(s) source=keaun-workaround/www-web-source-0 dest=tom-test/www-web-destination-0 attempt_id=adeee strategy=local
    Jul 11 15:16:04.425 DBG beginning wait for 4 resources with timeout of 2m0s source=keaun-workaround/www-web-source-0 dest=tom-test/www-web-destination-0 attempt_id=adeee strategy=local
    Jul 11 15:16:05.312 DBG Deployment is not ready: tom-test/pv-migrate-adeee-dest-sshd. 0 out of 1 expected pods are ready source=keaun-workaround/www-web-source-0 dest=tom-test/www-web-destination-0 attempt_id=adeee strategy=local
    Jul 11 15:16:10.799 ERR ❌ Error on port-forward source=keaun-workaround/www-web-source-0 dest=tom-test/www-web-destination-0 attempt_id=adeee strategy=local ns=keaun-workaround name=pv-migrate-adeee-src-sshd-7c57595cc4-8cmwq port=44737 error="failed to forward ports: error upgrading connection: pods \"pv-migrate-adeee-src-sshd-7c57595cc4-8cmwq\" is forbidden: User \"u-z2pmtfcv6o\" cannot create resource \"pods/portforward\" in API group \"\" in the namespace \"keaun-workaround\""


**Expected behavior**
With cluster-owner I can migrate with local strategies 

**Version**
 - Source and destination Kubernetes versions - `v1.27.12+rke2r1`, `v1.29.4-eks-036c24b`
 - Source and destination container runtimes `containerd://1.7.11-k3s2`, `containerd://1.7.11`
 - `pv-migrate` version and architecture `v2.0.1` - `linux_x86_64`
 - Installation method by binary download
 - Source and destination PVC type, size and accessModes ReadWriteOnce, 1G, rbd -> ReadWriteOnce, 1G, aws ebs

utkuozdemir commented 4 months ago

Hi, the local strategy needs a big overhaul, it is currently not in the best shape. Until I get to it, I recommend trying other strategies, if possible.

quoctri1 commented 4 months ago

Thank you very much @utkuozdemir. BTW, any recommendation for migrating from on-premises Rancher using MetalLB (using private IP) to EKS?

utkuozdemir commented 4 months ago

If they are not routable to each other, you don't have any options other than the local strategy.

By the way, it seems your issue is related to RBAC - the user you are hitting the cluster with, u-z2pmtfcv6o, is not authorized to forward ports. I'd recommend looking into that. This issue is not caused by a bug in the local strategy.
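
The denial in the ERR line above names the user, verb, resource and namespace the API server evaluated. The following is an added example, not part of the thread or of pv-migrate, that turns such a message into the matching `kubectl auth can-i` check. The function names `field` and `forbidden_to_can_i` are hypothetical; the subresource is passed with `--subresource` because `can-i` reads a `TYPE/NAME` argument as an object name, and `--as` only works for callers allowed to impersonate.

```shell
#!/bin/sh
# Added example (not pv-migrate code): derive the matching access check from a
# Kubernetes "is forbidden" error, for the identity the API server evaluated.

# The error= field of the ERR line in the issue above.
SAMPLE='error="failed to forward ports: error upgrading connection: pods \"pv-migrate-adeee-src-sshd-7c57595cc4-8cmwq\" is forbidden: User \"u-z2pmtfcv6o\" cannot create resource \"pods/portforward\" in API group \"\" in the namespace \"keaun-workaround\""'

# field LINE PATTERN: print the first \(...\) group of PATTERN, or nothing.
field() { printf '%s\n' "$1" | sed -n "s#.*$2.*#\1#p"; }

# forbidden_to_can_i LINE
# Prints a kubectl command for the denied request; returns 1 if LINE has none.
forbidden_to_can_i() {
  local line user verb res group ns sub cmd
  # Inside error="..." the inner quotes are backslash-escaped; undo that first.
  line=$(printf '%s' "$1" | tr -d '\\')
  user=$(field "$line" 'User "\([^"]*\)" cannot ')
  verb=$(field "$line" '" cannot \([a-z]*\) resource "')
  res=$(field "$line" ' resource "\([^"]*\)" in API group ')
  group=$(field "$line" ' in API group "\([^"]*\)"')
  ns=$(field "$line" ' in the namespace "\([^"]*\)"')
  [ -n "$user" ] && [ -n "$verb" ] && [ -n "$res" ] || return 1

  # "pods/portforward" in the message is resource/subresource; can-i would
  # read the part after "/" as an object name, so split it off.
  sub=
  case $res in */*) sub=${res#*/}; res=${res%%/*} ;; esac
  # Non-core API groups are written TYPE.GROUP (e.g. deployments.apps).
  if [ -n "$group" ]; then res="$res.$group"; fi

  cmd="kubectl auth can-i $verb $res"
  if [ -n "$sub" ]; then cmd="$cmd --subresource=$sub"; fi
  # Cluster-scoped denials carry no namespace, so -n is omitted for them.
  if [ -n "$ns" ]; then cmd="$cmd -n $ns"; fi
  # --as asks the question for the denied user instead of the caller.
  printf '%s --as %s\n' "$cmd" "$user"
}

forbidden_to_can_i "$SAMPLE"
```

Run the printed command with the same kubeconfig and context that pv-migrate was given for the cluster that returned the error.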