Closed marcoceppi closed 5 years ago
I didn't realize that you needed read permissions to get api objects within the same namespace. I'm sure that I tried this out before with just Synse Server and a plugin on a GKE cluster and it was working before. Maybe the ServiceAccount from blackbox was still lingering or there are some non-default permissions set when the cluster is created.. either way, this is my bad. Thanks for the guide and templates -- I'll get something up for this shortly.
It's highly probable that the GKE cluster may not of had RBAC enabled, which would skew you're results
I don't have the full terminal window output, but based on my notes I ran the rbac script:
# helm
kubectl apply -f management/setup/helm/rbac.yaml
helm init --service-account tiller
Yes, that's to set up helm, this is for the services themselves. That yaml creates a service account for helms tiller - though that's not shared with helm deployed services
It does seem like it was a GKE issue. I tested Synse Server + Plugin both with and without the changes that add in the ServiceAccount, ClusterRole, and ClusterRoleBinding and it worked fine in both cases. I wasn't able to replicate the permissions errors seen in Synse Server, which is probably why I missed this before.
Yeah, we should set up a cluster in GCP that isn't GKE so we can run infra similar to our production sites. I'll work on that separately
On Thu, Nov 1, 2018, 11:11 Erick Daniszewski notifications@github.com wrote:
It does seem like it was a GKE issue. I tested Synse Server + Plugin both with and without the changes that add in the ServiceAccount, ClusterRole, and ClusterRoleBinding and it worked fine in both cases. I wasn't able to replicate the permissions errors seen in Synse Server, which is probably why I missed this before.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/vapor-ware/synse-charts/issues/5#issuecomment-435065932, or mute the thread https://github.com/notifications/unsubscribe-auth/AAET1a5wtW4VVomyyA0h1m1xLCEGm3JJks5uqw8YgaJpZM4YGHYk .
This is blocking VEM master deploy, which is the only site left now.
On a fresh deploy of synse-server, logs will fail with tracebacks due to Forbidden errors from API
Since synse-server now uses Kubernetes API for plugin discovery, the chart will need to both create a service-account and a clusterrolebinding for read level permissions. Normally, a
Role
andRoleBinding
would be sufficient, but since synse-server can technically be configured to search for endpoints not in their namespace, we'll use aClusterRole
andClusterRoleBinding
I've not tested these templates, but it would look something like
serviceaccount.yaml
clusterrole.yaml
Since the URL being accessed is
/api/v1/namespaces/{namespace}/endpoints
we can decompose that intoapiGroups
"core", in one or more namespaces, for the endpoints resource. The method being invoked islist
so we need at least thelist
andget
verbs. I've added watch, because it's easy enough to include.clusterrolebinding.yaml
deployment.yaml
Finally, the
Deployment
template spec will need to be updated to attach the ServiceAccount to synse-server.Under
spec.template.spec
in the deployment addWe should do our best to use
fullname
for these item to avoid collisions when multiple releases deployed in a single cluster / namespace.