forbidden: User "$SERVICE_ACCOUNT" cannot get path "/"

Open joshuasimon-taulia opened this issue 4 years ago • 3 comments

Bug report

Starting in krane 2.1.6, my k8s SA is hitting permissions issues. krane deploy works fine in 2.1.5.

Expected behavior:

[INFO][2021-02-12 01:56:07 +0000]
[INFO][2021-02-12 01:56:07 +0000]	------------------------------------------Result: SUCCESS-------------------------------------------
[INFO][2021-02-12 01:56:07 +0000]	Successfully deployed 11 resources
[INFO][2021-02-12 01:56:07 +0000]
[INFO][2021-02-12 01:56:07 +0000]	Successful resources

Actual behavior:

[WARN][2021-02-12 03:09:44 +0000]	The following command failed (attempt 5/5): kubectl get --raw / --context\=staging --request-timeout\=1
[WARN][2021-02-12 03:09:44 +0000]	Error from server (Forbidden): forbidden: User "system:serviceaccount:staging:deployer" cannot get path "/"

[INFO][2021-02-12 03:09:44 +0000]
[INFO][2021-02-12 03:09:44 +0000]	------------------------------------------Result: FAILURE-------------------------------------------
[FATAL][2021-02-12 03:09:44 +0000]	Error retrieving raw path /: error from server (forbidden): forbidden: user "system:serviceaccount:staging:deployer" cannot get path "/"
[FATAL][2021-02-12 03:09:44 +0000]

Version(s) affected: 2.1.6

Steps to Reproduce

  1. krane deploy staging staging --no-prune -f output/my-charttemplates/

This is the RBAC for my k8s SA:

kind: ClusterRole # limited to namespace by using 'RoleBinding'
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployer
rules:
  - apiGroups:
      - "*"
    resources:
      - configmaps
      - clusterrolebindings
      - clusterroles
      - customresourcedefinitions
      - deployments
      - events
      - horizontalpodautoscalers
      - ingresses
      - jobs
      - persistentvolumeclaims
      - persistentvolumes
      - pods
      - pods/log
      - replicasets
      - rolebindings
      - roles
      - secrets
      - serviceaccounts
      - services
      - statefulsets
    verbs:
      - create
      - get
      - list
      - patch
      - watch
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployer-all-ns
rules:
  - apiGroups:
      - "*"
    resources:
      - namespaces
      - customresourcedefinitions
    verbs:
      - get
      - list

I have also tried giving the k8s SA:

rules:
- nonResourceURLs:
  - /
  verbs:
  - get

Feature request

Proposal: Document the additional RBAC required by krane 2.1.6

joshuasimon-taulia avatar Feb 12 '21 03:02 joshuasimon-taulia
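An added check, not part of this issue or of krane, that models why a nonResourceURLs rule like the one above can still leave the SA forbidden: Kubernetes honours nonResourceURLs only through ClusterRoleBindings, so a ClusterRole bound with a namespaced RoleBinding (as the comment in the manifest above suggests) cannot grant `get` on `/`. The bindings, the `krane-discovery` role name and the `deployer` RoleBinding are assumptions, and the manifests are constructed dicts rather than parsed YAML.

```python
# Added example (not krane's code): static check of whether a ServiceAccount may
# GET the non-resource path "/" that krane 2.1.6 probes via `kubectl get --raw /`.
# Models the RBAC rule that nonResourceURLs are honoured only via ClusterRoleBindings.
SUBJECT = "system:serviceaccount:staging:deployer"  # SA named in the issue's log

def url_rule_matches(rule: dict, verb: str, path: str) -> bool:
    """Mirror the API server's nonResourceURL match: exact path, or a trailing
    '*' acting as a prefix wildcard (for example '/healthz/*')."""
    verbs = rule.get("verbs", [])
    if "*" not in verbs and verb not in verbs:
        return False
    return any(p in ("*", path) or (p.endswith("*") and path.startswith(p[:-1]))
               for p in rule.get("nonResourceURLs", []))

def binds_subject(binding: dict, subject: str) -> bool:
    return any(s.get("kind") == "ServiceAccount"
               and f"system:serviceaccount:{s['namespace']}:{s['name']}" == subject
               for s in binding.get("subjects", []))

def can_get_path(manifests: list, subject: str, path: str = "/", verb: str = "get") -> bool:
    """True if `subject` is granted `verb` on the non-resource URL `path`."""
    roles = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "ClusterRole"}
    for b in manifests:
        # RoleBindings are skipped on purpose: they never grant non-resource URLs,
        # even when they reference a ClusterRole that lists them.
        if b["kind"] != "ClusterRoleBinding" or not binds_subject(b, subject):
            continue
        role = roles.get(b["roleRef"]["name"])
        if role and any(url_rule_matches(r, verb, path) for r in role.get("rules", [])):
            return True
    return False

# Constructed manifests. Case 1: the issue's "deployer" ClusterRole with the "/" rule
# added, bound only through a namespaced RoleBinding (assumed from the author's comment).
SA = [{"kind": "ServiceAccount", "namespace": "staging", "name": "deployer"}]
ROOT_RULE = {"nonResourceURLs": ["/"], "verbs": ["get"]}
ROLEBINDING_ONLY = [
    {"kind": "ClusterRole", "metadata": {"name": "deployer"}, "rules": [ROOT_RULE]},
    {"kind": "RoleBinding", "metadata": {"name": "deployer", "namespace": "staging"},
     "roleRef": {"kind": "ClusterRole", "name": "deployer"}, "subjects": SA},
]
# Case 2: the same grant as a separate, minimal ClusterRole with a ClusterRoleBinding.
CLUSTER_WIDE = ROLEBINDING_ONLY + [
    {"kind": "ClusterRole", "metadata": {"name": "krane-discovery"}, "rules": [ROOT_RULE]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "krane-discovery"},
     "roleRef": {"kind": "ClusterRole", "name": "krane-discovery"}, "subjects": SA},
]
```

`can_get_path(ROLEBINDING_ONLY, SUBJECT)` is False (the Forbidden error in the log), while `can_get_path(CLUSTER_WIDE, SUBJECT)` is True; on a live cluster the equivalent check is `kubectl auth can-i get / --as=system:serviceaccount:staging:deployer`.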

I definitely think this is worth documenting. We've held off on a list of RBAC resources because krane will deploy/prune anything you give it, so there isn't really a list short of * that would work for everyone.

Would you be willing to PR something to our docs?

dturn avatar Feb 12 '21 20:02 dturn

We just hit this issue too, with a user updating to 2.1.7. Maybe worth mentioning our findings on the way here: that k8s rejected adding this permission to the standard discovery role https://github.com/kubernetes/kubernetes/issues/45366 (we weren't sure if krane now targeted a newer k8s than we use, 1.16), and that the need for this to be documented was also mentioned in https://github.com/Shopify/krane/pull/778#issuecomment-778328751 (mentioning this to link the issues).

bazzargh avatar Mar 01 '21 22:03 bazzargh