microk8s-actions icon indicating copy to clipboard operation
microk8s-actions copied to clipboard
verified publisher icon balchua

"Insufficient permissions to access MicroK8s"

Open barrettj12 opened this issue 3 years ago • 10 comments

The following workflow is failing:

name: "Test MicroK8s"
on: [push, pull_request, workflow_dispatch]
jobs:
  microk8s:
    runs-on: ubuntu-latest
    steps:
    
    - name: Set up MicroK8s
      uses: balchua/[email protected]
      with:
        channel: "1.25-strict/stable"
        addons: '["dns", "hostpath-storage"]'

    - name: Test MicroK8s
      run: |
        microk8s status

The second step fails with

Insufficient permissions to access MicroK8s.
You can either try again with sudo or add the user runner to the 'snap_microk8s' group:
    sudo usermod -a -G snap_microk8s runner
    sudo chown -R runner ~/.kube
After this, reload the user groups either via a reboot or by running 'newgrp snap_microk8s'.

This action should set up the user permissions correctly so that the $USER can access MicroK8s. Currently I can't do anything with MicroK8s. See logs here.

barrettj12 avatar Nov 25 '22 06:11 barrettj12

Thanks for this. The issue here is that even if the user is created, there is no way to open a new session to reflect the newly minted membership, atleast i couldn't find a way.

In order to use the microk8s command, one need to use the sudo or sg.

balchua avatar Nov 25 '22 08:11 balchua

The following seems to work for me (after setting up microk8s):

sudo usermod -a -G snap_microk8s $USER
sudo chown -R $USER ~/.kube || true # this might fail if the ~/.kube file doesn't exist
newgrp snap_microk8s

barrettj12 avatar Nov 27 '22 23:11 barrettj12

Ok, newgrp seems to work when I do it in an SSH session, but not when I put it as a step inside the workflow. Might be a bug with the GitHub runners.

barrettj12 avatar Nov 28 '22 00:11 barrettj12

Ok, I see the issue. newgrp creates a new subshell with the specified groups. So it works in interactive shells, but not in automated scripts.

~Maybe we could define microk8s as an alias for sg snap_microk8s 'microk8s ...' ?~ This won't work, because other commands that want to use microk8s won't be able to access the alias.

barrettj12 avatar Nov 28 '22 01:11 barrettj12

Thanks @barrettj12 , so far i see using sudo is the only way to make it work.

balchua avatar Nov 28 '22 05:11 balchua

Yep, and feedback from the microk8s team is that you can't change the microk8s group to e.g. adm.

I've opened a community discussion here on the newgrp issue, let's see if anyone gives us a potential solution.

barrettj12 avatar Nov 28 '22 06:11 barrettj12

@balchua I wonder if this will work?

barrettj12 avatar Jan 16 '23 23:01 barrettj12

Thanks @barrettj12 i can definitely give this a try.

balchua avatar Jan 17 '23 00:01 balchua

Thanks @barrettj12 i tried the link provided. So far the method works on classic mode.

Unfortunately, it fails installing microk8s with strict mode with this error.

error: cannot perform the following tasks:
- Mount snap "microk8s" (4249) (cannot ensure users for snap "microk8s" required system username "snap_microk8s": cannot add user/group "snap_microk8s": group exists and user does not)

balchua avatar Jan 22 '23 03:01 balchua