Triggering a CronJob fails as Unauthorized since v0.50
Describe the bug Triggering a CronJob fails as Unauthorized in v0.50.6, but works fine in v0.32.5
To Reproduce Steps to reproduce the behavior:
- Go to CronJobs
- Press t to trigger and confirm the dialog
- In latest k9s (v0.50.6), I get CronJob trigger failed for xxx: user is not authorized to run jobs. But in an older k9s version (v0.32.5), it triggers and runs just fine.
Historical Documents n/a
Expected behavior CronJob can be triggered in the new k9s version the same way it could be triggered in the old k9s version.
Screenshots n/a
Versions (please complete the following information):
- OS: Windows, but also macOS
- K9s: v0.50.6
- K8s: v1.31.7-eks-bcf3d70
Additional context This is happening not just on my machine, but also for my colleagues.
@tompazourek Can't seem to repro. Could you add the relevant debug logs? Thank you!
I just collected the debug log from v0.50.6 and here it is:
[2m2025-06-09T08:37:11+02:00[0m DBG [CAN] access [2msubsys=[0mclient [2msubsys=[0mcan [2mgvr=[0mbatch/v1/cronjobs [2mns=[0mnsnsnsnsnsnsns [2mres-name=[0mxxxxxxxx-job [2mverb=[0m"[get create]"
[2m2025-06-09T08:37:11+02:00[0m DBG [CAN] reps [2msubsys=[0mclient [2msubsys=[0mcan [2mauth-status=[0mtrue [2mauth-reason=[0m"RBAC: allowed by ClusterRoleBinding \"rrrrrrrrrrrrr\" of ClusterRole \"rrrrrrrrrrrrr\" to Group \"rrrrrrrrrrrrr\""
[2m2025-06-09T08:37:11+02:00[0m DBG [CAN] access [2msubsys=[0mclient [2msubsys=[0mcan [2mgvr=[0mbatch/v1/cronjobs [2mns=[0mnsnsnsnsnsnsns [2mres-name=[0mxxxxxxxx-job [2mverb=[0m"[get create]"
[2m2025-06-09T08:37:11+02:00[0m DBG [CAN] reps [2msubsys=[0mclient [2msubsys=[0mcan [2mauth-status=[0mfalse [2mauth-reason=[0m""
[2m2025-06-09T08:37:11+02:00[0m [91mERR[0m Flash error [2merror=[0m"`create access denied for user on \"nsnsnsnsnsnsns\":batch/v1/cronjobs" [2mmessage=[0m"CronJob trigger failed for nsnsnsnsnsnsns/xxxxxxxx-job: `create access denied for user on \"nsnsnsnsnsnsns\":batch/v1/cronjobs"
In the old version v0.32.5 where the trigger works fine, I enabled trace logs, as nothing relevant was showing in debug:
[90m8:43AM[0m [34mTRC[0m [CAN] batch/v1/cronjobs("nsnsnsnsnsnsns"/"") <[list]>
[90m8:43AM[0m [34mTRC[0m Spec: v1.SelfSubjectAccessReviewSpec{ResourceAttributes:(*v1.ResourceAttributes)(0xc0006fd030), NonResourceAttributes:(*v1.NonResourceAttributes)(nil)}
[90m8:43AM[0m [34mTRC[0m Auth: true ["RBAC: allowed by ClusterRoleBinding \"rrrrrrrrrrrrr\" of ClusterRole \"rrrrrrrrrrrrr\" to Group \"rrrrrrrrrrrrr\""]
[90m8:43AM[0m [34mTRC[0m <<<nil>>>
[90m8:43AM[0m [34mTRC[0m Refresh [batch/v1/cronjobs](53) 203.4156ms
[90m8:43AM[0m [34mTRC[0m Refresh [batch/v1/cronjobs](53) 127.6742ms
[90m8:43AM[0m [34mTRC[0m Refresh [batch/v1/cronjobs](53) 123.2063ms
[90m8:43AM[0m [34mTRC[0m Refresh [batch/v1/cronjobs](53) 231.2331ms
[90m8:43AM[0m [34mTRC[0m Refresh [batch/v1/cronjobs](53) 230.6915ms
[90m8:43AM[0m [34mTRC[0m Refresh [batch/v1/cronjobs](53) 230.8491ms
[90m8:43AM[0m [34mTRC[0m [CAN] batch/v1/jobs("nsnsnsnsnsnsns"/"xxxxxxxx-job") <[get create]>
[90m8:43AM[0m [34mTRC[0m Spec: v1.SelfSubjectAccessReviewSpec{ResourceAttributes:(*v1.ResourceAttributes)(0xc00063f420), NonResourceAttributes:(*v1.NonResourceAttributes)(nil)}
[90m8:43AM[0m [34mTRC[0m Auth: true ["RBAC: allowed by ClusterRoleBinding \"rrrrrrrrrrrrr\" of ClusterRole \"rrrrrrrrrrrrr\" to Group \"rrrrrrrrrrrrr\""]
[90m8:43AM[0m [34mTRC[0m <<<nil>>>
[90m8:43AM[0m [34mTRC[0m [CAN] batch/v1/jobs("nsnsnsnsnsnsns"/"xxxxxxxx-job") <[get create]>
[90m8:43AM[0m [34mTRC[0m Spec: v1.SelfSubjectAccessReviewSpec{ResourceAttributes:(*v1.ResourceAttributes)(0xc00063f570), NonResourceAttributes:(*v1.NonResourceAttributes)(nil)}
[90m8:43AM[0m [34mTRC[0m Auth: true ["RBAC: allowed by RoleBinding \"job-create-delete-poweruser/nsnsnsnsnsnsns\" of Role \"job-create-delete\" to Group \"rrrrrrrrrrrrr\""]
[90m8:43AM[0m [34mTRC[0m <<<nil>>>
[90m8:43AM[0m [34mTRC[0m [CAN] batch/v1/cronjobs("nsnsnsnsnsnsns"/"") <[get]>
[90m8:43AM[0m [34mTRC[0m Spec: v1.SelfSubjectAccessReviewSpec{ResourceAttributes:(*v1.ResourceAttributes)(0xc00063f730), NonResourceAttributes:(*v1.NonResourceAttributes)(nil)}
[90m8:43AM[0m [34mTRC[0m Auth: true ["RBAC: allowed by ClusterRoleBinding \"rrrrrrrrrrrrr\" of ClusterRole \"rrrrrrrrrrrrr\" to Group \"rrrrrrrrrrrrr\""]
[90m8:43AM[0m [34mTRC[0m <<<nil>>>
[90m8:43AM[0m [34mTRC[0m Refresh [batch/v1/cronjobs](53) 228.6617ms
Hope this helps.
It seems like the old version didn't ask to create cronjobs, only to get cronjobs, but the new version asks for get create cronjobs. And I don't have permissions to get & create cronjobs, only to get & create jobs, and get cronjobs. But the permission shouldn't be needed, if it works without it, right?
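An added example (not k9s code and not written by anyone in this thread): a simplified RBAC evaluation that runs the pre-flight checks from the two logs against the access the reporter describes. Triggering a CronJob creates a Job from its template, so the operation itself needs get on cronjobs and create on jobs. The `Rule`, `Check` and `Denied` names and the rule set are constructed for illustration.

```go
package main

import "fmt"

// Rule mirrors the shape of an RBAC PolicyRule; "*" matches anything.
type Rule struct{ Groups, Resources, Verbs []string }

// Check is one pre-flight access question, as in a k9s "[CAN]" log line.
type Check struct {
	Group, Resource string
	Verbs           []string
}

func has(list []string, want string) bool {
	for _, s := range list {
		if s == want || s == "*" {
			return true
		}
	}
	return false
}

// Denied lists every "verb resource.group" in checks that no rule grants.
func Denied(rules []Rule, checks []Check) []string {
	var out []string
	for _, c := range checks {
		for _, v := range c.Verbs {
			ok := false
			for _, r := range rules {
				if has(r.Groups, c.Group) && has(r.Resources, c.Resource) && has(r.Verbs, v) {
					ok = true
					break
				}
			}
			if !ok {
				out = append(out, v+" "+c.Resource+"."+c.Group)
			}
		}
	}
	return out
}

// Constructed rules matching the reporter's description of their access.
var ReporterRules = []Rule{
	{[]string{"batch"}, []string{"jobs"}, []string{"get", "create"}},
	{[]string{"batch"}, []string{"cronjobs"}, []string{"get"}},
}

// Trigger-related pre-flight checks taken from the two logs in this thread.
var OldChecks = []Check{{"batch", "jobs", []string{"get", "create"}}, {"batch", "cronjobs", []string{"get"}}}
var NewChecks = []Check{{"batch", "cronjobs", []string{"get", "create"}}}

func main() {
	fmt.Println("v0.32.5 denied:", Denied(ReporterRules, OldChecks))
	fmt.Println("v0.50.6 denied:", Denied(ReporterRules, NewChecks))
}
```

The only denied pair is create on cronjobs, a verb the trigger operation never exercises, so granting it would widen access without being needed.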
I'm also experiencing this issue and I'd prefer not to have to increase my permission scope where not required.
@tompazourek Can't seem to repro. Could you add the relevant debug logs? Thank you!
I just collected the debug log from v0.50.6 and here it is:
2025-06-09T08:37:11+02:00 DBG [CAN] access subsys=client subsys=can gvr=batch/v1/cronjobs ns=nsnsnsnsnsnsns res-name=xxxxxxxx-job verb="[get create]"
2025-06-09T08:37:11+02:00 DBG [CAN] reps subsys=client subsys=can auth-status=true auth-reason="RBAC: allowed by ClusterRoleBinding \"rrrrrrrrrrrrr\" of ClusterRole \"rrrrrrrrrrrrr\" to Group \"rrrrrrrrrrrrr\""
2025-06-09T08:37:11+02:00 DBG [CAN] access subsys=client subsys=can gvr=batch/v1/cronjobs ns=nsnsnsnsnsnsns res-name=xxxxxxxx-job verb="[get create]"
2025-06-09T08:37:11+02:00 DBG [CAN] reps subsys=client subsys=can auth-status=false auth-reason=""
2025-06-09T08:37:11+02:00 ERR Flash error error="`create access denied for user on \"nsnsnsnsnsnsns\":batch/v1/cronjobs" message="CronJob trigger failed for nsnsnsnsnsnsns/xxxxxxxx-job: `create access denied for user on \"nsnsnsnsnsnsns\":batch/v1/cronjobs"
In the old version v0.32.5 where the trigger works fine, I enabled trace logs, as nothing relevant was showing in debug:
8:43AM TRC [CAN] batch/v1/cronjobs("nsnsnsnsnsnsns"/"") <[list]>
8:43AM TRC Spec: v1.SelfSubjectAccessReviewSpec{ResourceAttributes:(*v1.ResourceAttributes)(0xc0006fd030), NonResourceAttributes:(*v1.NonResourceAttributes)(nil)}
8:43AM TRC Auth: true ["RBAC: allowed by ClusterRoleBinding \"rrrrrrrrrrrrr\" of ClusterRole \"rrrrrrrrrrrrr\" to Group \"rrrrrrrrrrrrr\""]
8:43AM TRC <<<nil>>>
8:43AM TRC Refresh [batch/v1/cronjobs](53) 203.4156ms
8:43AM TRC Refresh [batch/v1/cronjobs](53) 127.6742ms
8:43AM TRC Refresh [batch/v1/cronjobs](53) 123.2063ms
8:43AM TRC Refresh [batch/v1/cronjobs](53) 231.2331ms
8:43AM TRC Refresh [batch/v1/cronjobs](53) 230.6915ms
8:43AM TRC Refresh [batch/v1/cronjobs](53) 230.8491ms
8:43AM TRC [CAN] batch/v1/jobs("nsnsnsnsnsnsns"/"xxxxxxxx-job") <[get create]>
8:43AM TRC Spec: v1.SelfSubjectAccessReviewSpec{ResourceAttributes:(*v1.ResourceAttributes)(0xc00063f420), NonResourceAttributes:(*v1.NonResourceAttributes)(nil)}
8:43AM TRC Auth: true ["RBAC: allowed by ClusterRoleBinding \"rrrrrrrrrrrrr\" of ClusterRole \"rrrrrrrrrrrrr\" to Group \"rrrrrrrrrrrrr\""]
8:43AM TRC <<<nil>>>
8:43AM TRC [CAN] batch/v1/jobs("nsnsnsnsnsnsns"/"xxxxxxxx-job") <[get create]>
8:43AM TRC Spec: v1.SelfSubjectAccessReviewSpec{ResourceAttributes:(*v1.ResourceAttributes)(0xc00063f570), NonResourceAttributes:(*v1.NonResourceAttributes)(nil)}
8:43AM TRC Auth: true ["RBAC: allowed by RoleBinding \"job-create-delete-poweruser/nsnsnsnsnsnsns\" of Role \"job-create-delete\" to Group \"rrrrrrrrrrrrr\""]
8:43AM TRC <<<nil>>>
8:43AM TRC [CAN] batch/v1/cronjobs("nsnsnsnsnsnsns"/"") <[get]>
8:43AM TRC Spec: v1.SelfSubjectAccessReviewSpec{ResourceAttributes:(*v1.ResourceAttributes)(0xc00063f730), NonResourceAttributes:(*v1.NonResourceAttributes)(nil)}
8:43AM TRC Auth: true ["RBAC: allowed by ClusterRoleBinding \"rrrrrrrrrrrrr\" of ClusterRole \"rrrrrrrrrrrrr\" to Group \"rrrrrrrrrrrrr\""]
8:43AM TRC <<<nil>>>
8:43AM TRC Refresh [batch/v1/cronjobs](53) 228.6617ms
Hope this helps.
Cleaned up the ANSI color code escape sequences for readability.
The issue is likely a regression caused by the gvr clean up done in Rel v0.50.0:
https://github.com/derailed/k9s/pull/3254/commits/f9116b206aef02be63bac52de46568ca2db626d6#diff-e4cb1fa7f675e48a69e43d6bb2cb86f604b9beffb53bef9fcc0ac2bad8c4be1e
@tompazourek This is exactly right. Thank you for the heads up Tom! Will fix in the next drop.