k8s-operator-node

Watch resource with 403 Forbidden error

Open rdonadono opened this issue 3 years ago • 0 comments

Hi,

Is there some kind of incompatibility between k8s versions for the watchResource() observer?

I released an operator that monitors the events of some custom resources; on a 1.21.x cluster it works, while on a 1.18.x cluster it doesn't.

I get a generic 403 Forbidden error when I try to watch the resources.

The service account with which the operator runs has all verbs enabled, and if queried directly, using the same service account, the k8s API responds correctly without any kind of permission problem.

```
[info][2021-09-03T14:58:27.563Z] [K8S Main Operator] Operator start - undefined
[info][2021-09-03T14:58:27.765Z] watching resource lambdas.company.org/v1 - undefined
[error][2021-09-03T14:58:29.142Z] watch on resource lambdas.company.org/v1 failed: {"name":"Error","message":"Forbidden","stack":"Error: Forbidden\n    at Request.<anonymous> (/operator/main.js:159289:35)\n    at Request.emit (events.js:400:28)\n    at Request../node_modules/request/request.js.Request.onRequestResponse (/operator/main.js:253512:10)\n    at ClientRequest.emit (events.js:400:28)\n    at HTTPParser.parserOnIncomingClient [as onIncoming] (_http_client.js:647:27)\n    at HTTPParser.parserOnHeadersComplete (_http_common.js:126:17)\n    at TLSSocket.socketOnData (_http_client.js:515:22)\n    at TLSSocket.emit (events.js:400:28)\n    at addChunk (internal/streams/readable.js:290:12)\n    at readableAddChunk (internal/streams/readable.js:265:9)"} - undefined
```

```
> kubectl auth can-i --list -n devel --as system:serviceaccount:devel:default
Resources                                       Non-Resource URLs   Resource Names         Verbs
routes.company.org                              []                  []                     [*]
functions.company.org                           []                  []                     [*]
lambdas.company.org                             []                  []                     [*]
selfsubjectaccessreviews.authorization.k8s.io   []                  []                     [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []                     [create]
                                                [/api/*]            []                     [get]
                                                [/api]              []                     [get]
                                                [/apis/*]           []                     [get]
                                                [/apis]             []                     [get]
                                                [/healthz]          []                     [get]
                                                [/healthz]          []                     [get]
                                                [/livez]            []                     [get]
                                                [/livez]            []                     [get]
                                                [/openapi/*]        []                     [get]
                                                [/openapi]          []                     [get]
                                                [/readyz]           []                     [get]
                                                [/readyz]           []                     [get]
                                                [/version/]         []                     [get]
                                                [/version/]         []                     [get]
                                                [/version]          []                     [get]
                                                [/version]          []                     [get]
```

Any ideas?

Thanks!

rdonadono, Sep 03 '21 15:09