metrics-server icon indicating copy to clipboard operation
metrics-server copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-sigs

Align RBAC between chart and kustomize

Open drGrove opened this issue 2 years ago • 7 comments

Remove discrepency between helm chart and kustomization for RBAC where namespace and configmap are missing. Without configmap permission metrics-server will CrashloopBackoff

Signed-off-by: Danny Grove [email protected]

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

Fixes issue where using release kustomize overlay causes Crashloopbackoff

drGrove avatar Aug 20 '22 18:08 drGrove

Welcome @drGrove!

It looks like this is your first PR to kubernetes-sigs/metrics-server 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/metrics-server has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. :smiley:

k8s-ci-robot avatar Aug 20 '22 18:08 k8s-ci-robot

Hi @drGrove. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Aug 20 '22 18:08 k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: drGrove Once this PR has been reviewed and has the lgtm label, please assign serathius for approval by writing /assign @serathius in a comment. For more information see:The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Aug 20 '22 18:08 k8s-ci-robot

/assign @serathius

drGrove avatar Aug 21 '22 00:08 drGrove

These permissions are not needed by metrics-server. They were present a while back to make the e2e tests pass but in #799 it was proven that they are not necessary anymore.

dgrisonnet avatar Aug 21 '22 20:08 dgrisonnet 

panic: unable to load configmap based request-header-client-ca-file: configmaps "extension-apiserver-authentication" is forbidden: User "system:serviceaccount:metrics-server:metrics-server" cannot get resource "configmaps" in API group "" in the namespace "kube-system"

This is on a default install of the kustomization to the namespace metrics-server

drGrove avatar Aug 21 '22 22:08 drGrove

The extension-apiserver-authentication configmap is not created by default when you create a Kubernetes cluster with the default kube-apiserver options. It is only created if you setup apiserver client authentication as mentioned here: https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/#kubernetes-apiserver-client-authentication.

As such, the default manifests provided by metrics-server shouldn't need access to any configmap of the cluster.

Also, it might be worth mentioning that the recommended way to grant access to the extension-apiserver-authentication configmap is by creating a role binding from the service account in metrics-server's namespace to the extension-apiserver-authentication-reader role.

dgrisonnet avatar Aug 23 '22 13:08 dgrisonnet

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 21 '22 14:11 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Dec 21 '22 15:12 k8s-triage-robot