cloud-provider-openstack
service account cloud-controller-manager cannot patch service object
Is this a BUG REPORT or FEATURE REQUEST?:
Uncomment only one, leave it on its own line:
/kind bug /kind feature
What happened: created a LB following https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md

```yaml
kind: Service
apiVersion: v1
metadata:
  name: external-http-nginx-service
  annotations:
    service.beta.kubernetes.io/openstack-internal-load-balancer: "false"
    loadbalancer.openstack.org/floating-network-id: "7d304522-1456-4aef-b953-c9775e3064f6"
    loadbalancer.openstack.org/floating-subnet-id: "346c6134-c0fd-46ee-9e15-7ddcc9ce18d6"
spec:
  selector:
    app: nginx
  type: LoadBalancer
  ports:
    - name: http
      port: 80
      targetPort: 80
```

Log:

```
Warning SyncLoadBalancerFailed 15s (x4 over 52s) service-controller Error syncing load balancer: failed to ensure load balancer: failed to patch service object default/external-http-nginx-service: services "external-http-nginx-service" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default"
```

Installed OCCM using Helm:

```shell
$ helm install openstack-ccm cpo/openstack-cloud-controller-manager --version 2.29.1 -n cpo --create-namespace --values openstack-ccm.yaml
```
What you expected to happen:
How to reproduce it:
Anything else we need to know?:
Environment:
- openstack-cloud-controller-manager(or other related binary) version: chart version is 2.29.1
- OpenStack version:
- Others:
@dulek does this sound familiar to you? I think you created multiple SVCs on LBs from time to time.
"system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services"
This seems to have been reported a long time ago, but I'm not sure it's the same root cause. Have you manually tried updating the role/rolebinding to make sure we can work around it, and maybe check what's missing there?
@jichenjc The service account is the default one provided by the system. I haven't manually tried updating the role/rolebinding.
@jichenjc I installed the openstack-cloud-controller-manager chart in the kube-system namespace. It works.
Yeah, I've seen that. I think there are 2 service accounts used by the CCM. One is this kube-system:cloud-controller-manager and is used by OCCM. The other one lives in our namespace and is used by cloud-provider code. We suffer from this in OpenShift too and need to update it additionally: https://github.com/openshift/cluster-cloud-controller-manager-operator/blob/master/manifests/0000_26_cloud-controller-manager-operator_04_rbac_provider_openstack.yaml#L1-L10. I would say this is a valid bug and we should discover why kube-system is ever used by our code.
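As an added example (not from the project's chart or from any commenter), this is the shape of the manual role/rolebinding workaround discussed above, scoped to exactly the subject named in the forbidden error. The object names are placeholders, and the verbs beyond `patch` on `services` (and the `services/status` rule) are assumptions about what the service controller also needs, not something the log above shows.

```yaml
# Constructed example: grant the failing verb to the service account that
# the event names, and nothing broader. Replace the placeholder names.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: occm-services-patch-workaround   # placeholder name
rules:
  # The event fails on "patch" of "services" in the core API group "".
  # get/list/watch/update are assumed to be needed by the same controller.
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch", "patch", "update"]
  # Assumption: the LB ingress address is written to the status subresource.
  - apiGroups: [""]
    resources: ["services/status"]
    verbs: ["patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: occm-services-patch-workaround   # placeholder name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: occm-services-patch-workaround
subjects:
  # Must match the user in the error verbatim:
  # system:serviceaccount:kube-system:cloud-controller-manager
  - kind: ServiceAccount
    name: cloud-controller-manager
    namespace: kube-system
```

Before and after applying it, `kubectl auth can-i patch services -n default --as=system:serviceaccount:kube-system:cloud-controller-manager` shows whether the binding actually reaches the subject the error names, which is the quickest way to tell a missing rule from a binding pointed at the wrong namespace.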
Okay, I might have found the culprit. Won't have time to test it right now, @CCH0124, if you can check that it helps, we might just merge it.
@MaysaMacedo, you might be intrigued by this too.
@dulek I will check it this week. 👍 Thanks.