opencost
OpenCost deployment fails while restricting the scope of the ServiceAccount to a single namespace rather than cluster-wide
Describe the bug
I need to deploy OpenCost into an existing namespace in the cluster, and the requirement is that OpenCost needs to fetch cost metrics only from the namespace in which it has been deployed and NOT cluster-wide. So I changed the existing ClusterRole into a Role, changed the resources accordingly and assigned it to the ServiceAccount.
But while deploying OpenCost, I get the forbidden error for the ServiceAccount from the pod, even though I use the above ServiceAccount to deploy the pod. Does OpenCost need a ClusterRole? Or is there an alternative that I could try to get it working? Please let me know.
Steps to reproduce the behavior:
- Edit the OpenCost deployment manifest file
- Change the kind from ClusterRole to Role
- Change the resources to namespaced ones
- Deploy the manifest file into the Kubernetes cluster
- The pod throws the errors
Expected behavior
OpenCost running within an existing namespace without issues.
Screenshots
RBAC details
```
$ k describe role opencost-custom
Name:         opencost-custom
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                             Non-Resource URLs  Resource Names  Verbs
  ---------                             -----------------  --------------  -----
  configmaps                            []                 []              [get list watch]
  endpoints                             []                 []              [get list watch]
  limitranges                           []                 []              [get list watch]
  persistentvolumeclaims                []                 []              [get list watch]
  pods                                  []                 []              [get list watch]
  replicationcontrollers                []                 []              [get list watch]
  resourcequotas                        []                 []              [get list watch]
  services                              []                 []              [get list watch]
  horizontalpodautoscalers.autoscaling  []                 []              [get list watch]
  cronjobs.batch                        []                 []              [get list watch]
  jobs.batch                            []                 []              [get list watch]
  daemonsets.extensions                 []                 []              [get list watch]
  deployments.extensions                []                 []              [get list watch]
  replicasets.extensions                []                 []              [get list watch]
  poddisruptionbudgets.policy           []                 []              [get list watch]
  daemonsets.apps                       []                 []              [list watch]
  deployments.apps                      []                 []              [list watch]
  replicasets.apps                      []                 []              [list watch]
  statefulsets.apps                     []                 []              [list watch]

$ k describe rolebinding opencost-custom
Name:         opencost-custom
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  opencost-custom
Subjects:
  Kind            Name             Namespace
  ----            ----             ---------
  ServiceAccount  opencost-custom  dashboard
```
Error message
```
E0309 19:05:46.243043 1 reflector.go:140] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: Failed to watch *v1.ReplicationController: failed to list *v1.ReplicationController: replicationcontrollers is forbidden: User "system:serviceaccount:dashboard:opencost-custom" cannot list resource "replicationcontrollers" in API group "" at the cluster scope
W0309 19:05:47.123789 1 reflector.go:424] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:dashboard:opencost-custom" cannot list resource "services" in API group "" at the cluster scope
E0309 19:05:47.123818 1 reflector.go:140] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:dashboard:opencost-custom" cannot list resource "services" in API group "" at the cluster scope
W0309 19:05:48.528041 1 reflector.go:424] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:dashboard:opencost-custom" cannot list resource "pods" in API group "" at the cluster scope
E0309 19:05:48.528069 1 reflector.go:140] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:dashboard:opencost-custom" cannot list resource "pods" in API group "" at the cluster scope
W0309 19:05:50.022959 1 reflector.go:424] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:dashboard:opencost-custom" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0309 19:05:50.022997 1 reflector.go:140] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: Failed to watch *v1.StatefulSet: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:dashboard:opencost-custom" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0309 19:05:53.264829 1 reflector.go:140] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: Failed to watch *v1.StorageClass: unknown (get storageclasses.storage.k8s.io)
W0309 19:06:06.083843 1 reflector.go:424] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: failed to list *v1.PersistentVolume: persistentvolumes is forbidden: User "system:serviceaccount:dashboard:opencost-custom" cannot list resource "persistentvolumes" in API group "" at the cluster scope
```
Which version of OpenCost are you using? Latest version.
Additional context
This error has been reported on a local Kubernetes cluster (docker-desktop) and also on the OpenShift platform.
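Added example, not code from the OpenCost project or from the reporter: a small Python triage script that parses apiserver denial messages in the shape of the ones quoted above, records which scope each request was made at, explains why a namespaced Role plus RoleBinding cannot satisfy it, and groups the denials into the least-privilege ClusterRole rules an admin would review instead of granting a broad one. The log lines are constructed to match the errors above, and the set of cluster-scoped resources is an assumption limited to those this log mentions.

```python
import re

# Constructed sample in the shape of the reflector errors quoted in this issue.
SAMPLE_LOG = """\
E0309 19:05:46.243043 1 reflector.go:140] replicationcontrollers is forbidden: User "system:serviceaccount:dashboard:opencost-custom" cannot list resource "replicationcontrollers" in API group "" at the cluster scope
W0309 19:05:48.528041 1 reflector.go:424] pods is forbidden: User "system:serviceaccount:dashboard:opencost-custom" cannot list resource "pods" in API group "" at the cluster scope
W0309 19:05:50.022959 1 reflector.go:424] statefulsets.apps is forbidden: User "system:serviceaccount:dashboard:opencost-custom" cannot list resource "statefulsets" in API group "apps" at the cluster scope
W0309 19:06:06.083843 1 reflector.go:424] persistentvolumes is forbidden: User "system:serviceaccount:dashboard:opencost-custom" cannot list resource "persistentvolumes" in API group "" at the cluster scope
"""

# kube-apiserver RBAC denial text; the trailing clause says which scope was requested.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

# Assumption: cluster-scoped resources seen in this log. No Role in any namespace can grant these.
CLUSTER_SCOPED = {"persistentvolumes", "storageclasses"}


def parse_denials(log):
    """Extract user, verb, resource, API group and requested scope for each denial."""
    denials = []
    for m in DENIAL.finditer(log):
        d = m.groupdict()
        d["scope"] = "cluster" if d["ns"] is None else d["ns"]
        denials.append(d)
    return denials


def explain(d):
    """Why a Role + RoleBinding in one namespace could not satisfy this request."""
    if d["resource"] in CLUSTER_SCOPED:
        return "cluster-scoped resource: only a ClusterRole can grant it"
    if d["scope"] == "cluster":
        return "namespaced resource requested without a namespace: Role rules do not apply"
    return "denied in namespace %s: missing rule in that namespace's Role" % d["scope"]


def minimal_cluster_rules(denials):
    """Group denials into ClusterRole rules as {apiGroup: {resource: sorted verbs}}."""
    rules = {}
    for d in denials:
        verbs = rules.setdefault(d["group"], {}).setdefault(d["resource"], set())
        verbs.add(d["verb"])
    return {g: {r: sorted(v) for r, v in res.items()} for g, res in rules.items()}


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in found:
        print(d["user"], d["verb"], d["resource"], d["group"] or "core", "->", explain(d))
    print(minimal_cluster_rules(found))
```

Every denial in the quoted log says "at the cluster scope": the informers list without a namespace, so a namespaced Role is never consulted, and persistentvolumes and storageclasses are cluster-scoped anyway.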
This isn't currently supported @karthiravich . I think it's something we can look to add in the future. cc @kwombach12
Thanks for the update @AjayTripathy
I'm closing this as "won't fix" because there's not a lot of value in calculating the cost of only the contents of a single namespace vs. the amount of code changes and testing that would need to be done to support this. Without a PR and extensive tests I don't see this happening.