local-path-provisioner

error retrieving resource lock local-path-storage/rancher.io-local-path

Open Antonyab opened this issue 5 years ago • 5 comments

Hello,

I am using the local path provisioner as mentioned.

It worked and the local volume persistent storage is created locally on the nodes where the pods are deployed.

After a while, I tried to create a new pvc and I detected that the local path storage pod is showing an error that repeats every 2 seconds:

E0624 12:05:54.771144 1 leaderelection.go:331] error retrieving resource lock local-path-storage/rancher.io-local-path: endpoints “rancher.io-local-path” is forbidden: User “system:serviceaccount:local-path-storage:local-path-provisioner-service-account” cannot get resource “endpoints” in API group “” in the namespace "local-path-storage"

If I try to bind a new pvc that I created with a pod, the local persistent volume is not created. But it is mentioned that it is bound when I list pv and pvc.

Can anyone help me fix this issue?

Thank you in advance.

Regards, Antony

Antonyab avatar Jul 08 '20 09:07 Antonyab

@Antonyab It seems you didn't apply the RBAC rule correctly. Can you try to reapply the following part of yaml?

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: local-path-provisioner-role
rules:
- apiGroups: [""]
  resources: ["nodes", "persistentvolumeclaims"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["endpoints", "persistentvolumes", "pods"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: local-path-provisioner-bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: local-path-provisioner-role
subjects:
- kind: ServiceAccount
  name: local-path-provisioner-service-account
  namespace: local-path-storage

yasker avatar Jul 08 '20 15:07 yasker

It worked! Thank you.

But I find this error a little bit weird because when I applied the yaml file the first time it worked.

After some time it stopped working. Do you know what could be the reason for this issue?

Thank you again for your help.

Antonyab avatar Jul 08 '20 15:07 Antonyab

Maybe it got deleted by accident? You probably want to check whether the other components in the yaml are still there.

yasker avatar Jul 08 '20 16:07 yasker

For your info, the problem is still reproducing.

But when I apply the yaml file again, it works again. As you mentioned, this component clusterrolebinding.rbac.authorization.k8s.io is configured when I apply the yaml file. clusterrolebinding.rbac.authorization.k8s.io/local-path-provisioner-bind configured

I am sure that I am not deleting it by accident.

If you need any other information, don't hesitate to ask me.

Regards,

Antonyab avatar Jul 20 '20 13:07 Antonyab

@Antonyab Local path provisioner won't delete the clusterrolebinding. I am almost sure there is something else deleting it; it might be some malfunctioning security feature, or another app or admin?

yasker avatar Jul 20 '20 17:07 yasker
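
One way to find out what keeps removing or altering the RBAC objects discussed in this thread is to search the kube-apiserver audit log for successful writes to them. The following is an added example, not code from the thread or from the local-path-provisioner project; it looks for modifications as well as deletions, because `kubectl apply` prints `configured` when it patches an object that already exists. It assumes audit logging is enabled with a policy that records RBAC writes at `Metadata` level or above, and the sample events, user names and timestamps are constructed.

```python
import json

# Constructed sample in kube-apiserver audit log format (audit.k8s.io/v1, one JSON
# Event per line). User names and timestamps are invented for this example.
SAMPLE_AUDIT_LOG = """\
{"stage":"RequestReceived","verb":"patch","user":{"username":"system:serviceaccount:kube-system:example-sync-controller"},"objectRef":{"resource":"clusterrolebindings","name":"local-path-provisioner-bind","apiGroup":"rbac.authorization.k8s.io"},"requestReceivedTimestamp":"2020-07-19T02:00:05Z"}
{"stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:kube-system:example-sync-controller"},"objectRef":{"resource":"clusterrolebindings","name":"local-path-provisioner-bind","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2020-07-19T02:00:05Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:local-path-storage:local-path-provisioner-service-account"},"objectRef":{"resource":"endpoints","namespace":"local-path-storage","name":"rancher.io-local-path"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2020-07-19T02:00:07Z"}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:kube-system:example-sync-controller"},"objectRef":{"resource":"clusterrolebindings","name":"other-bind","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2020-07-19T03:00:00Z"}
{"stage":"ResponseComplete","verb":"patch","user":{"username":"kubernetes-admin"},"objectRef":{"resource":"clusterrolebindings","name":"local-path-provisioner-bind","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2020-07-20T13:01:00Z"}
{"stage":"ResponseComplete","verb":"dele
"""

# RBAC objects from the manifest in this thread: resource -> object name.
WATCHED = {"clusterrolebindings": "local-path-provisioner-bind",
           "clusterroles": "local-path-provisioner-role"}
MUTATING = {"create", "update", "patch", "delete", "deletecollection"}

def rbac_changes(lines):
    """Return (timestamp, verb, resource, name, user) for successful writes to WATCHED."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or rotated-mid-write line
        # One request is logged at several stages; only the final one has a status.
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in MUTATING:
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("apiGroup") != "rbac.authorization.k8s.io":
            continue
        wanted = WATCHED.get(ref.get("resource"))
        if wanted is None:
            continue
        # deletecollection carries no object name, so match it on the resource alone.
        if ref.get("name") != wanted and ev["verb"] != "deletecollection":
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if 200 <= code < 300:  # ignore denied or failed attempts
            user = (ev.get("user") or {}).get("username", "?")
            hits.append((ev.get("requestReceivedTimestamp", ""), ev["verb"],
                         ref["resource"], ref.get("name", "*"), user))
    return sorted(hits)

if __name__ == "__main__":
    for hit in rbac_changes(SAMPLE_AUDIT_LOG.splitlines()):
        print(*hit)
```

The `user` field of the earliest unexpected write identifies the component or account to investigate.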