registry-creds icon indicating copy to clipboard operation
registry-creds copied to clipboard

Published 20 hours ago verified publisher icon upmc-enterprises

v1. Namespace is forbidden: User cannot list resource "namespaces" in API group.

Open marcgarciajr opened this issue 3 years ago • 10 comments

Any idea why would this happen? Seems like the Go app can't list the namespaces. What can I do in this case?

It is configured for AWS ECR the same registry works fine on minikube, but in dev cluster, it doesn't.

Here is the error:

`time="2020-10-21T05:10:45Z" level=info msg="Starting up..." time="2020-10-21T05:10:45Z" level=info msg="Using AWS Account: 81xxxxxxxx" time="2020-10-21T05:10:45Z" level=info msg="Using AWS Region: ca-central-1" time="2020-10-21T05:10:45Z" level=info msg="Using AWS Assume Role: arn:aws:iam::81xxxxxxx:role/xxxxxxxxxx" time="2020-10-21T05:10:45Z" level=info msg="Refresh Interval (minutes): 60" time="2020-10-21T05:10:45Z" level=info msg="Retry Timer: simple" time="2020-10-21T05:10:45Z" level=info msg="Token Generation Retries: 3" time="2020-10-21T05:10:45Z" level=info msg="Token Generation Retry Delay (se

ERROR: logging before flag.Parse: E1021 05:11:37.436054 1 reflector.go:199] github.com/upmc-enterprises/registry-creds/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "namespaces" in API group "" at the cluster scope`

It is on an infinite loop outputting the error above.

marcgarciajr avatar Oct 21 '20 05:10 marcgarciajr

I am also intermittently encountering this when running in minikube.

minikube version: v1.14.2
commit: 2c82918e2347188e21c4e44c8056fc80408bce10

briprowe avatar Nov 10 '20 20:11 briprowe

Running into this with K3s in an on-premise setup as well..

KennyReeldata avatar Nov 26 '20 15:11 KennyReeldata

You have to allow the serviceaccount that you are using to list some resources from kubernetes otherwise it will fail like yours it's failing. It is failing because doesnt have the enough permissions to be able to do some actions (in th is case list all the namespaces). You can define new permissions or create anoñther serviceAccount to avoid editing the default one that comes from Kubernetes.

Keralin avatar Dec 10 '20 17:12 Keralin

What is the permissions that this app need? Do you assume that it should run as admin?

lackhoa avatar Dec 21 '20 04:12 lackhoa

What is the permissions that this app need? Do you assume that it should run as admin?

No that's wrong, you should'nt run as admin. In my case I added the permissions: namespace: list, get, watch secrets: get, list, watch, create, update, patch and delete serviceaccount: all the permissions.

Remember that the app list all namespaces, and updates or creates secrets to that namespace with the secrets to allow that namespace to dowload the images from the private repository

Keralin avatar Dec 21 '20 09:12 Keralin

@Keralin What do you mean "in your case"? Are there different use cases? I read that only the default serviceAccount is mutated, so do we really need all the permissions for all serviceAccounts?

lackhoa avatar Dec 21 '20 09:12 lackhoa

@lackhoa Sorry for the delay, I just added to this PR with the files you will need. https://github.com/upmc-enterprises/registry-creds/pull/103

Keralin avatar Jul 20 '21 14:07 Keralin

i only configured the secrests.yml and deployment.yml for AWS ECR and got the following error in the pod

 Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "namespaces" in API group "" at the cluster scope

ac5tin avatar Apr 07 '22 14:04 ac5tin

@ac5tin I think you are missing the api_groups = "" permission

kaiffeetasse avatar May 10 '22 15:05 kaiffeetasse

https://aws.amazon.com/premiumsupport/knowledge-center/eks-kubernetes-object-access-error/

motoshkov avatar Jul 04 '22 12:07 motoshkov