After installing yatai-deployment 1.1.16 via helm with mostly default values (only added `enableRestrictedSecurityContext: true`), the yatai-deployment pod logs show that it failed to list secrets in `yatai-system`:

```
yatai-deployment-8586fcd67c-hn65b manager E1107 21:25:58.840002 1 reflector.go:140] pkg/mod/k8s.io/client-go@v0.25.0/tools/cache/reflector.go:169: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:yatai-deployment:yatai-deployment" cannot list resource "secrets" in API group "" in the namespace "yatai-system"
```

I could see that a Role and RoleBinding for it had been created by helm that should give get/list/watch for the two secrets called `yatai-common-env` and `yatai-deployment-shared-env`, but it seems that is not enough. I had to manually create a Role and RoleBinding to give access to all secrets in the `yatai-system` namespace to fix this.

Then more errors appeared, failing to list other resources, e.g.:

```
yatai-deployment-8586fcd67c-hn65b manager E1107 21:35:18.742937 1 reflector.go:140] pkg/mod/k8s.io/client-go@v0.25.0/tools/cache/reflector.go:169: Failed to watch *v1.Deployment: failed to list *v1.Deployment: deployments.apps is forbidden: User "system:serviceaccount:yatai-deployment:yatai-deployment" cannot list resource "deployments" in API group "apps" in the namespace "yatai-system"
yatai-deployment-8586fcd67c-hn65b manager W1107 21:35:21.361358 1 reflector.go:424] pkg/mod/k8s.io/client-go@v0.25.0/tools/cache/reflector.go:169: failed to list *v1alpha1.Bento: bentoes.resources.yatai.ai is forbidden: User "system:serviceaccount:yatai-deployment:yatai-deployment" cannot list resource "bentoes" in API group "resources.yatai.ai" in the namespace "yatai-system"
yatai-deployment-8586fcd67c-hn65b manager E1107 21:35:21.361441 1 reflector.go:140] pkg/mod/k8s.io/client-go@v0.25.0/tools/cache/reflector.go:169: Failed to watch *v1alpha1.Bento: failed to list *v1alpha1.Bento: bentoes.resources.yatai.ai is forbidden: User "system:serviceaccount:yatai-deployment:yatai-deployment" cannot list resource "bentoes" in API group "resources.yatai.ai" in the namespace "yatai-system"
yatai-deployment-8586fcd67c-hn65b manager W1107 21:35:21.383532 1 reflector.go:424] pkg/mod/k8s.io/client-go@v0.25.0/tools/cache/reflector.go:169: failed to list *v2alpha1.BentoDeployment: bentodeployments.serving.yatai.ai is forbidden: User "system:serviceaccount:yatai-deployment:yatai-deployment" cannot list resource "bentodeployments" in API group "serving.yatai.ai" in the namespace "yatai-system"
(...)
```

To fix this, I had to add `yatai-system` to `values.bentoDeploymentNamespaces`, which creates the appropriate Role/RoleBinding for all these resources, i.e.
However, I suspect that this should not happen if bentos are supposed to be deployed in the `yatai` namespace only, not `yatai-system`?
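The denials above follow from how RBAC treats `resourceNames`: a rule restricted to named objects only matches a request that carries an object name (a `get` of one secret, or a list/watch with a `metadata.name` field selector), while a controller's informer issues an unfiltered list/watch of the whole namespace, which no name-restricted rule can satisfy regardless of the verbs it grants, and a namespaced Role only counts inside the namespace of its RoleBinding. The following script is an added example, not code from the yatai project or the issue author: an offline model of that evaluation that parses the 403 messages quoted in the report and checks them against two constructed Roles, one mirroring the chart's two-named-secrets Role and one mirroring the manual all-secrets Role. The Role contents and the `Request`/`Rule`/`BoundRole` names are assumptions made for the example, not copied from the chart.

```python
"""
Added example (not the yatai project's or the issue author's code): a small,
offline model of how Kubernetes RBAC evaluates the requests behind the
"forbidden" messages in the report. Roles are constructed here to mirror what
the report describes; they are not the chart's templates.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Shape of the message client-go reflectors log when the API server returns 403.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)


@dataclass(frozen=True)
class Request:
    verb: str
    group: str
    resource: str
    namespace: str
    # Set for single-object requests (get/update/...) and for list/watch calls
    # that carry a metadata.name field selector; None for an unfiltered list.
    name: Optional[str] = None


@dataclass
class Rule:          # one entry of a Role's `rules:` list
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


@dataclass
class BoundRole:     # a namespaced Role plus the RoleBinding that attaches it
    namespace: str
    rules: list


def parse_forbidden(line: str) -> Optional[Request]:
    """Turn a 403 log line into the (verb, group, resource, namespace) it was denied."""
    m = FORBIDDEN_RE.search(line)
    return Request(m["verb"], m["group"], m["resource"], m["namespace"]) if m else None


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    if not (_matches(rule.verbs, req.verb) and _matches(rule.api_groups, req.group)
            and _matches(rule.resources, req.resource)):
        return False
    if not rule.resource_names:
        return True
    # resourceNames only ever matches a request that names one object. An
    # informer's unfiltered list/watch of the whole namespace has no name, so a
    # name-restricted rule can never satisfy it, whatever verbs it lists.
    return req.name is not None and req.name in rule.resource_names


def is_allowed(bound: list, req: Request) -> bool:
    # A Role only grants inside the namespace of its RoleBinding.
    return any(b.namespace == req.namespace and any(rule_allows(r, req) for r in b.rules)
               for b in bound)


def missing_grants(bound: list, log_lines: list) -> set:
    """Distinct (group, resource, verb, namespace) tuples still denied by `bound`."""
    missing = set()
    for line in log_lines:
        req = parse_forbidden(line)
        if req and not is_allowed(bound, req):
            missing.add((req.group, req.resource, req.verb, req.namespace))
    return missing


# Roles as the report describes them (constructed here, not the chart's YAML).
CHART_ROLE = BoundRole("yatai-system", [
    Rule([""], ["secrets"], ["get", "list", "watch"],
         resource_names=["yatai-common-env", "yatai-deployment-shared-env"]),
])
ALL_SECRETS_ROLE = BoundRole("yatai-system", [
    Rule([""], ["secrets"], ["get", "list", "watch"]),
])

# Denials quoted in the report (pod prefix and file path trimmed).
REPORTED_LOG = [
    'E1107 21:25:58 reflector.go:140] Failed to watch *v1.Secret: failed to list *v1.Secret: '
    'secrets is forbidden: User "system:serviceaccount:yatai-deployment:yatai-deployment" '
    'cannot list resource "secrets" in API group "" in the namespace "yatai-system"',
    'E1107 21:35:18 reflector.go:140] ... User "system:serviceaccount:yatai-deployment:yatai-deployment" '
    'cannot list resource "deployments" in API group "apps" in the namespace "yatai-system"',
    'W1107 21:35:21 reflector.go:424] ... User "system:serviceaccount:yatai-deployment:yatai-deployment" '
    'cannot list resource "bentoes" in API group "resources.yatai.ai" in the namespace "yatai-system"',
]

if __name__ == "__main__":
    informer_list = Request("list", "", "secrets", "yatai-system")
    by_name = Request("get", "", "secrets", "yatai-system", name="yatai-common-env")
    print("named role, informer list:", is_allowed([CHART_ROLE], informer_list))       # False
    print("named role, get by name:  ", is_allowed([CHART_ROLE], by_name))              # True
    print("all-secrets role, list:   ", is_allowed([ALL_SECRETS_ROLE], informer_list))  # True
    for g in sorted(missing_grants([ALL_SECRETS_ROLE], REPORTED_LOG)):
        print("still denied:", g)
```

Running `missing_grants` over a controller's log with the Roles you intend to grant is a quick way to see the full set of verbs and resources it actually needs before widening a Role; note that the log only shows `list` because the reflector's list fails before it ever reaches `watch`, so a real informer needs both verbs.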