This repository was archived by the owner on Mar 28, 2024. It is now read-only.

failed to list *v1alpha1.KluctlDeployment: kluctldeployments.flux.kluctl.io is forbidden #28

Open
lictw opened this issue Nov 30, 2022 · 7 comments

Comments

@lictw

lictw commented Nov 30, 2022

Controller Version

v0.9.0

Kubernetes Version

v1.21.14

Bug description

failed to list *v1alpha1.KluctlDeployment: kluctldeployments.flux.kluctl.io is forbidden: User "system:serviceaccount:flux-system:flux-kluctl-controller" cannot list resource "kluctldeployments" in API group "flux.kluctl.io" at the cluster scope

Steps to reproduce

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
- https://github.com/kluctl/flux-kluctl-controller/config/install?ref=v0.9.0
namespace: flux-system

Relevant log output

W1130 19:03:36.954357       1 reflector.go:424] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: failed to list *v1alpha1.KluctlDeployment: kluctldeployments.flux.kluctl.io is forbidden: User "system:serviceaccount:flux-system:flux-kluctl-controller" cannot list resource "kluctldeployments" in API group "flux.kluctl.io" at the cluster scope
E1130 19:03:36.954385       1 reflector.go:140] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: Failed to watch *v1alpha1.KluctlDeployment: failed to list *v1alpha1.KluctlDeployment: kluctldeployments.flux.kluctl.io is forbidden: User "system:serviceaccount:flux-system:flux-kluctl-controller" cannot list resource "kluctldeployments" in API group "flux.kluctl.io" at the cluster scope
@codablock
Contributor

@lictw Do you have a cluster-admin ClusterRole defined inside your cluster?

@lictw
Author

lictw commented Nov 30, 2022

Of course.

$ kubectl get clusterroles.rbac.authorization.k8s.io cluster-admin
NAME            CREATED AT
cluster-admin   2020-11-11T12:32:12Z

@codablock
Contributor

Strange, I'm not able to reproduce this with a fresh Kind cluster. Does it happen for specific KluctlDeployments or always? I would also assume that this happens before any deployments are applied...

@lictw
Author

lictw commented Dec 1, 2022

I don't understand how it works for you...

The controller uses the flux-kluctl-controller SA, which doesn't have a binding to cluster-admin; there is a binding flux-kluctl-cluster-reconciler for the cluster-admin role, but it refers to the SA controller:

$ kubectl get clusterrolebindings.rbac.authorization.k8s.io flux-kluctl-cluster-reconciler -o json | jq .subjects
[
  {
    "kind": "ServiceAccount",
    "name": "controller",
    "namespace": "flux-system"
  }
]

Kustomize doesn't patch subjects along with namePrefix.
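A check for the mismatch described in this comment (an added example, not part of this issue or of the controller's code): it reads a rendered object list and reports every RoleBinding or ClusterRoleBinding whose ServiceAccount subject has no matching ServiceAccount in the same bundle. The object list below is constructed inline to mirror the kubectl output above; in practice it would come from something like `kustomize build . | kubectl create --dry-run=client -o json -f -`.

```python
"""Find (Cluster)RoleBindings whose ServiceAccount subjects do not exist in
the rendered bundle: the failure mode in this issue, where namePrefix renamed
the ServiceAccount but the binding still names the unprefixed SA."""


def dangling_sa_subjects(objects):
    """Return [(kind/name of binding, roleRef name, (namespace, sa_name)), ...]
    for every ServiceAccount subject that has no ServiceAccount object in
    `objects`. `objects` is a list of plain Kubernetes object dicts."""
    service_accounts = {
        (o["metadata"].get("namespace", "default"), o["metadata"]["name"])
        for o in objects if o.get("kind") == "ServiceAccount"
    }
    findings = []
    for o in objects:
        if o.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        binding_ns = o["metadata"].get("namespace")
        for subj in o.get("subjects", []):
            if subj.get("kind") != "ServiceAccount":
                continue
            # A RoleBinding subject defaults to the binding's namespace;
            # a ClusterRoleBinding subject should state one explicitly.
            ns = subj.get("namespace") or binding_ns or "default"
            if (ns, subj["name"]) not in service_accounts:
                findings.append((f'{o["kind"]}/{o["metadata"]["name"]}',
                                 o["roleRef"]["name"], (ns, subj["name"])))
    return findings


# Constructed sample: the prefixed SA exists, but the cluster-admin binding
# still points at the unprefixed name "controller", exactly as reported above.
SAMPLE = [
    {"kind": "ServiceAccount",
     "metadata": {"name": "flux-kluctl-controller", "namespace": "flux-system"}},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "flux-kluctl-cluster-reconciler"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "controller",
                   "namespace": "flux-system"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "flux-kluctl-reader"},  # hypothetical, well-formed binding
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "flux-kluctl-controller",
                   "namespace": "flux-system"}]},
]

if __name__ == "__main__":
    for binding, role, (ns, name) in dangling_sa_subjects(SAMPLE):
        print(f"{binding} grants {role} to missing ServiceAccount {ns}/{name}")
```

Running it against the sample prints only the broken binding, which is the one that should have been rewritten by the namePrefix and was not.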

@lictw
Author

lictw commented Dec 1, 2022

I installed the Helm chart as a workaround and it works.

@codablock
Contributor

@lictw which Kustomize version are you using? I remember vaguely that Kustomize had a bug in the past that caused namePrefixes to be broken in combination with SAs.

@lictw
Author

lictw commented Dec 2, 2022

I'm using the latest Flux; it seems to be https://github.com/fluxcd/kustomize-controller/blob/main/CHANGELOG.md#0270 (v4.5.7).
