Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG REPORT
Version of Helm and Kubernetes:
Helm: 2.9.0
minikube version: v0.26.1
Which chart:
stable/spinnaker
What happened:
The log of the clouddriver pod is showing the following exception:
$ k logs -n spinnaker kubelive-spinnaker-clouddriver-85997f4b64-4m5lt -f
...
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces. Message: Forbidden! Configured service account doesn't have access. Service account may have been revoked. namespaces is forbidden: User "system:serviceaccount:spinnaker:default" cannot list namespaces at the cluster scope.
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470) ~[kubernetes-client-3.0.3.jar:na]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:407) ~[kubernetes-client-3.0.3.jar:na]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379) ~[kubernetes-client-3.0.3.jar:na]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343) ~[kubernetes-client-3.0.3.jar:na]
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:327) ~[kubernetes-client-3.0.3.jar:na]
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:605) ~[kubernetes-client-3.0.3.jar:na]
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:70) ~[kubernetes-client-3.0.3.jar:na]
at io.fabric8.kubernetes.client.dsl.Listable$list.call(Unknown Source) ~[na:na]
at com.netflix.spinnaker.clouddriver.kubernetes.v1.api.KubernetesApiAdaptor$_getNamespacesByName_closure43.doCall(KubernetesApiAdaptor.groovy:408) ~[clouddriver-kubernetes-1.775.0-SNAPSHOT.jar:1.775.0-SNAPSHOT]
at com.netflix.spinnaker.clouddriver.kubernetes.v1.api.KubernetesApiAdaptor$_getNamespacesByName_closure43.doCall(KubernetesApiAdaptor.groovy) ~[clouddriver-kubernetes-1.775.0-SNAPSHOT.jar:1.775.0-SNAPSHOT]
at sun.reflect.GeneratedMethodAccessor103.invoke(Unknown Source) ~[na:na]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_151]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_151]
at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93) [groovy-all-2.4.12.jar:2.4.12]
at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325) [groovy-all-2.4.12.jar:2.4.12]
at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:294) [groovy-all-2.4.12.jar:2.4.12]
at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022) [groovy-all-2.4.12.jar:2.4.12]
at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42) [groovy-all-2.4.12.jar:2.4.12]
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:117) [groovy-all-2.4.12.jar:2.4.12]
at com.netflix.spinnaker.clouddriver.kubernetes.v1.api.KubernetesApiAdaptor.exceptionWrapper(KubernetesApiAdaptor.groovy:97) ~[clouddriver-kubernetes-1.775.0-SNAPSHOT.jar:1.775.0-SNAPSHOT]
... 154 common frames omitted
What you expected to happen:
No such exception to appear in the logs.
How to reproduce it (as minimally and precisely as possible):
Run the latest Helm chart on Minikube:
helm install -n kubelive stable/spinnaker -f ./values.yaml --timeout 1200 --version 0.4.0 --debug --namespace spinnaker
Anything else we need to know:
How to access the API of the K8s cluster from a pod:
https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod
The Spinnaker docs say you need RBAC set up. This chart does not seem to do this correctly. https://www.spinnaker.io/setup/install/providers/kubernetes/ I'm going to try and apply the RBAC and then patch the deployments with the ServiceAccount. Would be nice to get this all as part of the chart.
Hello,
I am having the same blocking issue.
Trying to deploy Spinnaker on a local kub cluster with Helm: fabric8 in clouddriver is crashing because it is using the default svc account, not the one I created as the doc said.
Helm doesn't seem to be able to provide the configuration about the clouddriver serviceaccount.
Did anyone succeed in making it work when having roles limited to the target namespace and not cluster-admin ones?
+1
workaround:
kubectl create clusterrolebinding spinnaker-default-crbinding --clusterrole cluster-admin --serviceaccount=spinnaker:default
Of course, insecure.
@demetthyl I ended up doing the same as @cbonami. Just binding the CR (either cluster-admin or one I created via the docs) to the default svc account. The chart is for QuickStart and evaluation purposes only. I suspect it will never be a production-grade offering with all configuration options. Also notice that the s3 storage is actually Minio and there is no option to change that. So I went with Halyard.
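Added example (not part of the original thread and not code from the chart or from Spinnaker): a simplified offline model of the RBAC decision behind the 403 in the log. It shows why a RoleBinding limited to the spinnaker namespace still cannot authorize the cluster-scope namespace list, and how much more the cluster-admin workaround grants than a narrow ClusterRole. The role names namespace-lister and spinnaker-ns-admin and all binding data are constructed assumptions; real RBAC also evaluates groups, resourceNames and non-resource URLs, which this model omits.

```python
# Added example: offline model of the RBAC check that produced the 403 above.
# All role and binding data is constructed; "namespace-lister" and
# "spinnaker-ns-admin" are hypothetical names, not objects the chart creates.

SA = {"kind": "ServiceAccount", "namespace": "spinnaker", "name": "default"}

ROLES = {  # (kind, name) -> rules
    ("ClusterRole", "cluster-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    ("ClusterRole", "namespace-lister"): [
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]}],
    ("Role", "spinnaker-ns-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

def binding(kind, name, role_kind, role_name, namespace=None):
    return {"kind": kind, "metadata": {"name": name, "namespace": namespace},
            "roleRef": {"kind": role_kind, "name": role_name},
            "subjects": [dict(SA)]}

WORKAROUND = binding("ClusterRoleBinding", "spinnaker-default-crbinding",
                     "ClusterRole", "cluster-admin")
NAMESPACED = binding("RoleBinding", "spinnaker-ns-admin", "Role",
                     "spinnaker-ns-admin", namespace="spinnaker")
NARROW = binding("ClusterRoleBinding", "spinnaker-namespace-lister",
                 "ClusterRole", "namespace-lister")

def _match(values, wanted):
    return "*" in values or wanted in values

def can_i(subject, verb, resource, bindings, namespace=None, api_group=""):
    """Names of bindings that authorize the request; [] means Forbidden.
    namespace=None models a cluster-scope request such as GET /api/v1/namespaces."""
    granted = []
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        # A RoleBinding only grants access inside its own namespace.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        for rule in ROLES[(b["roleRef"]["kind"], b["roleRef"]["name"])]:
            if (_match(rule["apiGroups"], api_group)
                    and _match(rule["resources"], resource)
                    and _match(rule["verbs"], verb)):
                granted.append(b["metadata"]["name"])
                break
    return granted

if __name__ == "__main__":
    for label, bs in [("chart default", []), ("namespaced only", [NAMESPACED]),
                      ("narrow", [NARROW]), ("workaround", [WORKAROUND])]:
        print(label, can_i(SA, "list", "namespaces", bs),
              can_i(SA, "list", "secrets", bs))
```

On a live cluster the same questions can be asked with kubectl auth can-i list namespaces --as=system:serviceaccount:spinnaker:default.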
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
This issue is being automatically closed due to inactivity.