Flux: Error from server (Forbidden): error when retrieving current configuration

Created on 21 Aug 2019 · 8 Comments · Source: fluxcd/flux

Describe the bug
Flux cannot read cluster resources

To Reproduce

kubectl version
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.7", GitCommit:"4683545293d792934a7a7e12f2cc47d20b2dd01b", GitTreeState:"clean", BuildDate:"2019-06-06T01:46:52Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"13+", GitVersion:"v1.13.7-gke.8", GitCommit:"7d3d6f113e933ed1b44b78dff4baf649258415e5", GitTreeState:"clean", BuildDate:"2019-06-19T16:37:16Z", GoVersion:"go1.11.5b4", Compiler:"gc", Platform:"linux/amd64"}

I have a GKE Cluster and installed flux standalone with kubectl apply -f deploy/

Expected behavior
Flux can read and update resources

Logs

ts=2019-08-21T03:26:21.816681886Z caller=sync.go:545 method=Sync cmd="kubectl apply -f -" took=284.150611ms err="running kubectl: Error from server (Forbidden): error when retrieving current configuration of:\nResource: \"/v1, Resource=services\", GroupVersionKind: \"/v1, Kind=Service\"\nName: \"locust\", Namespace: \"build\"\nObject: &{map[\"apiVersion\":\"v1\" \"kind\":\"Service\" \"metadata\":map[\"annotations\":map[\"flux.weave.works/sync-checksum\":\"f529cf315921fadb0e79e57e47fae7d8d6f37c66\" \"kubectl.kubernetes.io/last-applied-configuration\":\"\"] \"labels\":map[\"flux.weave.works/sync-gc-mark\":\"sha256.1BUVLo8XTA-eTCHHkykTtrR7fEIpqDRtgiZCKk-z0zY\" \"run\":\"locust\"] \"name\":\"locust\" \"namespace\":\"build\"] \"spec\":map[\"ports\":[map[\"port\":'\\u1f99' \"protocol\":\"TCP\" \"targetPort\":'\\u1f99']] \"selector\":map[\"run\":\"locust\"] \"sessionAffinity\":\"None\" \"type\":\"ClusterIP\"]]}\nfrom server for: \"STDIN\": services \"locust\" is forbidden: User \"system:serviceaccount:build:flux\" cannot get resource \"services\" in API group \"\" in the namespace \"build\"" output=

Additional context
Add any other context about the problem here, e.g

  • Flux version: master branch
  • Helm Operator version: N/A
  • Kubernetes version: 1.13
  • Git provider:
  • Container registry provider: Docker Hub
question

All 8 comments

After investigating the issue a little bit more, it seems that the service account cannot read resources "apps" and "extensions".

cannot get resource "deployments" in API group "apps" in the namespace "build"

and

cannot get resource "deployments" in API group "extensions" in the namespace "build"

I installed flux in our 'build' namespace with

kubectl apply -n build -f deploy

Perhaps that is the reason, because the ClusterRoleBinding in flux-account.yaml references a service account in the default namespace:

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flux
subjects:
  - kind: ServiceAccount
    name: flux
    namespace: default

Yes, that's the reason

Instead of using the deploy directory you can use fluxctl install --namespace build | kubectl apply -f -

@2opremio fluxctl install is not yet released.

Well, it is now :)

@MehrCurry My answer applies after you install fluxctl version 1.14.0

Closing, since I think we have addressed the issue. That said, @MehrCurry please comment if you have any further questions on the same issue.
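
The mismatch diagnosed in this thread (the denied identity is system:serviceaccount:build:flux, while the binding's subject sits in the default namespace) can be checked mechanically. This is an added example, not part of the original issue or of Flux's code; the function names are hypothetical, and the sample log tail and binding are constructed from the text above.

```python
import json
import re

# Matches the RBAC denial text that kubectl reports for a service account.
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa_name>[^"]+)" '
    r'cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?')

def parse_forbidden(message):
    """Return who was denied what (hypothetical helper), or None if no match."""
    # The Flux log escapes inner quotes as \" so normalise before matching.
    m = FORBIDDEN_RE.search(message.replace('\\"', '"'))
    return m.groupdict() if m else None

def diagnose(message, binding):
    """Compare the denied service account with the binding's subjects."""
    denied = parse_forbidden(message)
    if denied is None:
        return None
    same_name = [s for s in binding.get("subjects") or []
                 if s.get("kind") == "ServiceAccount"
                 and s.get("name") == denied["sa_name"]]
    namespaces = [s.get("namespace", "") for s in same_name]
    return {
        "service_account": denied["sa_ns"] + "/" + denied["sa_name"],
        "bound": denied["sa_ns"] in namespaces,
        # Same account name bound in other namespaces: the mismatch seen here.
        "bound_elsewhere": sorted(n for n in namespaces if n != denied["sa_ns"]),
    }

# Constructed sample: tail of the error message in the issue's log.
SAMPLE_LOG = (r'services \"locust\" is forbidden: User '
              r'\"system:serviceaccount:build:flux\" cannot get resource '
              r'\"services\" in API group \"\" in the namespace \"build\"')

# Constructed sample: the roleRef and subjects quoted in the issue, as JSON.
SAMPLE_BINDING = json.loads("""{
  "kind": "ClusterRoleBinding",
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
              "kind": "ClusterRole", "name": "flux"},
  "subjects": [{"kind": "ServiceAccount", "name": "flux",
                "namespace": "default"}]
}""")

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_BINDING))
```

A result with bound set to False and a non-empty bound_elsewhere list means the binding grants the role to a service account of the same name in a different namespace from the one the workload runs as.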
