Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EG failed on multi-tenancy example #2430

Closed
shawnh2 opened this issue Jan 11, 2024 · 1 comment · Fixed by #2431
Closed

EG failed on multi-tenancy example #2430

shawnh2 opened this issue Jan 11, 2024 · 1 comment · Fixed by #2431
Assignees
@shawnh2
Labels
area/installation documentation Improvements or additions to documentation kind/bug Something isn't working

Comments

@shawnh2
Copy link
Contributor

shawnh2 commented Jan 11, 2024

Description:

the GatewayClass failed to be accepted on multi-tenancy example.

rolling EG logs, we got:

W0111 10:28:02.676452       1 reflector.go:539] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.ReferenceGrant: referencegrants.gateway.networking.k8s.io is forbidden: User "system:serviceaccount:marketing:envoy-gateway" cannot list resource "referencegrants" in API group "gateway.networking.k8s.io" at the cluster scope
E0111 10:28:02.676510       1 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.ReferenceGrant: failed to list *v1beta1.ReferenceGrant: referencegrants.gateway.networking.k8s.io is forbidden: User "system:serviceaccount:marketing:envoy-gateway" cannot list resource "referencegrants" in API group "gateway.networking.k8s.io" at the cluster scope
W0111 10:28:04.988572       1 reflector.go:539] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha2.TLSRoute: tlsroutes.gateway.networking.k8s.io is forbidden: User "system:serviceaccount:marketing:envoy-gateway" cannot list resource "tlsroutes" in API group "gateway.networking.k8s.io" at the cluster scope
E0111 10:28:04.988657       1 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha2.TLSRoute: failed to list *v1alpha2.TLSRoute: tlsroutes.gateway.networking.k8s.io is forbidden: User "system:serviceaccount:marketing:envoy-gateway" cannot list resource "tlsroutes" in API group "gateway.networking.k8s.io" at the cluster scope
...

seems that the namespaced watch mode are not effected.

Repro steps:

follow the steps from https://gateway.envoyproxy.io/latest/user/deployment-mode/#multi-tenancy

Environment:

latest
@shawnh2 shawnh2 added kind/bug Something isn't working documentation Improvements or additions to documentation area/installation labels Jan 11, 2024
@shawnh2 shawnh2 self-assigned this Jan 11, 2024
@shawnh2
Copy link
Contributor Author

shawnh2 commented Jan 11, 2024

The helm rbac is ok!

But the watch mode api has been changed,

gateway/api/v1alpha1/envoygateway_types.go

Line 212 in c9d5e33

type KubernetesWatchMode struct {

So the doc should also be updated to:

helm install --set config.envoyGateway.gateway.controllerName=gateway.envoyproxy.io/marketing-gatewayclass-controller --set config.envoyGateway.provider.kubernetes.watch.namespaces={marketing} --set config.envoyGateway.provider.kubernetes.watch.type=Namespaces eg-marketing oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n marketing --create-namespace

@shawnh2 shawnh2 mentioned this issue Jan 11, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@shawnh2 shawnh2

Labels
area/installation documentation Improvements or additions to documentation kind/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: add validation for envoy gateway watch mode field and update doc shawnh2/gateway
1 participant
@shawnh2