This repository has been archived by the owner on Oct 21, 2020. It is now read-only.

efs-provisioner: error retrieving resource lock - endpoint is forbidden #1209

Closed
richstokes opened this issue Aug 16, 2019 · 9 comments
Closed
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@richstokes

Using AWS EFS.

Followed instructions (https://github.com/kubernetes-incubator/external-storage/tree/master/aws/efs), applied RBAC yaml. But getting this in the efs-provisioner logs:

E0816 19:25:11.059420       1 leaderelection.go:252] error retrieving resource lock default/company.io-efs: endpoints "company.io-efs" is forbidden: User "system:serviceaccount:default:default" cannot get resource "endpoints" in API group "" in the namespace "default"

What am I/the docs missing here?

@richstokes richstokes changed the title error retrieving resource lock error retrieving resource lock - endpoint is forbidden Aug 16, 2019
@richstokes richstokes changed the title error retrieving resource lock - endpoint is forbidden efs-provisioner: error retrieving resource lock - endpoint is forbidden Aug 16, 2019
@richstokes
Author

richstokes commented Aug 16, 2019

Got it working by changing the RBAC to:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-provisioner-runner
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: run-efs-provisioner
subjects:
  - kind: ServiceAccount
    name: efs-provisioner
    # replace with namespace where provisioner is deployed
    namespace: default
roleRef:
  kind: ClusterRole
  name: efs-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
# ---
# kind: Role
# apiVersion: rbac.authorization.k8s.io/v1
# metadata:
#   name: leader-locking-efs-provisioner
# rules:
#   - apiGroups: [""]
#     resources: ["endpoints"]
#     verbs: ["get", "list", "watch", "create", "update", "patch"]
# ---
# kind: RoleBinding
# apiVersion: rbac.authorization.k8s.io/v1
# metadata:
#   name: leader-locking-efs-provisioner
# subjects:
#   - kind: ServiceAccount
#     name: efs-provisioner
#     # replace with namespace where provisioner is deployed
#     namespace: default
# roleRef:
#   kind: Role
#   name: leader-locking-efs-provisioner
#   apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: efs-provisioner

And adding the service account to the manifest.yaml

   spec:
      serviceAccount: efs-provisioner
      containers:
        - name: efs-provisioner
          image: quay.io/external_storage/efs-provisioner:latest

^^ Found this in an old ticket (#953), but doesn't look like a fix was ever rolled out. Would be worth integrating these fixes as it's quite annoying following docs and example yamls that are out of date and wrong.

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 14, 2019
@AdapptGru

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 3, 2019
@AdapptGru

Hit this just now & @richstokes' comment fixed it. The docs can seriously do with some updates.

@wavetylor

This is likely due to the efs-provisioner's deployment being in a non-default namespace.
If you deploy efs-provisioner into a namespace other than default, you need to also add the namespace to the Role and RoleBinding.
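
The two fixes in this thread (the ClusterRole rewrite above and the namespace point in this comment) both come down to one RBAC decision: does the ServiceAccount the pod actually runs as hold `get` on `endpoints` in the namespace where the leader-election lock lives? The script below is an added example, not code from the issue or from the external-storage project. It parses the "is forbidden" line from the original report, models the manifests' rules as a simplified RBAC evaluator (no resourceNames, aggregation or default bindings), and shows why the lock is denied when the pod runs as `default:default`, why a leader-locking Role left in `default` does not help a provisioner deployed elsewhere, and what moving the endpoints rule into the ClusterRole grants cluster-wide. The assumption that the lock namespace is the namespace the provisioner is deployed in is taken from the `default/company.io-efs` prefix in the log line.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]

    def allows(self, group: str, resource: str, verb: str) -> bool:
        def hit(wanted, have):
            return "*" in have or wanted in have
        return hit(group, self.api_groups) and hit(resource, self.resources) and hit(verb, self.verbs)


@dataclass(frozen=True)
class Binding:
    subjects: Tuple[Tuple[str, str], ...]   # (namespace, name) of bound ServiceAccounts
    rules: Tuple[Rule, ...]
    namespace: Optional[str]                 # RoleBinding namespace; None models a ClusterRoleBinding


def can_i(bindings, sa_ns, sa_name, verb, resource, ns, group=""):
    """True if ServiceAccount sa_ns/sa_name may <verb> <resource> in namespace ns (simplified RBAC)."""
    for b in bindings:
        if (sa_ns, sa_name) not in b.subjects:
            continue
        if b.namespace is not None and b.namespace != ns:
            continue  # a RoleBinding only grants inside its own namespace
        if any(r.allows(group, resource, verb) for r in b.rules):
            return True
    return False


# API-server RBAC denial, as seen in the provisioner log in this issue
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:]+):(?P<sa_name>[^"]+)" cannot '
    r'(?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'in the namespace "(?P<ns>[^"]+)"'
)

def parse_forbidden(log_line: str) -> dict:
    """Extract subject, verb, resource, API group and namespace from an RBAC forbidden message."""
    m = FORBIDDEN_RE.search(log_line)
    if not m:
        raise ValueError("not an RBAC forbidden message")
    return m.groupdict()


# Rules copied from the efs-provisioner RBAC manifests quoted in this thread
PV_RULES = (
    Rule(("",), ("persistentvolumes",), ("get", "list", "watch", "create", "delete")),
    Rule(("",), ("persistentvolumeclaims",), ("get", "list", "watch", "update")),
    Rule(("storage.k8s.io",), ("storageclasses",), ("get", "list", "watch")),
    Rule(("",), ("events",), ("list", "watch", "create", "update", "patch")),
)
LOCK_RULE = Rule(("",), ("endpoints",), ("get", "list", "watch", "create", "update", "patch"))


def efs_bindings(deploy_ns: str, role_ns: str, lock_in_clusterrole: bool = False):
    """Bindings for ServiceAccount efs-provisioner.
    deploy_ns: namespace the pod (and so the SA) lives in.
    role_ns: namespace written into the leader-locking Role/RoleBinding, i.e. the value the
             manifest tells you to 'replace with namespace where provisioner is deployed'.
    lock_in_clusterrole: model the thread's fix that moves the endpoints rule into the ClusterRole."""
    cluster_rules = PV_RULES + ((LOCK_RULE,) if lock_in_clusterrole else ())
    bindings = [Binding(((deploy_ns, "efs-provisioner"),), cluster_rules, None)]
    if not lock_in_clusterrole:
        bindings.append(Binding(((role_ns, "efs-provisioner"),), (LOCK_RULE,), role_ns))
    return bindings


def lock_allowed(bindings, sa_ns, sa_name, lock_ns):
    """Can this SA read the leader-election Endpoints lock in lock_ns?"""
    return can_i(bindings, sa_ns, sa_name, "get", "endpoints", lock_ns)


# The log line from the original report (constructed copy of the text above)
LOG_LINE = ('E0816 19:25:11.059420 1 leaderelection.go:252] error retrieving resource lock '
            'default/company.io-efs: endpoints "company.io-efs" is forbidden: User '
            '"system:serviceaccount:default:default" cannot get resource "endpoints" in API '
            'group "" in the namespace "default"')

if __name__ == "__main__":
    d = parse_forbidden(LOG_LINE)
    print("denied subject:", d["sa_ns"], d["sa_name"], "->", d["verb"], d["resource"], "in", d["ns"])
    # no serviceAccount in the Deployment: pod runs as default:default, which nothing binds
    print("default SA:", lock_allowed(efs_bindings("default", "default"), d["sa_ns"], d["sa_name"], d["ns"]))
    # provisioner deployed in 'storage' but Role/RoleBinding still say 'default'
    print("namespace mismatch:", lock_allowed(efs_bindings("storage", "default"), "storage", "efs-provisioner", "storage"))
    # Role/RoleBinding updated to the deployment namespace
    print("namespace fixed:", lock_allowed(efs_bindings("storage", "storage"), "storage", "efs-provisioner", "storage"))
```

Running it reproduces the three situations in the thread: the denial when the Deployment has no `serviceAccount` set, the denial when the leader-locking Role/RoleBinding still name `default` while the pod runs in another namespace, and the grant once they match. The namespaced Role is the narrower of the two fixes: with `lock_in_clusterrole=True` the same check also succeeds in `kube-system` and every other namespace, which is more than the provisioner needs for one lock object.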

@boomshadow

@wavetylor Thank you so much for posting! That's what I needed. Adding the namespace to the Role and RoleBinding fixed my issue!

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 8, 2020
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jul 8, 2020
@nikhita
Member

nikhita commented Aug 7, 2020

Thanks for reporting the issue!

This repo is no longer being maintained and we are in the process of archiving this repo. Please see kubernetes/org#1563 for more details.

If your issue relates to nfs provisioners, please create a new issue in https://github.com/kubernetes-sigs/nfs-ganesha-server-and-external-provisioner or https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner.

Going to close this issue in order to archive this repo. Apologies for the churn and thanks for your patience! 🙏
