client.Get() requires watch permission #1156

Closed
kapilpau opened this issue Sep 9, 2020 · 11 comments

@kapilpau
kapilpau commented Sep 9, 2020

When trying to call client.Get(), if you don't have watch permissions for the resource, you get the following error (for example, when getting a StorageClass):

pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:105: Failed to watch *v1.StorageClass: unknown (get storageclasses.storage.k8s.io)

Why does get require watch permission? It shouldn't be watching any resources.

@dvob
Contributor

dvob commented Oct 18, 2020

What does your code look like?

@camilamacedo86
Member

I understand that because of the cache the WATCH permission/verb is required.

@coderanger
Contributor

This is indeed normal and expected. If you want to make an uncached request, you can make a new client object instead.

@kapilpau
Author

@coderanger can we do that from the existing client?

@dvob
Contributor

dvob commented Oct 20, 2020

I think you get this error already during startup and not really on the client.Get() call. If you create a controller for certain resources, it is normal that the controller manager starts to watch and list all resources so that it can start the reconciliation if a resource changes (create/update/delete).
If you don't have a controller for that resource (which means no watch) you should be able to run client.Get() without watch permission.

@dvob
Contributor

dvob commented Oct 20, 2020

Ok, I am probably wrong. If I understood #1222 correctly, it seems that if you use Get or List on a resource for the first time it automatically gets added to the informers, which means it starts to watch that resource.

@kapilpau
Author

How can we prevent this? We want to be able to get an object by name without having watch permissions, but currently cannot do that.

@coderanger
Contributor

Use a non-caching client. Right now you, somewhere, have some code like Client: mgr.GetClient(). Change that to more like Client: client.New(mgr.GetConfig(), client.Options{Scheme: mgr.GetScheme(), Mapper: mgr.GetRESTMapper()}). That will give you a non-cached client. Just keep in mind that means you lose the benefits of caching. And of course you need watch permissions on anything in a For() or Owns() watch request.
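
The choice between the cached and the non-cached client decides which RBAC verbs a controller's role must carry: a read served from the cache is backed by an informer that lists and watches the resource, while a non-cached Get only issues a get. The following is an added example, not part of the thread and not controller-runtime code, that checks a role's rules against the reads a controller performs. The types PolicyRule and Read and the function MissingVerbs are hypothetical, and the matching is simplified (no resourceNames or subresources).

```go
package main

import "fmt"

// PolicyRule mirrors the rbac/v1 PolicyRule fields used here (hypothetical type).
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// Read is one resource the controller reads, and through which client.
type Read struct {
	APIGroup, Resource string
	Cached             bool // true: mgr.GetClient(); false: non-cached client
}

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// MissingVerbs returns the verbs the rules fail to grant for a read.
// Cached reads need list and watch (informer); non-cached Get needs get.
func MissingVerbs(rules []PolicyRule, rd Read) []string {
	need := []string{"get"}
	if rd.Cached {
		need = []string{"list", "watch"}
	}
	var missing []string
	for _, verb := range need {
		ok := false
		for _, r := range rules {
			if has(r.APIGroups, rd.APIGroup) && has(r.Resources, rd.Resource) && has(r.Verbs, verb) {
				ok = true
			}
		}
		if !ok {
			missing = append(missing, verb)
		}
	}
	return missing
}

func main() {
	// Constructed role: get-only on StorageClasses, as in the issue.
	rules := []PolicyRule{{[]string{"storage.k8s.io"}, []string{"storageclasses"}, []string{"get"}}}
	fmt.Println(MissingVerbs(rules, Read{"storage.k8s.io", "storageclasses", true}))  // cached
	fmt.Println(MissingVerbs(rules, Read{"storage.k8s.io", "storageclasses", false})) // non-cached
}
```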

@kapilpau
Author

Ok, thank you

@coderanger
Contributor

/close

@k8s-ci-robot
Contributor

@coderanger: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

mresvanis added a commit to mresvanis/kernel-module-management that referenced this issue Dec 2, 2022
This fix adds the watch permission for ConfigMaps to the Module
reconciler, in order to be able to successfully client.Get() the build
Dockerfile ConfigMap. This client.Get() fails because the
controller-runtime client reads from its cache, instead of directly from
the API server. The client needs the watch permission, in order to be
able to build its cache.

- kubernetes-sigs/controller-runtime#1156

Signed-off-by: Michail Resvanis <[email protected]>