
error: admission webhook "owner.namespace.capsule.clastix.io" denied the request #478

Closed
tomarent opened this issue Nov 29, 2021 · 8 comments
duplicate This issue or pull request already exists

Comments

tomarent commented Nov 29, 2021

Bug description

After upgrading to version v0.1.1-rc0, I receive the following error message:

You do not have any Tenant assigned: please, reach out to the system administrators, error: admission webhook "owner.namespace.capsule.clastix.io" denied the request: You do not have any Tenant assigned: please, reach out to the system administrators

FYI: the reason for trying version v0.1.1-rc0 is that I was facing the issue explained in issue #415.

How to reproduce

Steps to reproduce the behavior:

The helmRelease I am using:

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: capsule
  namespace: capsule-system
spec:
  interval: 10m
  chart:
    spec:
      chart: capsule
      sourceRef:
        kind: HelmRepository
        name: clastix
        namespace: capsule-system
      interval: 10m
  values:
    manager:
      image:
        tag: "v0.1.1-rc0"
      options:
        capsuleUserGroups: ["capsule.clastix.io", "system:serviceaccounts:flux-system"]
        forceTenantPrefix: true
      resources:
        limits:
          cpu: 200m
          memory: 256Mi
        requests:
          cpu: 200m
          memory: 256Mi
    serviceAccount:
      name: "capsule-service-account"
    webhooks:
      cordoning:
          matchExpressions:
            - key: capsule.clastix.io/tenant
              operator: Exists
      ingresses:
        namespaceSelector:
          matchExpressions:
            - key: capsule.clastix.io/tenant
              operator: Exists
      networkpolicies:
        namespaceSelector:
          matchExpressions:
            - key: capsule.clastix.io/tenant
              operator: Exists
      pods:
        namespaceSelector:
          matchExpressions:
            - key: capsule.clastix.io/tenant
              operator: Exists
      persistentvolumeclaims:
        namespaceSelector:
          matchExpressions:
            - key: capsule.clastix.io/tenant
              operator: Exists
      services:
        namespaceSelector:
          matchExpressions:
            - key: capsule.clastix.io/tenant
              operator: Exists

My CapsuleConfiguration file looks as follows:

apiVersion: v1
items:
- apiVersion: capsule.clastix.io/v1alpha1
  kind: CapsuleConfiguration
  metadata:
    annotations:
      meta.helm.sh/release-name: capsule
      meta.helm.sh/release-namespace: capsule-system
    creationTimestamp: "2021-11-29T11:07:17Z"
    generation: 1
    labels:
      app.kubernetes.io/instance: capsule
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: capsule
      app.kubernetes.io/version: 0.1.0
      helm.sh/chart: capsule-0.1.3
      helm.toolkit.fluxcd.io/name: capsule
      helm.toolkit.fluxcd.io/namespace: capsule-system
    name: default
    resourceVersion: "1414161"
    uid: 9086035a-271d-4f81-82af-452e18a5e881
  spec:
    forceTenantPrefix: true
    protectedNamespaceRegex: ""
    userGroups:
    - capsule.clastix.io
    - system:serviceaccounts:flux-system
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

Expected behavior

Logs

{"level":"debug","ts":"2021-11-29T11:25:46.985Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/namespace-owner-reference","code":403,"reason":"You do not have any Tenant assigned: please, reach out to the system administrators","UID":"6b258a89-c1f4-4264-aaf2-6fdad5d4cd45","allowed":false}

Additional context

  • Capsule version: v0.1.1-rc0
  • Helm Chart version: 0.1.3
  • Kubernetes version: 1.21
@tomarent tomarent added blocked-needs-validation Issue need triage and validation bug Something isn't working labels Nov 29, 2021
@prometherion
Member

Hey, thanks for reporting this, really appreciated!

May I ask you to also provide the Tenant YAML definition and the action used to create the Namespace for the said user? It seems it's executed by a Flux reconcile; it would be great to have further details in order to reproduce this.

@tomarent
Author

tomarent commented Dec 1, 2021

I have done some additional tests and it's not related to the version.

When I add the service account at the end, "system:serviceaccounts:flux-system:tenant-serviceaccount", to the userGroups in the Capsule configuration, then it works. However, this does not work: "system:serviceaccounts:flux-system".

I thought that using the group "flux-system" would include any service account created in that namespace?

@slushysnowman
Contributor

Is the service account assigned as an owner of the tenant? It's not enough to just have it in capsuleUserGroups.

@prometherion
Member

Maybe better to ask for help from @MaxFedotov, who worked on this feature 👀

@prometherion prometherion removed the blocked-needs-validation Issue need triage and validation label Dec 21, 2021
@prometherion prometherion self-assigned this Dec 21, 2021
@prometherion
Member

prometherion commented Dec 21, 2021

Ok, it seems I found an error, raising a PR and having a discussion there.

Well, no, I was able to test the full chain for Service Account.

I got this Tenant definition:

apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: gas
spec:
  owners:
  - kind: ServiceAccount
    name: system:serviceaccount:flux-system:tenant-serviceaccount

And the following CapsuleConfiguration:

apiVersion: capsule.clastix.io/v1alpha1
kind: CapsuleConfiguration
metadata:
  name: default
spec:
  forceTenantPrefix: false
  protectedNamespaceRegex: ""
  userGroups:
  - capsule.clastix.io
  - system:serviceaccounts:flux-system

Obviously, I got the namespace flux-system along with the said Service Account.

$: kubectl -n flux-system get serviceaccounts
NAME                    SECRETS   AGE
default                 1         26m
tenant-serviceaccount   1         26m

I'm running the latest commit of Capsule (778fb4b) and I simulate a ServiceAccount-based Namespace creation.

curl -k -H "Authorization: Bearer $(k get secret tenant-serviceaccount-token-h6k8w -o jsonpath="{@.data.token}" | base64 -d)" https://127.0.0.1:44015/api/v1/namespaces -XPOST -d '{"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "oil-development"}}' -H 'content-type: application/json'

{
  "kind": "Namespace",
  "apiVersion": "v1",
  "metadata": {
    "name": "oil-development",
    "uid": "8e4bd741-2f8a-481f-8ce1-8c247e6ede93",
    "resourceVersion": "16153",
    "creationTimestamp": "2021-12-21T08:53:19Z",
    "labels": {
      "kubernetes.io/metadata.name": "oil-development"
    },
    "ownerReferences": [
      {
        "apiVersion": "capsule.clastix.io/v1beta1",
        "kind": "Tenant",
        "name": "gas",
        "uid": "3b120112-07da-492b-9415-2977cdd8c6c8",
        "controller": true,
        "blockOwnerDeletion": true
      }
    ],
    "managedFields": [
      {
        "manager": "curl",
        "operation": "Update",
        "apiVersion": "v1",
        "time": "2021-12-21T08:53:17Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {"f:metadata":{"f:labels":{".":{},"f:kubernetes.io/metadata.name":{}}}}
      }
    ]
  },
  "spec": {
    "finalizers": [
      "kubernetes"
    ]
  },
  "status": {
    "phase": "Active"
  }
}

Please, could you share your Tenant definition? Because I was able to replicate your issue by using the wrong ServiceAccount name:

apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: gas
spec:
  owners:
  - kind: ServiceAccount
-    name: system:serviceaccounts:flux-system:tenant-serviceaccount
+    name: system:serviceaccount:flux-system:tenant-serviceaccount
  - kind: User
    name: bob

Please note the Owner name for the SA: since it's a Service Account user and not a group, the prefix must be singular.
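An added consistency check for the naming rule above (example code, not part of Capsule or of this thread): Kubernetes authenticates a ServiceAccount as the user `system:serviceaccount:<namespace>:<name>` (singular) and places it in the groups `system:serviceaccounts` and `system:serviceaccounts:<namespace>` (plural), so a Tenant owner of kind ServiceAccount needs the singular user name, while CapsuleConfiguration `userGroups` lists the plural group. The function `check_tenant_owners` is hypothetical, and the manifests are constructed inline from the ones posted in this thread.

```python
import re
from typing import Dict, List

# Kubernetes authenticates a ServiceAccount as the *user*
# "system:serviceaccount:<namespace>:<name>" (singular) and places it in the
# *groups* "system:serviceaccounts" and "system:serviceaccounts:<namespace>".
SA_USER_RE = re.compile(r"^system:serviceaccount:([a-z0-9-]+):([a-z0-9.-]+)$")
SA_GROUP_PREFIX = "system:serviceaccounts"


def check_tenant_owners(tenant: Dict, capsule_config: Dict) -> List[str]:
    """Return findings for ServiceAccount owners; empty when the pair is consistent."""
    findings: List[str] = []
    user_groups = capsule_config.get("spec", {}).get("userGroups", [])
    for owner in tenant.get("spec", {}).get("owners", []):
        if owner.get("kind") != "ServiceAccount":
            continue
        name = owner.get("name", "")
        if name.startswith(SA_GROUP_PREFIX + ":"):
            # The mistake from this thread: the plural form names a group, not the SA.
            findings.append(f"{name}: plural prefix is a group; use "
                            f"system:serviceaccount:<namespace>:<name>")
            continue
        match = SA_USER_RE.match(name)
        if not match:
            findings.append(f"{name}: not a valid ServiceAccount user name")
            continue
        namespace = match.group(1)
        # The owner is only treated as a Capsule user if one of its groups
        # is listed in CapsuleConfiguration.spec.userGroups.
        if (SA_GROUP_PREFIX not in user_groups
                and f"{SA_GROUP_PREFIX}:{namespace}" not in user_groups):
            findings.append(f"{name}: add {SA_GROUP_PREFIX}:{namespace} to userGroups")
    return findings


# Constructed from the manifests posted in this thread.
CAPSULE_CONFIG = {"spec": {"userGroups": ["capsule.clastix.io",
                                          "system:serviceaccounts:flux-system"]}}
TENANT_WRONG = {"spec": {"owners": [
    {"kind": "ServiceAccount", "name": "system:serviceaccounts:flux-system:tenant-serviceaccount"}]}}
TENANT_RIGHT = {"spec": {"owners": [
    {"kind": "ServiceAccount", "name": "system:serviceaccount:flux-system:tenant-serviceaccount"},
    {"kind": "User", "name": "bob"}]}}

if __name__ == "__main__":
    for label, tenant in (("wrong", TENANT_WRONG), ("right", TENANT_RIGHT)):
        print(label, check_tenant_owners(tenant, CAPSULE_CONFIG) or ["OK"])
```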

@prometherion prometherion added blocked-needs-validation Issue need triage and validation and removed bug Something isn't working labels Dec 21, 2021
@prometherion
Member

Obviously, if I missed something @MaxFedotov, please, be my guest: I've always had trouble with the SA integration, mostly for the integration part using kubectl 😅

@MaxFedotov
Collaborator

@prometherion @tomarent I think this is the same issue that was here: #449 (comment)

And this configuration works well for us :)

@prometherion prometherion added duplicate This issue or pull request already exists and removed blocked-needs-validation Issue need triage and validation labels Dec 21, 2021
@prometherion
Member

Ok, marking the issue as duplicate.

Please, @tomarent, if you feel the need to open it back, be my guest, and thanks for using Capsule! 🚀
