Permissions issues in the 22.6.0 #187

Closed
jonathon-love opened this issue Mar 19, 2022 · 7 comments

@jonathon-love

hi,

i've been happily using kubernetes_asyncio for a while now on a microk8s v1.21.10 cluster, but i recently had a container having permissions issues when executing a watch on persistent volumes:

kubernetes_asyncio.client.exceptions.ApiException: (401)
Reason: Unauthorized: Unauthorized

after tinkering for a while, i traced the issue back to the recent 22.6.0 release of kubernetes_asyncio ... if i roll back to an earlier version of kubernetes_asyncio, everything works again.

is this a problem in kubernetes_asyncio, or has my microk8s fallen off the back of reasonable compatibility?

with thanks

@tomplus
Owner

tomplus commented Mar 20, 2022

Do you watch PVs from the pod or from outside the cluster? Do you use this function: CoreV1Api.list_persistent_volume?

Could you provide steps to reproduce? I tried something on my minikube but with no luck.

@jonathon-love
Author

yeah, so this is from within a pod inside my cluster.

i basically go:

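from kubernetes_asyncio import client, config
from kubernetes_asyncio.watch import Watch

async def watch_persistent_volumes():
    # Use the pod's mounted service account credentials
    config.load_incluster_config()

    api = client.CoreV1Api(client.ApiClient())

    watch = Watch()
    async for update in watch.stream(api.list_persistent_volume):
        ...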

is that enough to go on? i can whip you up a reproducible example if you need (but i'm obviously lazy and trying to avoid that :P).

with thanks

@tomplus
Owner

tomplus commented Mar 20, 2022

I did some tests and it works on my site. I use minikube with k8s v1.21.10, kubernetes-asyncio 22.6.0. I'll check it on microk8s later.

@JacobHayes

This issue may be related: dask/dask-kubernetes#419. I get:

HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:anonymous\" cannot create resource \"pods\" in API group \"\" in the namespace \"default\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}

when accessing k8s (version 1.21.9-gke.1002) with managed google-cloud-sdk auth (application default credentials):

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ...
    server: https://...
  name: ...
contexts:
- context:
    cluster: ...
    user: ...
  name: ...
current-context: ...
kind: Config
preferences: {}
users:
- name: ...
  user:
    auth-provider:
      config:
        access-token: ...
        cmd-args: config config-helper --format=json
        cmd-path: /usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gcloud
        expiry: ...
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp

Downgrading to kubernetes-asyncio==21.7.1 fixed things.

@tomplus
Owner

tomplus commented Mar 21, 2022

Thanks for your input. It may be related but there are 2 differences:

  1. in-cluster config vs remote cluster (via kubeconfig with gcloud command)
  2. error code 401 vs. 403

I'm still investigating...

@tomplus
Owner

tomplus commented Mar 22, 2022

It should be fixed now. Could you try with the latest version 22.6.1? Thanks.

@jonathon-love
Author

it works!
