Unable to start jx compliance reports #501

Closed
slavaaaaaaaaaa opened this issue Jul 23, 2018 · 8 comments
Labels: kind/bug (Behavior isn't as expected or intended), lifecycle/active (Actively being worked on)

Comments

@slavaaaaaaaaaa

What steps did you take and what happened:

  1. Follow JenkinsX deployment manual to deploy JenkinsX on an already-existing GKE cluster
  2. As part of Validating cluster conformance run jx compliance run
  3. Get errors:
$ jx compliance run
INFO[0001] created object                                name=heptio-sonobuoy namespace= resource=namespaces
INFO[0001] created object                                name=sonobuoy-serviceaccount namespace=heptio-sonobuoy resource=serviceaccounts
INFO[0001] object already exists                         name=sonobuoy-serviceaccount-heptio-sonobuoy namespace= resource=clusterrolebindings
error: failed to start the compliance tests: failed to create object: failed to create API resource sonobuoy-serviceaccount: clusterroles.rbac.authorization.k8s.io "sonobuoy-serviceaccount" is forbidden: attempt to grant extra privileges: [PolicyRule{APIGroups:["*"], Resources:["*"], Verbs:["*"]}] user=&{client  [system:authenticated] map[]} ownerrules=[PolicyRule{APIGroups:["authorization.k8s.io"], Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/openapi" "/openapi/*" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version" "/version/"], Verbs:["get"]}] ruleResolutionErrors=[]
  4. If I run it again, apparently the service account does exist:
$ jx compliance run
INFO[0001] object already exists                         name=heptio-sonobuoy namespace= resource=namespaces
error: failed to start the compliance tests: failed to create object: failed to create API resource sonobuoy-serviceaccount: serviceaccounts "sonobuoy-serviceaccount" already exists

What did you expect to happen:
Expect no errors to be shown and the compliance tests to run.

Anything else you would like to add:
This is not a vanilla, new GKE cluster - other things are present there already.

Environment:

  • Sonobuoy version:
    jx version 1.3.112, unknown included sonobuoy version.
  • Kubernetes version: (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T22:29:25Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.4-gke.2", GitCommit:"eb2e43842aaa21d6f0bb65d6adf5a84bbdc62eaf", GitTreeState:"clean", BuildDate:"2018-06-15T21:48:39Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}
  • Kubernetes installer & version: GKE
  • Cloud provider or hardware configuration: GCP
  • OS (e.g. from /etc/os-release): N/A
  • Sonobuoy tarball (which contains * below): N/A
@timothysc
Contributor

@smaslennikov - did you follow these instructions for gke - https://github.com/heptio/sonobuoy/blob/master/README.md#run-on-google-cloud-platform-gcp ?

timothysc self-assigned this Jul 23, 2018
timothysc added the kind/bug label (Behavior isn't as expected or intended) Jul 23, 2018
@slavaaaaaaaaaa
Author

@timothysc Yes, the result is the same:

$ kubectl create clusterrolebinding sonobuoy-serviceaccount --clusterrole=cluster-admin --user=my@email
clusterrolebinding.rbac.authorization.k8s.io/sonobuoy-serviceaccount created
$ jx compliance run
INFO[0001] created object                                name=heptio-sonobuoy namespace= resource=namespaces
INFO[0001] created object                                name=sonobuoy-serviceaccount namespace=heptio-sonobuoy resource=serviceaccounts
INFO[0001] object already exists                         name=sonobuoy-serviceaccount-heptio-sonobuoy namespace= resource=clusterrolebindings
error: failed to start the compliance tests: failed to create object: failed to create API resource sonobuoy-serviceaccount: clusterroles.rbac.authorization.k8s.io "sonobuoy-serviceaccount" is forbidden: attempt to grant extra privileges: [PolicyRule{APIGroups:["*"], Resources:["*"], Verbs:["*"]}] user=&{client  [system:authenticated] map[]} ownerrules=[PolicyRule{APIGroups:["authorization.k8s.io"], Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/openapi" "/openapi/*" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version" "/version/"], Verbs:["get"]}] ruleResolutionErrors=[]

Is the jx compliance wrapper at issue here?
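
Added example, not part of the thread or of the sonobuoy/jx code: a Python parser for the "attempt to grant extra privileges" error shown in the two reports above. It extracts the identity the API server evaluated and the rules that identity holds, then lists the requested rules those do not cover. The names parse_rules, covers and diagnose are this example's own, covers is a simplified stand-in for the API server's rule comparison, and SAMPLE is the page's error text with the NonResourceURLs list shortened.

```python
import re

# The page's error text; the NonResourceURLs list is shortened (constructed sample).
SAMPLE = (
    'clusterroles.rbac.authorization.k8s.io "sonobuoy-serviceaccount" is forbidden: '
    'attempt to grant extra privileges: '
    '[PolicyRule{APIGroups:["*"], Resources:["*"], Verbs:["*"]}] '
    'user=&{client  [system:authenticated] map[]} '
    'ownerrules=[PolicyRule{APIGroups:["authorization.k8s.io"], '
    'Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], Verbs:["create"]} '
    'PolicyRule{NonResourceURLs:["/api" "/api/*" "/version"], Verbs:["get"]}] '
    'ruleResolutionErrors=[]'
)

# user=&{Name UID [Groups] Extra}: the Go struct dump of the authenticated user.
ERROR_RE = re.compile(
    r'attempt to grant extra privileges: \[(.*?)\] '
    r'user=&\{(\S+) (\S*) \[(.*?)\] .*?\} '
    r'ownerrules=\[(.*)\] ruleResolutionErrors'
)

def parse_rules(text):
    """Turn 'PolicyRule{Key:["a" "b"], ...}' runs into a list of {key: set} dicts."""
    rules = []
    for body in re.findall(r'PolicyRule\{(.*?)\}', text):
        fields = re.findall(r'(\w+):\[(.*?)\]', body)
        rules.append({k: set(re.findall(r'"([^"]*)"', v)) for k, v in fields})
    return rules

def covers(owner, wanted):
    """Simplified assumption: a single held rule must cover the requested one."""
    return all('*' in owner.get(k, set()) or wanted.get(k, set()) <= owner.get(k, set())
               for k in ('APIGroups', 'Resources', 'Verbs'))

def diagnose(msg, bound_user):
    """Return who the API server saw, what they hold, and what the request lacks."""
    m = ERROR_RE.search(msg)
    if m is None:
        return None
    wanted, name, _uid, groups, owned = m.groups()
    owner_rules = parse_rules(owned)
    missing = [w for w in parse_rules(wanted)
               if not any(covers(o, w) for o in owner_rules)]
    return {'user': name, 'groups': groups.split(), 'owner_rule_count': len(owner_rules),
            'missing': missing,
            # A User subject in a binding matches only on the exact user name.
            'binding_applies': name == bound_user}

if __name__ == '__main__':
    print(diagnose(SAMPLE, 'my@email'))
```

For the error above, diagnose(SAMPLE, 'my@email') reports user client in group system:authenticated, so a binding whose User subject is my@email does not match the identity the API server evaluated.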

@timothysc
Contributor

@fabioy - You run on gke all the time, ever seen this ^

@timothysc
Contributor

@smaslennikov After looking at your initial report it looks like you have stale resources left over.

You need to run sonobuoy delete after the end of a run.
You might want to adjust the tooling that is using sonobuoy.

@slavaaaaaaaaaa
Author

@timothysc I'm aware of the delete command - I've been using the wrapper one, jx compliance delete in testing and reproducing this. The reason I didn't run delete in between in the example above is to show that the first run errors out saying it can't create the service account, while the second run complains of the service account already existing. Anyway, this fatal error has been present since the first attempted run.

I'm not very familiar with the jx tool - just trying it out to spin up JenkinsX. I'll continue poking around, and will report back if I find anything useful. Thank you for your help so far either way!

@timothysc
Contributor

@liztio - didn't you do the gke verification last cycle?

liztio self-assigned this Jul 24, 2018
liztio added the lifecycle/active label (Actively being worked on) Jul 24, 2018
@johnSchnake
Contributor

Seems that @liztio merged the PR that this was waiting for. Going to go ahead and close and if I'm misunderstanding feel free to reopen @smaslennikov.

@slavaaaaaaaaaa
Author

@johnSchnake thank you!

timh unassigned liztio Sep 30, 2019