-
Notifications
You must be signed in to change notification settings - Fork 344
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to start jx compliance reports #501
Comments
@smaslennikov - did you follow these instructions for gke - https://github.com/heptio/sonobuoy/blob/master/README.md#run-on-google-cloud-platform-gcp ? |
@timothysc Yes, the result is the same: $ kubectl create clusterrolebinding sonobuoy-serviceaccount --clusterrole=cluster-admin --user=my@email
clusterrolebinding.rbac.authorization.k8s.io/sonobuoy-serviceaccount created
$ jx compliance run
INFO[0001] created object name=heptio-sonobuoy namespace= resource=namespaces
INFO[0001] created object name=sonobuoy-serviceaccount namespace=heptio-sonobuoy resource=serviceaccounts
INFO[0001] object already exists name=sonobuoy-serviceaccount-heptio-sonobuoy namespace= resource=clusterrolebindings
error: failed to start the compliance tests: failed to create object: failed to create API resource sonobuoy-serviceaccount: clusterroles.rbac.authorization.k8s.io "sonobuoy-serviceaccount" is forbidden: attempt to grant extra privileges: [PolicyRule{APIGroups:["*"], Resources:["*"], Verbs:["*"]}] user=&{client [system:authenticated] map[]} ownerrules=[PolicyRule{APIGroups:["authorization.k8s.io"], Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/openapi" "/openapi/*" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version" "/version/"], Verbs:["get"]}] ruleResolutionErrors=[] Is the |
@fabioy - You run on gke all the time, ever seen this ^ |
@smaslennikov After looking at your initial report it looks like you have stale resources left over. You need to run |
@timothysc I'm aware of the I'm not very familiar with the |
@liztio - last didn't you do the gke verification last cycle? |
Seems that @liztio merged the PR that this was waiting for. Going to go ahead and close and if I'm misunderstanding feel free to reopen @smaslennikov. |
@johnSchnake thank you! |
What steps did you take and what happened:
jx compliance run
$ jx compliance run INFO[0001] object already exists name=heptio-sonobuoy namespace= resource=namespaces error: failed to start the compliance tests: failed to create object: failed to create API resource sonobuoy-serviceaccount: serviceaccounts "sonobuoy-serviceaccount" already exists
What did you expect to happen:
Expect no errors to be shown and the compliance tests to run.
Anything else you would like to add:
This is not a vanilla, new GKE cluster - other things are present there already.
Environment:
jx
version1.3.112
, unknown includedsonobuoy
version.kubectl version
):/etc/os-release
): N/AThe text was updated successfully, but these errors were encountered: