Failed to run exporter on OpenShift 4.x #255
Comments
Strange that this came back
@hrytsai this worked fine in 0.3.7?
Nope, the same problem
Very strange I cannot seem to replicate this error.
The issue results from the
When either command As getting unused ClusterRoles requires access to all namespaces, the following error raised:
This issue was fixed in #258, with the following function correction:
@yonahd as this fix was merged to main, let's bump v0.3.9, it should resolve the issue mentioned in this case.
@doronkg the all function should not be called in the above case. This is using the --resources flag which triggers multi
Let's split it into two cases:
1) The Without the flag, not only the error message will still be displayed, the pod will enter a
Example A - All
$ oc get pods -n kor
NAME READY STATUS RESTARTS AGE
kor-exporter-85d5d69cc6-vwbz5 0/1 CrashLoopBackOff 5 (64s ago) 4m30s
$ oc logs kor-exporter-85d5d69cc6-vwbz5 -n kor
Server listening on :8080
collecting unused resources
Failed to retrieve namespaces: namespaces is forbidden: User "system:serviceaccount:kor:test" cannot list resource "namespaces" in API group "" at the cluster scope
$ oc get pod kor-exporter-85d5d69cc6-vwbz5 -n kor -o yaml
apiVersion: v1
kind: Pod
metadata:
  name: kor-exporter-85d5d69cc6-vwbz5
  namespace: kor
spec:
  containers:
  - args:
    - exporter
    command:
    - kor
    image: yonahdissen/kor:latest
    imagePullPolicy: Always
    name: kor-exporter-container
...
Example B - Resources by Namespace
$ oc get pods -n kor
NAME READY STATUS RESTARTS AGE
kor-exporter-6b9fdc9f4f-svdgb 1/1 Running 0 28s
$ oc logs kor-6b9fdc9f4f-svdgb -n kor
Server listening on :8080
collecting unused resources
$ oc get pod kor-exporter-6b9fdc9f4f-svdgb -n kor -o yaml
apiVersion: v1
kind: Pod
metadata:
  name: kor-exporter-6b9fdc9f4f-svdgb
  namespace: kor
spec:
  containers:
  - args:
    - exporter
    - --resources
    - pvc,secret
    - -n
    - kor
    command:
    - kor
    image: yonahdissen/kor:latest
    imagePullPolicy: Always
    name: kor-exporter-container
...
2) In v0.3.8, as said, this error message shouldn't be displayed (see comment) if the flag is used, but if the used ServiceAccount doesn't have
NOTE: That depends on whether the ClusterRoleBinding from the Helm chart was applied (allows to get/list/watch all namespaces by default) or rather the used ServiceAccount is bound with custom RBAC.
$ oc logs kor-exporter-56d6696cf7-zqdn6 -n kor
Server listening on :8080
collecting unused resources
namespace [kor-test-namespace] not found
That behavior results from
@hrytsai if you encounter case (1), make sure to upgrade to v0.3.8 and have the pod restarted.
$ oc auth can-i get ns/kor-test-namespace --as=system:serviceaccount:kor-test-namespace:dev-kor
Warning: resource 'namespaces' is not namespace scoped
no
This could be easily resolved by manually granting the following permissions to the ServiceAccount (if not using the Helm chart), with designated ClusterRole & ClusterRoleBinding:
Once you've made the change, run the following command that should display:
$ oc auth can-i get ns/kor-test-namespace --as=system:serviceaccount:kor-test-namespace:dev-kor
Warning: resource 'namespaces' is not namespace scoped
yes
Restart the pod, and validate that the warning no longer displays. Please let me know how it went.
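A least-privilege way to grant the namespace lookup that the `oc auth can-i get ns/kor-test-namespace` check above tests, as an added example (not the manifest from the comment, which is missing from this page, and not the project's Helm chart). The object names `kor-namespace-reader` and `kor-namespace-reader-dev-kor` are placeholders, and it assumes the exporter only needs `get` on the namespaces passed with `-n`.

```yaml
# Added example. ServiceAccount and namespace names are taken from the
# commands on this page; the ClusterRole/ClusterRoleBinding names are
# placeholders chosen for illustration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kor-namespace-reader
rules:
  - apiGroups: [""]            # core API group, where Namespace lives
    resources: ["namespaces"]
    verbs: ["get"]             # assumption: only "get" is needed with -n
    # Restrict the rule to the one namespace being scanned. A rule with
    # resourceNames does not authorize an unrestricted cluster-wide "list",
    # so the ServiceAccount still cannot enumerate other namespaces.
    resourceNames: ["kor-test-namespace"]
---
# Namespace is a cluster-scoped resource, so the grant has to be a
# ClusterRoleBinding; a namespaced RoleBinding cannot authorize it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kor-namespace-reader-dev-kor
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kor-namespace-reader
subjects:
  - kind: ServiceAccount
    name: dev-kor
    namespace: kor-test-namespace
```

With this applied, the `oc auth can-i get ns/kor-test-namespace` check for the ServiceAccount should answer `yes`, while `oc auth can-i list namespaces` for the same identity should still answer `no`.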
Hi
I'm glad we've got to the bottom of this. We'll look into an OpenShift Project-compatible solution and update you. If you have additional feedback regarding
Describe the bug
When running kor in a cluster with the exporter flag
kor -exporter --resources secret,configmap,pvc -n kor-test-namespace
We got an error:
Failed to retrieve namespaces: namespaces is forbidden: User "system:serviceaccount:kor-test-namespace:dev-kor" cannot list resource "namespaces" in API group "" at the cluster scope
We faced a similar issue when running kor v0.3.5 without the exporter flag, see
#213
To Reproduce
Run kor in cluster with options:
-exporter --resources secret,configmap,pvc -n <namespace_name>
Expected behavior
The namespace will be scanned and the result provided without needing access to the list of namespaces, getting only unused resources in the provided namespace
OS version, architecture and kor version
OpenShift 4.12
Kor version: 0.3.8
Additional context
For example:
kubectl get ns will return
Error from server (Forbidden): namespaces is forbidden: User "kor-test-user" cannot list resource "namespaces" in API group "" at the cluster scope
but when you run:
kubectl get project
you will get result:
NAME DISPLAY NAME STATUS
...
kor-test-namespace
...
This issue also might be connected to:
#218