jx: gcpreviews jobs fail

Summary

GCPreview cronjobs are failing as the service account does not have sufficient access.

Steps to reproduce the behavior

  1. Create a PR
  2. Wait for GC to run.
  3. Cron job fails

Expected behavior

PR env is deleted

Actual behavior

Cron job fails and PR env is never deleted. Logs:

Deleting helm release: preview
Removing Kubernetes resources from release preview using selector: jenkins.io/chart-release=preview from all pvc configmap release sa role rolebinding secret
Removing Kubernetes resources from release preview using selector: jenkins.io/chart-release=preview,jenkins.io/namespace=jx from clusterrole clusterrolebinding
error: failed to delete preview environment org-app-pr-32: [failed to run 'kubectl delete all --ignore-not-found -l jenkins.io/chart-release=preview --namespace jx --wait' command in directory '', output: 'Error from server (Forbidden): replicationcontrollers is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "replicationcontrollers" in API group "" in the namespace "jx"
Error from server (Forbidden): services is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "services" in API group "" in the namespace "jx"
Error from server (Forbidden): daemonsets.apps is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "daemonsets" in API group "apps" in the namespace "jx"
Error from server (Forbidden): deployments.apps is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "deployments" in API group "apps" in the namespace "jx"
Error from server (Forbidden): replicasets.apps is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "replicasets" in API group "apps" in the namespace "jx"
Error from server (Forbidden): statefulsets.apps is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "statefulsets" in API group "apps" in the namespace "jx"
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "jx"
Error from server (Forbidden): jobs.batch is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "jobs" in API group "batch" in the namespace "jx"
Error from server (Forbidden): cronjobs.batch is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "cronjobs" in API group "batch" in the namespace "jx"
Error from server (Forbidden): plugins.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "plugins" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): extensions.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "extensions" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): buildpacks.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "buildpacks" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): commitstatuses.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "commitstatuses" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): facts.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "facts" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): pipelinestructures.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "pipelinestructures" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): environmentrolebindings.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "environmentrolebindings" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): workflows.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "workflows" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): apps.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "apps" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): pipelineactivities.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "pipelineactivities" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): gitservices.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "gitservices" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): releases.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "releases" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): sourcerepositories.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "sourcerepositories" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): teams.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "teams" in API group "jenkins.io" in the namespace "jx"
Error from server (Forbidden): users.jenkins.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "users" in API group "jenkins.io" in the namespace "jx"', failed to run 'kubectl delete clusterrole --ignore-not-found -l jenkins.io/chart-release=preview,jenkins.io/namespace=jx --wait' command in directory '', output: 'Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope']

Jx version

The output of jx version is:

NAME               VERSION
jx                 1.3.1041
jenkins x platform 0.0.3673
Kubernetes cluster v1.12.5-gke.5
kubectl            v1.14.0
helm client        Client: v2.13.1+g618447c
git                git version 2.20.1 (Apple Git-117)
Operating System   Mac OS X 10.14.3 build 18D109

Jenkins type

  • Classic Jenkins
  • Serverless Jenkins

Kubernetes cluster

GKE. Manually

Operating system / Environment

Mac

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 4
  • Comments: 37 (7 by maintainers)

Most upvoted comments

I can confirm that this is still a problem on a fresh cluster. I am able to replicate both the problem of the insufficient permissions (which can be resolved by adding them as detailed above) and the problem of Vault not being found if it was installed with a TLS ingress.

We have a PR for the former, but not for the latter.
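
The Forbidden lines in the log above name exactly which API group, resource, verb and scope the `jenkins-x-gcpreviews` service account lacks, so the missing grant can be derived from the log itself rather than by binding a broad role. The following is an added example, not code from the issue or from Jenkins X: it parses denials in that format into RBAC rules grouped by namespace or cluster scope. The sample log is constructed, and `CLUSTER`, `missing_rules` and `extra_verbs` are hypothetical names; passing `delete` is an assumption, since the log only shows `list` being denied.

```python
import re
from collections import defaultdict

# Constructed sample: four denials in the shape of the kubectl output quoted in the issue.
SAMPLE_LOG = '''\
Error from server (Forbidden): services is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "services" in API group "" in the namespace "jx"
Error from server (Forbidden): deployments.apps is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "deployments" in API group "apps" in the namespace "jx"
Error from server (Forbidden): statefulsets.apps is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "statefulsets" in API group "apps" in the namespace "jx"
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:jx:jenkins-x-gcpreviews" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
'''

DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)

CLUSTER = "(cluster)"  # hypothetical key for cluster-scoped denials (ClusterRole)


def missing_rules(log_text, extra_verbs=()):
    """Map (user, scope) -> RBAC rules covering every denial found in log_text.

    extra_verbs is an assumption hook: the log shows only the verb that was
    denied, so the caller adds verbs the command needs afterwards.
    """
    verbs = defaultdict(set)  # (user, scope, group, resource) -> verbs
    for m in DENIAL.finditer(log_text):
        scope = m["namespace"] or CLUSTER
        verbs[(m["user"], scope, m["group"], m["resource"])] |= {m["verb"], *extra_verbs}

    # Merge resources that share an API group and verb set into one rule.
    merged = defaultdict(set)  # (user, scope, group, verbs) -> resources
    for (user, scope, group, resource), vs in verbs.items():
        merged[(user, scope, group, frozenset(vs))].add(resource)

    rules = defaultdict(list)
    for (user, scope, group, vs), resources in sorted(
            merged.items(), key=lambda kv: (kv[0][:3], sorted(kv[0][3]))):
        rules[(user, scope)].append(
            {"apiGroups": [group], "resources": sorted(resources), "verbs": sorted(vs)})
    return dict(rules)


if __name__ == "__main__":
    for (user, scope), rule_list in missing_rules(SAMPLE_LOG, ("delete",)).items():
        print(user, scope, rule_list)
```

Rules keyed by a namespace belong in a Role bound in that namespace; rules under `CLUSTER` need a ClusterRole.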