spinnaker: Unknown user error occurred with kubernetes RBAC.

Issue Summary:

When I deployed a Deployment manifest via the Kubernetes cloud provider v2 and then scaled replicas from the UI, the following error occurred.

Failed to scale deployment/xxxxxxxxxx from xxx: Error from server (Forbidden): 
deployments.extensions "xxxxxxxxxx" is forbidden: User 
"system:serviceaccount:spinnaker:spinnaker-service-account" cannot get 
deployments.extensions/scale in the namespace "xxxxxx": Unknown user 
"system:serviceaccount:spinnaker:spinnaker-service-account"

Cloud Provider(s):

kubernetes v2

Environment:

Spinnaker: v1.9.0

GKE master: 1.10.6-gke.1 nodepool: 1.10.6-gke.1

Steps to Reproduce:

  1. Create a GKE cluster with RBAC enabled.
  2. Create a service account (described here)
  3. Create a pipeline that deploys manifest
  4. Execute pipeline and create Deployment
  5. Select ServerGroupManagerAction for Deployment and click on Scale
  6. Increment number of replicas, then submit

Additional Details:

We can scale replicas by using kubectl, but not from Spinnaker UI.

Update:

I tried to deploy a manifest of ConfigMaps, but the same error occurred. I don’t know if it’s relevant to this issue, but here is the manifest that I failed to deploy.

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: foo
  namespace: dev
  labels:
    app: test
data:
  TEST: "yes"

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: bar
  namespace: dev
  labels:
    app: test
data:
  TEST: "no"

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 16 (5 by maintainers)

Most upvoted comments

@lwander, @katsew

Instead of me editing this issue the whole time I will create a new post. I managed to get the scale feature working. This is what I changed.

I added this to my RBAC service account, which originally was configured according to these docs

- apiGroups: ["extensions"]
  resources: ["deployments/scale"]
  verbs: ["*"] # This could and probably should be restricted a little, I was just testing my theory.

I am not 100% sure that that’s the correct way to fix it, it’s working for me though. One thing I do want to comment on though is I think this section is a little incomplete, here is why.

I’m very new to Spinnaker, so forgive me if some of my assumptions are incorrect. This document suggests that Spinnaker might update/create ConfigMaps; however, the RBAC has these permissions, which would not allow that to happen.

- apiGroups: [""]
  resources: ["namespaces", "configmaps", "events", "replicationcontrollers", "serviceaccounts", "pods/logs"]
  verbs: ["get", "list"]

Should I create a new issue around updating the docs in the RBAC section, or is my understanding of how artifacts, deployment manifests should work wrong? Specifically the area around updating ConfigMaps to say, toggle a feature flag.

Thanks Colin
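
The rule matching behind both observations in the comment above, as an added example that is not part of the original thread and is not Spinnaker's or Kubernetes' code: a small evaluator showing that a grant on `deployments` does not cover `deployments/scale`, and that `get`/`list` on `configmaps` does not permit updates. The `deployments` rule and the narrower `TIGHT_SCALE` verb list are assumptions made for illustration; `DOCS_RULES` reuses the rule quoted in the comment.

```python
# Added example: evaluates RBAC PolicyRules against a requested action.
# All rule sets are constructed sample data. The "deployments" rule and the
# TIGHT_SCALE verbs are assumptions, not taken from the Spinnaker docs.

def _resource_matches(rule_resources, resource, subresource=""):
    """Subresources are not implied by the parent resource: they must be
    granted as 'resource/sub', '*/sub' or '*'."""
    full = f"{resource}/{subresource}" if subresource else resource
    for r in rule_resources:
        if r in ("*", full):
            return True
        if subresource and r == f"*/{subresource}":
            return True
    return False

def _in(allowed, value):
    return "*" in allowed or value in allowed

def is_allowed(rules, verb, api_group, resource, subresource=""):
    """True if any single rule grants verb + apiGroup + resource together."""
    return any(
        _in(r["verbs"], verb)
        and _in(r["apiGroups"], api_group)
        and _resource_matches(r["resources"], resource, subresource)
        for r in rules
    )

DOCS_RULES = [
    {"apiGroups": [""], "verbs": ["get", "list"],
     "resources": ["namespaces", "configmaps", "events",
                   "replicationcontrollers", "serviceaccounts", "pods/logs"]},
    # Assumed rule: full access to deployments, but not to their subresources.
    {"apiGroups": ["extensions"], "verbs": ["*"], "resources": ["deployments"]},
]
WILDCARD_SCALE = {"apiGroups": ["extensions"], "verbs": ["*"],
                  "resources": ["deployments/scale"]}
# Assumed narrower verb set for scaling; confirm against your own workflow.
TIGHT_SCALE = dict(WILDCARD_SCALE, verbs=["get", "update", "patch"])

def report(rules):
    checks = [("get", "extensions", "deployments", "scale"),
              ("update", "extensions", "deployments", "scale"),
              ("delete", "extensions", "deployments", "scale"),
              ("get", "", "configmaps", ""),
              ("update", "", "configmaps", "")]
    return {c: is_allowed(rules, *c) for c in checks}

if __name__ == "__main__":
    for name, extra in [("docs", []), ("wildcard", [WILDCARD_SCALE]), ("tight", [TIGHT_SCALE])]:
        print(name, report(DOCS_RULES + extra))
```

On a live cluster, `kubectl auth can-i` with `--as=system:serviceaccount:spinnaker:spinnaker-service-account` and `--subresource=scale` answers the same question against the real bindings.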