Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kapp deploy fails with when not allowed to list cluster pods #71

Closed
eLco opened this issue Feb 4, 2020 · 4 comments · Fixed by #97
Closed

kapp deploy fails with when not allowed to list cluster pods #71

eLco opened this issue Feb 4, 2020 · 4 comments · Fixed by #97
Labels
enhancement This issue is a feature request good first issue An issue that will be a good candidate for a new contributor

Comments

@eLco
Copy link
Contributor

eLco commented Feb 4, 2020

When running kapp deploy with namespace-scoped RBAC user, with flag --logs-all, getting error:

Pod watching error: pods is forbidden: User "deploy-manager" cannot list resource "pods" in API group "" at the cluster scope

Seems like the similar issue - #34
@cppforlife
Copy link
Contributor

@eLco will take a look how to better deal with that.

@cppforlife cppforlife added the enhancement This issue is a feature request label Feb 5, 2020
@cppforlife cppforlife added the good first issue An issue that will be a good candidate for a new contributor label Feb 12, 2020
@gretel
Copy link

gretel commented Feb 21, 2020
edited
Loading

i'm also getting this:

...
Namespace  Name              Kind  Conds.  Age  Op      Wait to    Rs  Ri
some-ca    some-job  Job   1/1 t   1m   update  reconcile  ok  Completed

Op:      0 create, 0 delete, 1 update, 0 noop
Wait to: 1 reconcile, 0 delete, 0 noop
Pod watching error: pods is forbidden: User "devop.zombie@enterprise.com" cannot list resource "pods" in API group "" at the cluster scope

12:20:24PM: ---- applying 1 changes [0/1 done] ----

@cppforlife
Copy link
Contributor

here is related piece of code: https://github.com/k14s/kapp/blob/918c7d3f80422031170a3521a9b9e95ff19e8f23/pkg/kapp/resources/identified_resources_pods.go#L32 that does cluster-scoped find. would probably have to add fallback to search within possible namespaces.

@gretel
Copy link

gretel commented Feb 26, 2020

@cppforlife ya, cluster-scope is forbidden, can only enumerate single namespace.

@jessehu jessehu mentioned this issue Apr 6, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement This issue is a feature request good first issue An issue that will be a good candidate for a new contributor
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[KAPP-71] Watch pods in specific namespace when needed jessehu/kapp
3 participants
@gretel @cppforlife @eLco