[BUG] Do we miss create for ClusterRole yurt-tunnel-server ? #498

Closed
adamzhoul opened this issue Sep 26, 2021 · 3 comments · Fixed by #500
Labels: kind/bug

@adamzhoul (Member)

What happened:

E0923 13:40:03.970458       1 certificate_manager.go:434] Failed while requesting a signed certificate from the master: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kube-system:yurt-tunnel-server" cannot create resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope

Anything else we need to know?:

```go
	// 2. create a certificate manager for the tunnel server and run the
	// csr approver for both yurttunnel-server and yurttunnel-agent
	serverCertMgr, err := certmanager.NewYurttunnelServerCertManager(cfg.Client, cfg.CertDNSNames, cfg.CertIPs, stopCh)
	if err != nil {
		return err
	}
	serverCertMgr.Start()
	go certmanager.NewCSRApprover(cfg.Client, cfg.SharedInformerFactory.Certificates().V1beta1().CertificateSigningRequests()).
		Run(constants.YurttunnelCSRApproverThreadiness, stopCh)
```

```go
	YurttunnelServerClusterRole = `
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: yurt-tunnel-server
rules:
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - get
  - list
  - watch
- apiGroups:
```

/kind bug

@adamzhoul added the kind/bug label Sep 26, 2021

@rambohe-ch (Member)

@adamzhoul You are right. We need to add the create right for the yurt-tunnel-server clusterrole.

BTW: we carelessly deleted the create right in this commit: 86d19ca

@rambohe-ch (Member)

@adamzhoul Would you like to make a pull request to add create right for yurt-tunnel-server?

@adamzhoul (Member, Author)

sure
