Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix calico rbac issue #9806

Merged
merged 1 commit into from
Feb 20, 2023
Merged

fix calico rbac issue #9806

merged 1 commit into from
Feb 20, 2023

Conversation

JaneLiuL
Copy link
Member

@JaneLiuL JaneLiuL commented Feb 20, 2023
edited
Loading

/kind bug
when i install kubernetes with calico cni, and specific calico version in inventory/mycluster/group_vas/k8s-cluster.yml, and specifiy calico version with calico_version: v3.24.5.
the calico pods will fail, logs as below

tunnel-ip-allocator/ipam.go 1847: Error creating IPAM config error=connection is unauthorized:
ipamconfigs.crd.projectcalico.org is forbidden: User "system:serviceaccount:kube-system:calico-node" cannot create resource "ipamconfigs" in API group "crd.projectcalico.org" at the cluster scope

so i just modify the rbac, and grant the permission as this pr, and install again, it works

for latest calico release tag please check here: https://github.com/projectcalico/calico/blob/v3.25.0/charts/calico/templates/calico-node-rbac.yaml#L160

it still need create permission

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 20, 2023
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Feb 20, 2023
@JaneLiuL
Copy link
Member Author

/retest

yankay
yankay requested changes Feb 20, 2023
View reviewed changes
roles/network_plugin/calico/templates/calico-cr.yml.j2 Outdated
- list
- create
- update
- delete
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @JaneLiuL

From the https://github.com/projectcalico/calico/blob/master/charts/calico/templates/calico-node-rbac.yaml#L160
The List, Update, Delete is not needed.

Should it better to be removed ?

Copy link
Member Author

@JaneLiuL JaneLiuL Feb 20, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hi, that depends on calico version, when i install kubespray with kubernetes 1.24.10 with calico version 3.24.5. we still need it.
and we should both support lower version.
I still suggest that we should keep it.

And both when i upgrade kubernets from 1.24.0 to 1.25 via kubespray, we still need that.

what do you think so?

and what you provide the link is not release yet, it is in master branch.
for latest calico release tag please check here: https://github.com/projectcalico/calico/blob/v3.25.0/charts/calico/templates/calico-node-rbac.yaml#L160

it still need create permission
@yankay

floryut
floryut approved these changes Feb 20, 2023
View reviewed changes
Copy link
Member

@floryut floryut left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JaneLiuL Thank you for the PR 👍
Looks good to me based on explanation

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 20, 2023
@yankay
Copy link
Member

yankay commented Feb 20, 2023

@JaneLiuL Thanks
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 20, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floryut, JaneLiuL, yankay

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 4aacec4 into kubernetes-sigs:master Feb 20, 2023
HoKim98 pushed a commit to ulagbulag/kubespray that referenced this pull request Mar 8, 2023
@JaneLiuL @HoKim98
fix calico rbac issue (kubernetes-sigs#9806)
d2dd906
HoKim98 pushed a commit to ulagbulag/kubespray that referenced this pull request Mar 8, 2023
@JaneLiuL @HoKim98
fix calico rbac issue (kubernetes-sigs#9806)
f410ea5
nolimitkun pushed a commit to nolimitkun/kubespray that referenced this pull request Mar 19, 2023
@JaneLiuL @nolimitkun
fix calico rbac issue (kubernetes-sigs#9806)
207eb66
@yankay yankay mentioned this pull request May 15, 2023
Closed
pedro-peter pushed a commit to pedro-peter/kubespray that referenced this pull request May 8, 2024
@JaneLiuL @pedromcpedro
fix calico rbac issue (kubernetes-sigs#9806)
3281db2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@floryut floryut floryut approved these changes

@yankay yankay yankay approved these changes

@holmsten holmsten Awaiting requested review from holmsten

@oomichi oomichi Awaiting requested review from oomichi

Assignees

@yankay yankay

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@JaneLiuL @yankay @k8s-ci-robot @floryut