
cert-manager: Fix incorrect leader election namespace lead to insufficient permission #8433

Conversation

rtsp
Member

@rtsp rtsp commented Jan 15, 2022

What type of PR is this?

/kind bug

What this PR does / why we need it:

My last PR #8424 fixes the GKE Autopilot problem but not the original problem reported in #8393 (at least it didn't break anything).

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: {{ cert_manager_namespace }}
```

Referring to the official cert-manager manifest, the leader election namespace is kube-system, not cert-manager, so the metadata.namespace here (and in 3 other places) should be cert_manager_leader_election_namespace (which I introduced in #8424) instead of cert_manager_namespace.

This PR changes the namespace configuration in cert-manager.yml.j2 to match the upstream cert-manager manifests, which use kube-system by default, and allows overriding it with the cert_manager_leader_election_namespace variable.

Which issue(s) this PR fixes:

Fixes #8393

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Fix incorrect leader election namespace with cert-manager leading to insufficient permission
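The failure mode this PR describes is an RBAC scoping mismatch: the ServiceAccount lives in the cert-manager namespace, but the lock it needs is taken in the leader election namespace, so the Role and RoleBinding must be rendered there, not where the ServiceAccount lives. The following is an added example, not kubespray's or cert-manager's code: it models the Role/RoleBinding pair as inline dicts (constructed from the resource names quoted in this PR and in the error message later in the thread; the exact rule contents are an assumption based on the upstream layout the description refers to) and evaluates a `get configmaps` request the way the API server's RBAC authorizer does for namespaced bindings, so the "before" and "after" renderings can be compared offline.

```python
"""RBAC scope check for the cert-manager leader election namespace mismatch.

Added example, not kubespray's or cert-manager's code. Manifests are built
inline from the names quoted in this PR; ClusterRoles are not modelled,
only namespaced Role/RoleBinding evaluation.
"""


def leader_election_manifests(cert_manager_namespace, role_namespace):
    """Render the cainjector leader election Role and RoleBinding.

    Before the fix the template rendered both objects in cert_manager_namespace;
    after it they follow cert_manager_leader_election_namespace (kube-system by
    default), which is where cert-manager actually takes the lock.
    """
    role_name = "cert-manager-cainjector:leaderelection"
    return [
        {
            "kind": "Role",
            "metadata": {"name": role_name, "namespace": role_namespace},
            # Assumed rule set: the minimum a leader lock needs (constructed).
            "rules": [
                {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "create", "update"]},
                {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["get", "create", "update"]},
            ],
        },
        {
            "kind": "RoleBinding",
            "metadata": {"name": role_name, "namespace": role_namespace},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role_name},
            # The ServiceAccount stays in the cert-manager namespace; only the
            # Role and its binding move to the leader election namespace.
            "subjects": [{"kind": "ServiceAccount", "name": "cert-manager-cainjector",
                          "namespace": cert_manager_namespace}],
        },
    ]


def _rule_matches(rule, verb, api_group, resource):
    """A rule grants the request only if group, resource and verb all match (or are '*')."""
    def hit(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def can_i(manifests, user, verb, api_group, resource, namespace):
    """Answer 'kubectl auth can-i VERB RESOURCE -n NAMESPACE --as USER' for a
    ServiceAccount user (system:serviceaccount:<ns>:<name>) against in-memory
    objects. A RoleBinding only grants inside its own namespace and can only
    reference a Role in that same namespace, which is exactly the constraint
    the buggy template violated."""
    prefix = "system:serviceaccount:"
    if not user.startswith(prefix):
        raise ValueError("only ServiceAccount users are modelled")
    sa_namespace, sa_name = user[len(prefix):].split(":", 1)
    roles = {(m["metadata"]["namespace"], m["metadata"]["name"]): m
             for m in manifests if m["kind"] == "Role"}
    for m in manifests:
        if m["kind"] != "RoleBinding" or m["metadata"]["namespace"] != namespace:
            continue
        bound = any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                    and s.get("namespace") == sa_namespace for s in m["subjects"])
        if not bound or m["roleRef"]["kind"] != "Role":
            continue
        role = roles.get((namespace, m["roleRef"]["name"]))
        if role and any(_rule_matches(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False


def forbidden_message(user, verb, api_group, resource, name, namespace):
    """The API server's wording for a denied request, as quoted in the thread."""
    return (f'{resource} "{name}" is forbidden: User "{user}" cannot {verb} resource '
            f'"{resource}" in API group "{api_group}" in the namespace "{namespace}"')


def check_leader_election(cert_manager_namespace, role_namespace, lock_namespace):
    """Return (allowed, message): can cainjector read its lock ConfigMap in lock_namespace?"""
    user = f"system:serviceaccount:{cert_manager_namespace}:cert-manager-cainjector"
    manifests = leader_election_manifests(cert_manager_namespace, role_namespace)
    if can_i(manifests, user, "get", "", "configmaps", lock_namespace):
        return True, "ok"
    return False, forbidden_message(user, "get", "", "configmaps",
                                    "cert-manager-cainjector-leader-election", lock_namespace)


if __name__ == "__main__":
    # Before the fix: Role rendered in cert-manager while the lock is taken in kube-system.
    print(check_leader_election("cert-manager", "cert-manager", "kube-system"))
    # After the fix: Role rendered in the leader election namespace.
    print(check_leader_election("cert-manager", "kube-system", "kube-system"))
```

The third argument is where cert-manager actually takes the lock; the second is where the template rendered the Role. They only agree once both come from the same variable, which is the whole content of this fix, and the same check also shows that overriding cert_manager_leader_election_namespace to cert-manager remains consistent as long as the lock follows it.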

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 15, 2022
@k8s-ci-robot
Contributor

Hi @rtsp. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 15, 2022
@rtsp rtsp marked this pull request as ready for review January 15, 2022 08:53
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 15, 2022
@cristicalin
Contributor

Thanks @rtsp for following up on this!

/ok-to-test
/lgtm

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 15, 2022
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 15, 2022
Member

@floryut floryut left a comment


@rtsp 👍

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floryut, rtsp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 17, 2022
@k8s-ci-robot k8s-ci-robot merged commit e791089 into kubernetes-sigs:master Jan 17, 2022
@red55

red55 commented Feb 18, 2022

Hi everyone, @rtsp
Tried on clean k8s, still getting errors:

[leaderelection.go:325] error retrieving resource lock kube-system/cert-manager-cainjector-leader-election: configmaps "cert-manager-cainjector-leader-election" is forbidden: User "system:serviceaccount:cert-manager:cert-manager-cainjector" cannot get resource "configmaps" in API group "" in the namespace "kube-system"

I guess there are some permissions missing

diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
index 036f55cd..6f5827af 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -106,6 +106,12 @@ rules:
   - apiGroups: ["auditregistration.k8s.io"]
     resources: ["auditsinks"]
     verbs: ["get", "list", "watch", "update"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "update"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["create", "get", "update"]
 ---
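Review bot: the context around this hunk (`rules:` at line 106 with `auditregistration.k8s.io`/`auditsinks`, a cluster-scoped resource) suggests these rules are being added to a cluster-scoped role, so the grant would be configmap and lease `create`/`get`/`update` across every namespace, well beyond what the quoted error asks for (one ConfigMap in `kube-system`). The least-privilege fix is the one this PR takes: keep those verbs in the namespaced `cert-manager-cainjector:leaderelection` Role and its RoleBinding, rendered in `cert_manager_leader_election_namespace`. If the error persists on the merged template, that points to the Role or RoleBinding not landing in the lock's namespace; `kubectl auth can-i get configmaps -n kube-system --as system:serviceaccount:cert-manager:cert-manager-cainjector` on the affected cluster would confirm which object is missing before widening any rule.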

@rtsp
Member Author

rtsp commented Feb 18, 2022

@red55 Which kubespray branch or commit are you using?

Try updating to the latest commit; if the problem still occurs, please open a new issue and provide as much information as possible. Feel free to mention me or this PR from that new issue.

@red55

red55 commented Feb 18, 2022

@rtsp hi,
I'm on this one: cc45e36

commit cc45e365ae9e45bfd7e3d56120a5743c8e870822 (HEAD -> master, origin/master, origin/HEAD)
Author: Kenichi Omichi <[email protected]>
Date:   Thu Feb 17 13:57:03 2022 -0800

    Fix print_hostnames of inventory.py (#8554)
    
    When trying to run print_hostnames of inventory.py, it outputs the following
    error:
    
     $ CONFIG_FILE=./test-hosts.yaml python3 ./inventory.py print_hostnames
     Traceback (most recent call last):
       File "./inventory.py", line 472, in <module>
         sys.exit(main())
       File "./inventory.py", line 467, in main
         KubesprayInventory(argv, CONFIG_FILE)
       File "./inventory.py", line 92, in __init__
         self.parse_command(changed_hosts[0], changed_hosts[1:])
       File "./inventory.py", line 415, in parse_command
         self.print_hostnames()
       File "./inventory.py", line 455, in print_hostnames

@rtsp
Member Author

rtsp commented Feb 18, 2022

@red55 I didn't test the latest commit yet, but it seems to be in sync with the upstream cert-manager manifest.

I'm not sure which system you're running. Maybe you don't have permission on the kube-system namespace on your system? You could try changing cert_manager_leader_election_namespace (in your inventory group_vars) to cert-manager instead of kube-system (the default).

Anyway, please open a bug report and provide more information here: https://github.com/kubernetes-sigs/kubespray/issues/new?assignees=&labels=kind%2Fbug&template=bug-report.md Thanks

rtsp added a commit to rtsp/kubespray that referenced this pull request Apr 4, 2022
…fixes from master

- cert-manager: Fix incorrect leader election namespace lead to insufficient permission (kubernetes-sigs#8433)
- cert-manager: Allow to change leader election namespace for GKE Autopilot support (kubernetes-sigs#8424)
rtsp added a commit to rtsp/kubespray that referenced this pull request Apr 4, 2022
…fixes from master

cherry-picked from
* ccd3180 cert-manager: Fix incorrect leader election namespace lead to insufficient permission (kubernetes-sigs#8433)
* e791089 cert-manager: Allow to change leader election namespace for GKE Autopilot support (kubernetes-sigs#8424)
k8s-ci-robot pushed a commit that referenced this pull request Apr 4, 2022
…fixes from master (#8681)

cherry-picked from
* ccd3180 cert-manager: Fix incorrect leader election namespace lead to insufficient permission (#8433)
* e791089 cert-manager: Allow to change leader election namespace for GKE Autopilot support (#8424)
@rtsp rtsp deleted the develop/8393-cert-manager-gke-autopilot branch April 12, 2022 13:33
sakuraiyuta pushed a commit to sakuraiyuta/kubespray that referenced this pull request Apr 16, 2022
@oomichi oomichi mentioned this pull request May 28, 2022
LuckySB pushed a commit to southbridgeio/kubespray that referenced this pull request Jun 29, 2023
LuckySB pushed a commit to southbridgeio/kubespray that referenced this pull request Oct 20, 2023
Successfully merging this pull request may close these issues.

cert-manager fails to work correctly due to insufficient permissions on v2.18.0
5 participants