Service account permission Forbidden, whereabouts v0.5.1
Josha96 opened this issue · comments
Currently Receiving error:
FailedCreatePodSandBox 22 secs ago Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "2b0c7f000272920859c55c69b6bd086a6042ddd9cbfe414e2e5e2d0c3fb9e083" network for pod "lnlab1-sas-8458dffdb6-25jhp": networkPlugin cni failed to set up pod "lnlab1-sas-8458dffdb6-25jhp_sas" network: [sas/lnlab1-sas-8458dffdb6-25jhp:ipvlan-606-sas]: error adding container to network "ipvlan-606-sas": Error at storage engine: k8s get OverlappingRangeIPReservation error: overlappingrangeipreservations.whereabouts.cni.cncf.io "10.116.185.170" is **forbidden: User "system:serviceaccount:kube-system:lnlab1-whereabouts"** **cannot get resource "overlappingrangeipreservations" in API group "whereabouts.cni.cncf.io" in the namespace "kube-system"**
Current Cluster Role Settings:
ClusterRole: lnlab1-whereabouts
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2022-06-02T00:00:17Z"
  labels:
    argocd.argoproj.io/instance: lnlab1-whereabouts
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:argocd.argoproj.io/instance: {}
    manager: argocd-application-controller
    operation: Update
    time: "2022-06-02T00:00:17Z"
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: agent
    operation: Update
    time: "2022-06-02T00:09:20Z"
  name: lnlab1-whereabouts
  resourceVersion: "14134947"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/lnlab1-whereabouts
  uid: 69607f8f-f673-4f0f-afa4-8a999acf18fc
rules:
- apiGroups:
  - whereabouts.cni.cncf.io
  resources:
  - ippools
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
- apiGroups:
  - whereabouts.cni.cncf.io
  resources:
  - overlappingrangeipreservation
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
```
Current Cluster Role Bindings:
ClusterRole Binding: lnlab1-whereabouts
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2022-06-02T00:00:18Z"
  labels:
    argocd.argoproj.io/instance: lnlab1-whereabouts
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:argocd.argoproj.io/instance: {}
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: argocd-application-controller
    operation: Update
    time: "2022-06-02T00:00:18Z"
  name: lnlab1-whereabouts
  resourceVersion: "14129715"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/lnlab1-whereabouts
  uid: 33472da4-a80f-4338-919c-6b76f98d0c1f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: lnlab1-whereabouts
subjects:
- kind: ServiceAccount
  name: lnlab1-whereabouts
  namespace: kube-system
```
More Details:
Currently upgrading from whereabouts v0.4 to 0.5.1
Running Multus CNI v3.8
I have attempted upgrading whereabouts from its previous v.0.4 -> 0.5.1
I have attempted completely uninstalling all Whereabouts and Multus related resources and reinstalling.
Please let me know if there are any more details that would be helpful for troubleshooting.
You must also re-provision the updated daemonset CRD.
Make sure to apply all the manifests in the CRD folder.
Please open another issue if you manage to reproduce this after attempting with the updated manifests.
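
An added example (not part of the issue thread or the whereabouts project's code): a minimal re-implementation of RBAC's exact-string rule matching, run over the rules from the ClusterRole posted above and the request named in the `forbidden` message. The function names are hypothetical, and the sketch honours only the bare `*` wildcard, not `resourceNames` or subresources.

```python
# Added example: simplified Kubernetes RBAC rule matching for resource requests.
import difflib

# Rules transcribed from the ClusterRole posted in the issue.
RULES = [
    {"apiGroups": ["whereabouts.cni.cncf.io"], "resources": ["ippools"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]},
    {"apiGroups": ["whereabouts.cni.cncf.io"],
     "resources": ["overlappingrangeipreservation"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
]


def _covers(granted, wanted):
    # RBAC compares strings exactly; this sketch honours only the bare "*".
    return "*" in granted or wanted in granted


def allowed(rules, group, resource, verb):
    """True if any single rule grants the (group, resource, verb) request."""
    return any(_covers(r["apiGroups"], group)
               and _covers(r["resources"], resource)
               and _covers(r["verbs"], verb) for r in rules)


def near_misses(rules, group, resource):
    """Resources granted in the same API group whose names are close to the
    requested one, as happens with a singular/plural or typo mismatch."""
    granted = {res for r in rules if _covers(r["apiGroups"], group)
               for res in r["resources"]}
    return difflib.get_close_matches(resource, sorted(granted), n=3, cutoff=0.8)


if __name__ == "__main__":
    # Request taken from the "forbidden" message in the issue.
    req = ("whereabouts.cni.cncf.io", "overlappingrangeipreservations", "get")
    print("allowed:", allowed(RULES, *req))
    print("near misses:", near_misses(RULES, req[0], req[1]))
```

Against a live cluster, the same question can be put to the API server with `kubectl auth can-i get overlappingrangeipreservations.whereabouts.cni.cncf.io -n kube-system --as=system:serviceaccount:kube-system:lnlab1-whereabouts`.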