
Insufficient description in the doc regarding RBAC configuration #2581

Closed
huikang opened this issue Apr 3, 2020 · 8 comments · Fixed by #3369

@huikang
Member

huikang commented Apr 3, 2020

I am following the get-started tutorial to install the argo workflow 2.7.
The only change I made to the install yaml is to add containerRuntimeExecutor: kubelet in the ConfigMap.

Then I ran the following command, following the instructions:

```shell
kubectl create rolebinding default-admin --clusterrole=admin --serviceaccount=default:default
```

However, after I submit a job, the following error appears:

```shell
argo submit --watch https://raw.githubusercontent.com/argoproj/argo/master/examples/hello-world.yaml
```

```
failed to save outputs: unexpected non 200 status code: 403, body: Forbidden (user=system:serviceaccount:default:default, verb=get, resource=nodes, subresource=proxy)
```

Could anyone help to look at this issue? Thanks.

@huikang
Member Author

huikang commented Apr 3, 2020

My understanding is that I need to assign the proper permissions to access the resources nodes and nodes/proxy. Could anyone offer some help on how to set this up for argo? Thanks.

@simster7
Member

simster7 commented Apr 3, 2020

Correct, you need to add permissions to access them by binding them to a service account (either default:default or another one you create). You can use this as an example of how to do so: https://github.com/argoproj/argo/blob/master/docs/workflow-rbac.md

You should add a new resource, nodes, and the proper verbs.

Hint: I use this a lot when checking if I was successful in binding new permissions correctly: https://stackoverflow.com/questions/54889458/kubernetes-check-serviceaccount-permissions

@alexec alexec added the docs label Apr 3, 2020
@huikang
Member Author

huikang commented Apr 4, 2020

Hi @simster7, I applied the following Role YAML file:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workflow-role
rules:
# pod get/watch is used to identify the container IDs of the current pod
# pod patch is used to annotate the step's outputs back to controller (e.g. artifact location)
- apiGroups:
  - ""
  resources:
  - pods
  - nodes/proxy
  verbs:
  - get
  - watch
  - patch
# logs get/watch are used to get the pods logs for script outputs, and for log archival
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
  - watch
```

However, I am still getting the same error, and it seems the service account still does not have permission to get nodes/proxy:

```shell
kubectl auth can-i get nodes/proxy --as=system:serviceaccount:default:default -n default
Warning: resource 'nodes' is not namespace scoped
no
```

Did I miss any step? Thanks.

@huikang
Member Author

huikang commented Apr 4, 2020

Even when I did a role binding as follows:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workflow-role
rules:
# pod get/watch is used to identify the container IDs of the current pod
# pod patch is used to annotate the step's outputs back to controller (e.g. artifact location)
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - patch
# logs get/watch are used to get the pods logs for script outputs, and for log archival
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  - nodes/proxy
  verbs:
  - get
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-workflow-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workflow-role
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
```

```shell
kubectl auth can-i get nodes/proxy --as=system:serviceaccount:default:default -n default
Warning: resource 'nodes' is not namespace scoped
yes
```

The submitted job still returns an error:

```shell
argo submit --watch https://raw.githubusercontent.com/argoproj/argo/master/examples/hello-world.yaml
```

```
failed to save outputs: unexpected non 200 status code: 403, body: Forbidden (user=system:serviceaccount:default:default, verb=get, resource=nodes, subresource=proxy)
```

@lippertmarkus
Member

lippertmarkus commented Apr 22, 2020

Resource nodes/proxy is non-namespaced (a cluster-wide resource), so instead of a Role and a RoleBinding you need to create a ClusterRole and a ClusterRoleBinding.

For testing you can use

```shell
kubectl create clusterrolebinding default-admin --clusterrole=admin --serviceaccount=default:default
```

but it should also work when you change the kind of your manifests above to ClusterRole / ClusterRoleBinding accordingly.

This is only necessary when using the kubelet executor and should be updated in the docs.

@h4wkmoon

h4wkmoon commented Jun 26, 2020

Hi,

> For testing you can use

And for non-testing purposes, what should we do?

Edit: I realised I haven't been very polite. Sorry.
Job scheduling is something we need on Kubernetes, and OpenShift. Thanks.

@lippertmarkus
Member

@h4wkmoon I use the following ClusterRole:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argo-executor
rules:
# pod get/watch is used to identify the container IDs of the current pod
# pod patch is used to annotate the step's outputs back to controller (e.g. artifact location)
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - patch
# logs get/watch are used to get the pods logs for script outputs, and for log archival
- apiGroups:
  - ""
  resources:
  - pods/log
  - nodes/proxy
  verbs:
  - get
  - watch
```
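The scoping rule lippertmarkus describes two comments up (a Role/RoleBinding cannot grant the cluster-scoped nodes/proxy; a ClusterRole plus ClusterRoleBinding can) and the ClusterRole he posts above can be checked offline with a small model of how the Kubernetes RBAC authorizer scopes bindings. The Python below is an added example written for this thread; it is not Argo's or Kubernetes' code. It encodes the thread's manifests as dicts and answers can-i questions for the three variants that come up here: the original namespaced Role, a RoleBinding that references a ClusterRole, and a split fix that keeps pod access in a namespaced Role and puts only nodes/proxy in a separate ClusterRole. The names `argo-executor-nodes-proxy` and the assumption that manifests without a namespace land in `default` (as with `kubectl apply` and no `-n`) are mine, not from the Argo docs.

```python
"""Simplified model of Kubernetes RBAC scoping (added example, not Argo/Kubernetes code).

A RoleBinding, whether it references a Role or a ClusterRole, only grants
access to namespaced objects in its own namespace, so it can never grant a
cluster-scoped resource such as nodes/proxy. Only a ClusterRole bound through
a ClusterRoleBinding can.
"""

# Assumption: the subset of core cluster-scoped resources relevant here.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes"}


def is_cluster_scoped(resource):
    # A subresource such as nodes/proxy has the scope of its parent, nodes.
    return resource.split("/", 1)[0] in CLUSTER_SCOPED


def rule_allows(rule, verb, resource, api_group=""):
    return (("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or verb in rule["verbs"]))


def ns_of(obj, default_ns="default"):
    # Assumption: objects applied without a namespace end up in "default".
    return obj["metadata"].get("namespace", default_ns)


def can_i(objects, sa, verb, resource, namespace=None):
    """Does ServiceAccount sa ("namespace:name") have verb on resource?
    namespace is the target object's namespace; leave it None for a
    cluster-scoped request such as nodes/proxy."""
    sa_ns, sa_name = sa.split(":", 1)
    roles = {}
    for o in objects:
        if o["kind"] == "Role":
            roles[("Role", ns_of(o), o["metadata"]["name"])] = o
        elif o["kind"] == "ClusterRole":
            roles[("ClusterRole", None, o["metadata"]["name"])] = o
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_ns for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        if b["kind"] == "RoleBinding":
            # Namespaced grant: never covers cluster-scoped resources, and only
            # covers objects inside the binding's own namespace.
            if is_cluster_scoped(resource) or namespace != ns_of(b):
                continue
            key = (ref["kind"], ns_of(b) if ref["kind"] == "Role" else None, ref["name"])
        else:
            if ref["kind"] != "ClusterRole":
                continue  # a ClusterRoleBinding may only reference a ClusterRole
            key = ("ClusterRole", None, ref["name"])
        role = roles.get(key)
        if role and any(rule_allows(r, verb, resource) for r in role["rules"]):
            return True
    return False


def role(kind, name, rules):
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind,
            "metadata": {"name": name}, "rules": rules}


def binding(kind, name, role_kind, role_name, sa):
    sa_ns, sa_name = sa.split(":", 1)
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind,
            "metadata": {"name": name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": role_kind, "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_ns}]}


# Rules copied from the thread's manifests.
POD_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "patch"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "watch"]},
]
NODE_PROXY_RULE = {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get", "watch"]}
SA = "default:default"

# What the thread tried first: one namespaced Role carrying nodes/proxy.
NAMESPACED_ONLY = [
    role("Role", "workflow-role", POD_RULES + [NODE_PROXY_RULE]),
    binding("RoleBinding", "argo-workflow-binding", "Role", "workflow-role", SA),
]

# A RoleBinding that references a ClusterRole is still namespaced.
ROLEBINDING_TO_CLUSTERROLE = [
    role("ClusterRole", "argo-executor-nodes-proxy", [NODE_PROXY_RULE]),
    binding("RoleBinding", "argo-workflow-binding", "ClusterRole", "argo-executor-nodes-proxy", SA),
]

# Least-privilege fix (assumed names): pods stay in the namespaced Role, and
# only nodes/proxy goes into a ClusterRole bound with a ClusterRoleBinding.
SPLIT_FIX = [
    role("Role", "workflow-role", POD_RULES),
    binding("RoleBinding", "argo-workflow-binding", "Role", "workflow-role", SA),
    role("ClusterRole", "argo-executor-nodes-proxy", [NODE_PROXY_RULE]),
    binding("ClusterRoleBinding", "argo-executor-nodes-proxy",
            "ClusterRole", "argo-executor-nodes-proxy", SA),
]

if __name__ == "__main__":
    for label, objs in [("Role + RoleBinding", NAMESPACED_ONLY),
                        ("RoleBinding -> ClusterRole", ROLEBINDING_TO_CLUSTERROLE),
                        ("ClusterRole + ClusterRoleBinding", SPLIT_FIX)]:
        answer = "yes" if can_i(objs, SA, "get", "nodes/proxy") else "no"
        print(f"{label:34} can-i get nodes/proxy: {answer}")
```

Splitting the grant this way keeps the cluster-wide part down to get/watch on nodes/proxy for one service account, instead of giving the executor's service account `admin` everywhere. On a real cluster the same questions are answered by `kubectl auth can-i get nodes/proxy --as=system:serviceaccount:default:default`, as earlier in the thread; note that the built-in `admin` ClusterRole is meant for namespaced resources and carries no rule for nodes, so binding it with a ClusterRoleBinding does not grant nodes/proxy either.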

@gasgithub

gasgithub commented Mar 11, 2021

This doesn't work even after defining:

```shell
kubectl create clusterrolebinding default-admin --clusterrole=admin --serviceaccount=argo:default
```

I'm still getting:

```shell
oc auth can-i get nodes/proxy --as=system:serviceaccount:argo:default
Warning: resource 'nodes' is not namespace scoped
no
```

and an error like:

```
STEP                  TEMPLATE  PODNAME            DURATION  MESSAGE
 ⚠ hello-world-qfcvk  whalesay  hello-world-qfcvk  7s        failed to save outputs: unexpected non 200 status code: 403, body: Forbidden (user=system:serviceaccount:argo:default, verb=get, resource=nodes, subresource=proxy)
```

Anything missing? Could you please give any hints?

Is there any way to force step pods to run on a non-default account? I'm able to configure the argo service account to have the correct permissions, but not the default one...

```shell
oc auth can-i get nodes/proxy --as=system:serviceaccount:argo:argo
Warning: resource 'nodes' is not namespace scoped
yes
```

Well, although I changed workflow.spec.serviceAccountName=argo, it didn't help, as the error still appears:

```
STEP                  TEMPLATE  PODNAME            DURATION  MESSAGE
 ⚠ hello-world-m45vg  whalesay  hello-world-m45vg  8s        failed to save outputs: unexpected non 200 status code: 403, body: Forbidden (user=system:serviceaccount:argo:argo, verb=get, resource=nodes, subresource=proxy)
```

So unfortunately there is still something missing...
