-
Notifications
You must be signed in to change notification settings - Fork 96
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Forbidden!Configured service account doesn't have access. Service account may have been revoked.. #114
Comments
Attempt
ResultSame error |
It seems that the error occurs during jenkins attempt to create a slave pod.
what's the output of `oc oadm policy who-can create pod` ?
…On Mon, Feb 13, 2017 at 5:48 PM, magick93 ***@***.***> wrote:
Attempt
oadm policy add-role-to-user view system:serviceaccount:default:jenkins
Result
Same error
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#114 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAYiWLYcszjYosDjhiLoCBpGupcLzD09ks5rcHs_gaJpZM4L_Uzh>
.
--
*Ioannis Canellos*
*Blog: http://iocanel.blogspot.com <http://iocanel.blogspot.com/>*
*Twitter: iocanel*
|
It's also worth checking if it's this issue https://issues.jenkins-ci.org/browse/JENKINS-41388 TD;DR check the jenkins configuration page and make sure the kubernetes plugin namespace field has the value that matches the namespace jenkins is running in. |
|
Ok well that rules my theory out then - back to @iocanel line of thought |
More infoThe error is:
The lines How do I remove this? |
It's incorrect, but it doesn't seem to cause any issues.
…On Mon, Feb 13, 2017 at 6:12 PM, magick93 ***@***.***> wrote:
More info
The error is:
Feb 13, 2017 3:59:19 PM org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave _terminate
SEVERE: Failed to terminate pod for slave kubernetes-b2102a9dbce645bab1bd6838a748e2a1-198b7ea6eb33b
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: DELETE at: https://kubernetes.default/api/v1/namespaces/default/pods/kubernetes-b2102a9dbce645bab1bd6838a748e2a1-198b7ea6eb33b. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked..
# oadm policy who-can delete pod
Namespace: default
Verb: delete
Resource: pods
Users: admin
developer
system:admin
system:serviceaccount:default:configmapcontroller
system:serviceaccount:default:exposecontroller
system:serviceaccount:default:fabric8
system:serviceaccount:default:jenkins
system:serviceaccount:jenkins:default
system:serviceaccount:jenkins:jenkins
system:serviceaccount:openshift-infra:build-controller
system:serviceaccount:openshift-infra:daemonset-controller
system:serviceaccount:openshift-infra:deploymentconfig-controller
system:serviceaccount:openshift-infra:gc-controller
system:serviceaccount:openshift-infra:job-controller
system:serviceaccount:openshift-infra:namespace-controller
system:serviceaccount:openshift-infra:pet-set-controller
system:serviceaccount:openshift-infra:pv-binder-controller
system:serviceaccount:openshift-infra:pv-recycler-controller
system:serviceaccount:openshift-infra:replicaset-controller
system:serviceaccount:openshift-infra:replication-controller
system:serviceaccount:test-docker-push:configmapcontroller
system:serviceaccount:test-docker-push:exposecontroller
system:serviceaccount:test-docker-push:fabric8
system:serviceaccount:test-docker-push:jenkins
system:serviceaccount:test1:configmapcontroller
system:serviceaccount:test1:exposecontroller
system:serviceaccount:test1:fabric8
system:serviceaccount:test1:jenkins
system:serviceaccount:test:configmapcontroller
system:serviceaccount:test:exposecontroller
system:serviceaccount:test:fabric8
system:serviceaccount:test:jenkins
Groups: system:cluster-admins
system:masters
system:nodes
The line system:serviceaccount:jenkins:default look incorrect. Agree?
How do I remove this?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#114 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAYiWMwHXkcdNfx-q5GJpeh6dp-PMLyrks5rcIDxgaJpZM4L_Uzh>
.
--
*Ioannis Canellos*
*Blog: http://iocanel.blogspot.com <http://iocanel.blogspot.com/>*
*Twitter: iocanel*
|
You could try and bounce the jenkins master pod and see if a new secret is mounted for the service account? |
Yes, tried that. No joy. |
Just tried restarting the node, and a minor change, now the error is:
|
any luck with this? |
Hey, we're seeing the same issue.
|
Actually found the root cause of our issue: Solution:
|
@moortimis , how to find the limit-name and quota-name? could you please share the command thanks. |
When trying to run a Jenkins job we are now getting:
Its very likely that this is a result of a change we have made. But we have documented most, if not all changes, and reviewed the Jenkins scc, and cannot see anything obvious.
Jenkins SCC
The text was updated successfully, but these errors were encountered: