
permission forbidden in read_namespaced_pod_status #993

Closed
dogewzy opened this issue Oct 24, 2019 · 7 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug.), lifecycle/stale (Denotes an issue or PR has remained open with no activity and has become stale.)

Comments

@dogewzy

dogewzy commented Oct 24, 2019

What happened (please include outputs or screenshots):
I use the kubernetes python client and I can get all pod info with the list_namespaced_pod method, which means the config I use for my client is right and has permission to the namespace. But I can't get a single pod status with the method 'read_namespaced_pod_status'; it tells me that I don't have the permission.

here's my traceback:

```
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/unittest/case.py", line 59, in testPartExecutor
    yield
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/unittest/case.py", line 615, in run
    testMethod()
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/unittest/mock.py", line 1204, in patched
    return func(*args, **keywargs)
  File "/Users/wzy/PycharmProjects/pony/tests/test_k8s_handler.py", line 84, in test_create
    raise e
  File "/Users/wzy/PycharmProjects/pony/tests/test_k8s_handler.py", line 81, in test_create
    status, reason = k8s_handler.getinfo()
  File "/Users/wzy/PycharmProjects/pony/ETLPlatform/main/task_metrics.py", line 275, in wrapped
    raise e
  File "/Users/wzy/PycharmProjects/pony/ETLPlatform/main/task_metrics.py", line 266, in wrapped
    ret = f(*args, **kwargs)
  File "<decorator-gen-11>", line 2, in getinfo
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/prometheus_client/context_managers.py", line 66, in wrapped
    return func(*args, **kwargs)
  File "/Users/wzy/PycharmProjects/pony/ETLPlatform/main/executors/spark_on_k8s_handler.py", line 35, in wrapped
    raise ExecutorClientError(str(e))
ETLPlatform.main.exceptions.ExecutorClientError: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Thu, 24 Oct 2019 07:59:13 GMT', 'Content-Length': '330'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"pony-job-gmji0i3o-gmji0i3owc\" is forbidden: User \"system:serviceaccount:spark-dev:spark\" cannot get pods/status in the namespace \"spark-dev\"","reason":"Forbidden","details":{"name":"pony-job-gmji0i3o-gmji0i3owc","kind":"pods"},"code":403}
```
What you expected to happen:
I should be able to get a pod's status with read_namespaced_pod_status.
How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

  • Kubernetes version (kubectl version): 1.10
  • OS (e.g., MacOS 10.13.6): MacOS
  • Python version (python --version): 3.7
  • Python client version (pip list | grep kubernetes): 1.10
@dogewzy dogewzy added the kind/bug Categorizes issue or PR as related to a bug. label Oct 24, 2019
@dogewzy
Author

dogewzy commented Oct 24, 2019

my code snippet:

```python
def getinfo(self):
    # listing works, so the client config has access to the namespace
    print([pod.metadata.name for pod in self.client.list_namespaced_pod(self.namespace).items])
    # this call fails with 403 Forbidden
    v1_pod, code, http_header = self.client.read_namespaced_pod_status_with_http_info(self.pod_name, self.namespace)
```

And the method in the print works, and I'm sure the pod is in the namespace.

@tomplus
Member

tomplus commented Oct 25, 2019

Reading the status of resources requires an additional RBAC role. In your case you probably don't have read permission to the pods/status resource.

@roycaihw
Member

/assign @fabianvf

@fabianvf
Contributor

If you just want to get the information from the status of the resource, using the read_namespaced_pod method should work fine, as the whole resource, including the status, is returned. When you use read_namespaced_pod_status, you're trying to access the status subresource directly, which would require you to have an additional RBAC permission for pods/status.

The only difference between the responses for read_namespaced_pod and read_namespaced_pod_status is the metadata.selfLink, which will end with /status for read_namespaced_pod_status.
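
As an added example (not code from this thread or from the kubernetes-client/python project), the following Python models the resource matching the API server's RBAC authorizer applies, which is why a rule on `pods` does not cover the `pods/status` subresource, and parses the Forbidden body quoted in the traceback above to show which rule is missing. The `Rule` class, the `POD_READER`/`POD_STATUS_READER` rule sets and the regex are constructed for the illustration; the message text is the one from the issue.

```python
import json
import re
from dataclasses import dataclass

# Constructed from the HTTP response body quoted in the reporter's traceback.
FORBIDDEN_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "status": "Failure",
    "message": ('pods "pony-job-gmji0i3o-gmji0i3owc" is forbidden: User '
                '"system:serviceaccount:spark-dev:spark" cannot get pods/status '
                'in the namespace "spark-dev"'),
    "reason": "Forbidden", "code": 403,
})

# Matches the 1.10-era message wording seen in this thread; newer servers word it differently.
_FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>\S+) '
    r'in the namespace "(?P<namespace>[^"]+)"')

def parse_forbidden(body: str) -> dict:
    """Pull the subject, verb, RBAC resource and namespace out of a 403 Status body."""
    msg = json.loads(body)["message"]
    m = _FORBIDDEN_RE.search(msg)
    if not m:
        raise ValueError(f"unrecognised Forbidden message: {msg}")
    return m.groupdict()

@dataclass
class Rule:
    verbs: list
    resources: list  # like PolicyRule.resources, e.g. ["pods"] or ["pods/status"]

def resource_matches(rule_resources, requested: str) -> bool:
    """RBAC resource matching as the API server does it: "*", an exact match of
    the combined "resource/subresource" string, or a "*/subresource" wildcard.
    A bare "pods" therefore never matches "pods/status"."""
    sub = requested.split("/", 1)[1] if "/" in requested else ""
    return any(r == "*" or r == requested or (sub and r == f"*/{sub}")
               for r in rule_resources)

def allowed(rules, verb: str, resource: str) -> bool:
    return any(("*" in r.verbs or verb in r.verbs) and resource_matches(r.resources, resource)
               for r in rules)

# Constructed: what the reporter's service account evidently had (enough for list/read_namespaced_pod) ...
POD_READER = [Rule(["get", "list"], ["pods"])]
# ... plus the extra rule for the /status subresource that tomplus and fabianvf describe.
POD_STATUS_READER = POD_READER + [Rule(["get"], ["pods/status"])]
```

`allowed(POD_READER, "get", "pods/status")` is False while `allowed(POD_STATUS_READER, "get", "pods/status")` is True, which is the difference between the two client calls in this thread.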

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 27, 2020
@roycaihw
Member

/close

@k8s-ci-robot
Contributor

@roycaihw: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

benclifford pushed a commit to Parsl/parsl that referenced this issue Jun 14, 2024
…read_namespaced_pod(), which is functionally the same but requires fewer permissions. (#3487)

Switch the Kubernetes client call from read_namespaced_pod_status() to read_namespaced_pod(), which is functionally the same but requires fewer permissions

This change is based on the comment kubernetes-client/python#993 (comment). Similar to the reporter of that issue, I was seeing permission forbidden errors when making the read_namespaced_pod_status() call, and according to the discussion there, this can be fixed by using read_namespaced_pod() instead, which is almost exactly the same request/response (except the metadata.selfLink field, which is not used by the parsl code). It seems that the read_namespaced_pod_status() call requires an additional permission on "pods/status", while read_namespaced_pod() does not (I didn't check but I can only assume the latter is using permissions on the pod itself that other parts of the parsl code likely would require as well).

For Google Kubernetes Engine in particular, the predefined "Kubernetes Engine Developer" IAM role grants sufficient permissions for read_namespaced_pod() and everything else needed by parsl but not for read_namespaced_pod_status().