permission forbidden in read_namespaced_pod_status #993
Comments
my code snippet:
Reading the status of resources requires an additional RBAC role. In your case you probably don't have read permission on the pods/status resource.
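The point in the comment above is that pods/status is a separate subresource with its own RBAC rule, and the apiserver's 403 body names the exact identity, verb and resource that were denied. As an added example (not code from the kubernetes client, from this issue's author, or from the maintainers), the following Python parses that Forbidden message, emits a least-privilege Role and RoleBinding (a ClusterRole pair when the denial was at cluster scope) granting only the denied verb on the denied resource, and prints the matching kubectl auth can-i check. The sample body is constructed from the traceback in this issue; the function names and the role name pod-status-reader are this example's own.

```python
import json
import re

# Constructed sample 403 body, copied in shape from the traceback in this issue
# (names are the issue's own: namespace spark-dev, service account spark).
SAMPLE_403_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": 'pods "pony-job-gmji0i3o-gmji0i3owc" is forbidden: User '
               '"system:serviceaccount:spark-dev:spark" cannot get pods/status '
               'in the namespace "spark-dev"',
    "reason": "Forbidden",
    "details": {"name": "pony-job-gmji0i3o-gmji0i3owc", "kind": "pods"},
    "code": 403,
})

# Matches the 1.10-era wording seen in the issue ('cannot get pods/status in the
# namespace "x"') and the newer wording ('cannot get resource "pods/status" in
# API group "" in the namespace "x"' or '... at the cluster scope').
_FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) '
    r'(?:resource )?"?(?P<resource>[^" ]+)"?'
    r'(?: in API group "(?P<group>[^"]*)")?'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)


def missing_permission(body):
    """Return {'user','verb','resource','group','namespace'} parsed from a 403
    Status body (JSON str or dict), or None if it is not an RBAC denial."""
    status = json.loads(body) if isinstance(body, str) else body
    if status.get("code") != 403:
        return None
    m = _FORBIDDEN_RE.search(status.get("message", ""))
    if not m:
        return None
    perm = m.groupdict()
    perm["group"] = perm["group"] or ""  # the core API group is spelled ""
    return perm


def _subject(user):
    """RBAC subject for the denied identity: ServiceAccount or User."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return {"kind": "ServiceAccount", "name": parts[3], "namespace": parts[2]}
    return {"kind": "User", "name": user, "apiGroup": "rbac.authorization.k8s.io"}


def rbac_manifests(perm, role_name):
    """Least-privilege (Cluster)Role + binding granting exactly the denied verb
    on the denied resource/subresource. Returns the two manifests as dicts."""
    namespaced = perm["namespace"] is not None
    role_kind = "Role" if namespaced else "ClusterRole"
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": role_kind,
        "metadata": {"name": role_name},
        "rules": [{"apiGroups": [perm["group"]],
                   "resources": [perm["resource"]],
                   "verbs": [perm["verb"]]}],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": role_kind + "Binding",
        "metadata": {"name": role_name},
        "subjects": [_subject(perm["user"])],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": role_kind, "name": role_name},
    }
    if namespaced:
        role["metadata"]["namespace"] = perm["namespace"]
        binding["metadata"]["namespace"] = perm["namespace"]
    return role, binding


def can_i_command(perm):
    """kubectl command reproducing the denied check as that identity; it prints
    'no' before the binding is applied and 'yes' afterwards."""
    cmd = ["kubectl", "auth", "can-i", perm["verb"], perm["resource"],
           "--as", perm["user"]]
    if perm["namespace"] is not None:
        cmd += ["--namespace", perm["namespace"]]
    return " ".join(cmd)


if __name__ == "__main__":
    perm = missing_permission(SAMPLE_403_BODY)
    for doc in rbac_manifests(perm, "pod-status-reader"):
        print(json.dumps(doc, indent=2))
    print(can_i_command(perm))
```

The generated rule grants get on pods/status only, which is narrower than binding the service account to a broad role; run the printed can-i command as the service account before and after kubectl apply to confirm that exactly this gap was closed.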
/assign @fabianvf
If you just want to get the information from the status of the resource, using the The only difference between the responses for
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@roycaihw: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
…read_namespaced_pod(), which is functionally the same but requires fewer permissions. (#3487)

Switch the Kubernetes client call from read_namespaced_pod_status() to read_namespaced_pod(), which is functionally the same but requires fewer permissions. This change is based on the comment kubernetes-client/python#993 (comment). Like the reporter of that issue, I was seeing a forbidden-permission error when making the read_namespaced_pod_status() call, and according to the discussion there this can be fixed by using read_namespaced_pod() instead, which is almost exactly the same request/response (except for the metadata.selfLink field, which is not used by the parsl code). It seems that the read_namespaced_pod_status() call requires an additional permission on "pods/status", while read_namespaced_pod() does not (I didn't check, but I can only assume the latter uses permissions on the pod itself that other parts of the parsl code likely would require as well). For Google Kubernetes Engine in particular, the predefined "Kubernetes Engine Developer" IAM role grants sufficient permissions for read_namespaced_pod() and everything else needed by parsl, but not for read_namespaced_pod_status().
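The commit referenced above resolves the 403 on the client side, by reading the pod rather than its status subresource, instead of adding an RBAC rule. As an added example, not parsl's code and not the kubernetes client's, here is a Python helper that tries the pods/status subresource first and falls back to the plain pod GET only when that call is denied with a 403, so an identity holding get on pods but not on pods/status still obtains pod.status. pod_phase works against the real kubernetes.client.CoreV1Api, whose read_namespaced_pod_status and read_namespaced_pod methods take (name, namespace); FakeCoreV1Api is a constructed stand-in that models those two RBAC rules so the example runs offline, and the ApiException stand-in class is an assumption used only when the library is not installed.

```python
import types

try:
    from kubernetes.client.rest import ApiException  # the real client's exception type
except ImportError:  # assumption: minimal stand-in so the example runs without the library
    class ApiException(Exception):
        def __init__(self, status=None, reason=None, http_resp=None):
            super().__init__("(%s) Reason: %s" % (status, reason))
            self.status, self.reason = status, reason


def pod_phase(api, name, namespace):
    """Return pod.status.phase. Prefer the pods/status subresource; if that is
    denied with 403, re-read the pod itself, which needs only 'get pods' and
    carries the same status block. Any other error, and a 403 on the fallback
    (a real RBAC gap), is re-raised rather than swallowed."""
    try:
        pod = api.read_namespaced_pod_status(name, namespace)
    except ApiException as e:
        if e.status != 403:
            raise
        pod = api.read_namespaced_pod(name, namespace)
    return pod.status.phase


class FakeCoreV1Api:
    """Constructed stand-in for kubernetes.client.CoreV1Api. `allowed` is the set of
    (verb, resource) pairs the caller's identity holds; `pods` maps
    (namespace, name) to a phase. Every call is recorded in `calls`."""

    def __init__(self, allowed, pods):
        self.allowed = set(allowed)
        self.pods = dict(pods)
        self.calls = []

    def _get(self, resource, name, namespace):
        self.calls.append(("get", resource))
        if ("get", resource) not in self.allowed:
            # Same status/reason the issue's traceback shows for pods/status.
            raise ApiException(status=403, reason="Forbidden")
        phase = self.pods.get((namespace, name))
        if phase is None:
            raise ApiException(status=404, reason="Not Found")
        return types.SimpleNamespace(status=types.SimpleNamespace(phase=phase))

    def read_namespaced_pod_status(self, name, namespace, **kwargs):
        return self._get("pods/status", name, namespace)

    def read_namespaced_pod(self, name, namespace, **kwargs):
        return self._get("pods", name, namespace)


if __name__ == "__main__":
    # Identity modelled on the issue: can get pods, cannot get pods/status.
    pods = {("spark-dev", "pony-job-gmji0i3o-gmji0i3owc"): "Running"}
    api = FakeCoreV1Api({("get", "pods")}, pods)
    print(pod_phase(api, "pony-job-gmji0i3o-gmji0i3owc", "spark-dev"), api.calls)
```

The fallback keeps the application working under the narrower grant, but it also hides the missing rule; if the code genuinely needs the subresource (for instance to write status), the fix belongs in the Role, not here.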
What happened (please include outputs or screenshots):
I use the kubernetes python client and I can get all pod info with the list_namespaced_pod method, which means the config I use for my client is right and has permission to the namespace. But I can't get a single pod's status with the method 'read_namespaced_pod_status'; it tells me that I don't have the permission.
here's my traceback:
```
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/unittest/case.py", line 59, in testPartExecutor
    yield
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/unittest/case.py", line 615, in run
    testMethod()
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/unittest/mock.py", line 1204, in patched
    return func(*args, **keywargs)
  File "/Users/wzy/PycharmProjects/pony/tests/test_k8s_handler.py", line 84, in test_create
    raise e
  File "/Users/wzy/PycharmProjects/pony/tests/test_k8s_handler.py", line 81, in test_create
    status, reason = k8s_handler.getinfo()
  File "/Users/wzy/PycharmProjects/pony/ETLPlatform/main/task_metrics.py", line 275, in wrapped
    raise e
  File "/Users/wzy/PycharmProjects/pony/ETLPlatform/main/task_metrics.py", line 266, in wrapped
    ret = f(*args, **kwargs)
  File "<decorator-gen-11>", line 2, in getinfo
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/prometheus_client/context_managers.py", line 66, in wrapped
    return func(*args, **kwargs)
  File "/Users/wzy/PycharmProjects/pony/ETLPlatform/main/executors/spark_on_k8s_handler.py", line 35, in wrapped
    raise ExecutorClientError(str(e))
ETLPlatform.main.exceptions.ExecutorClientError: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Thu, 24 Oct 2019 07:59:13 GMT', 'Content-Length': '330'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"pony-job-gmji0i3o-gmji0i3owc\" is forbidden: User \"system:serviceaccount:spark-dev:spark\" cannot get pods/status in the namespace \"spark-dev\"","reason":"Forbidden","details":{"name":"pony-job-gmji0i3o-gmji0i3owc","kind":"pods"},"code":403}
```
What you expected to happen:
I should be able to get a pod's status with read_namespaced_pod_status.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
- kubectl version: 1.10
- python --version: 3.7
- pip list | grep kubernetes: 1.10