Consul sync catalog ClusterRole error "endpoints ${serviceName}" is forbidden #4238

Open
gaeulautumn opened this issue Aug 9, 2024 · 0 comments
Labels
type/bug Something isn't working

Comments

@gaeulautumn

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

After this work, consul catalog sync is not working.

Reproduction Steps

consul-k8s helm chart v1.4.0

  1. When running helm install with the following values.yml:
consul:
  global:
    image: {consul:1.18.0}
    imageK8S: {consul-k8s-control-plane:1.4.0}
    imageConsulDataplane: {consul-dataplane:1.4.0}
    imagePullSecrets:
      - name: {secret}
    datacenter: {datacenter}
    logLevel: "debug"
    gossipEncryption:
      secretName: consul.gossip.encrypt
      secretKey: encrypt

...

  syncCatalog:
    enabled: true
    default: false
    toK8S: false
    addK8SNamespaceSuffix: false
    aclSyncToken:
      secretName: consul.acl.token
      secretKey: sync
    ingress:
      enabled: true
  connectInject:
    enabled: false

Logs

[WARN]  to-consul/source: error loading initial endpoints: key={namespace/serviceId} err="endpoints \"{serviceId}\" is forbidden: User \"system:serviceaccount:consul:{name}\" cannot get resource \"endpoints\" in API group \"\" in the namespace \"{namespace}\""

(I replaced domain-specific words with variables)

Expected behavior

Services in k8s should be registered to consul but weren't.

Environment details

Additional Context

I was using consul-k8s helm chart v1.4.0 and consul catalog sync worked fine.
But when I tried to deploy consul catalog sync using consul-k8s helm chart v1.5.1, it failed.

So I added a ClusterRole like the one below, and then it worked.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  namespace: consul
  name: {name}
rules:
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
      - list
      - watch
      - update
      - patch
      - delete
      - create

But it should work without a custom-defined ClusterRole.

And I found this works which might be the cause.

Did I miss something or is this a bug?

@gaeulautumn gaeulautumn added the type/bug Something isn't working label Aug 9, 2024
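
Added example, not part of the original issue or of the consul-k8s project: a Python script that parses RBAC denials in the shape of the warning quoted under Logs and groups them per service account into rules containing only the verbs that were actually denied. The sample log lines, the service account name `sync-catalog` and the namespaces are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the warning quoted in the issue
# (service account, namespaces and service names are made up).
SAMPLE_LOG = r'''
[WARN]  to-consul/source: error loading initial endpoints: key=shop/cart err="endpoints \"cart\" is forbidden: User \"system:serviceaccount:consul:sync-catalog\" cannot get resource \"endpoints\" in API group \"\" in the namespace \"shop\""
[WARN]  to-consul/source: error loading initial endpoints: key=pay/api err="endpoints \"api\" is forbidden: User \"system:serviceaccount:consul:sync-catalog\" cannot get resource \"endpoints\" in API group \"\" in the namespace \"pay\""
[INFO]  to-consul/source: starting runner for endpoints
'''

# Kubernetes RBAC denial text; quotes may be backslash-escaped inside err="...".
DENIAL = re.compile(
    r'User \\?"system:serviceaccount:(?P<sa_ns>[^:"\\]+):(?P<sa>[^"\\]+)\\?" '
    r'cannot (?P<verb>\w+) resource \\?"(?P<resource>[^"\\]+)\\?" '
    r'in API group \\?"(?P<group>[^"\\]*)\\?"'
    r'(?: in the namespace \\?"(?P<ns>[^"\\]+)\\?")?'
)

def missing_permissions(log_text):
    """Map (sa namespace, sa name) -> {(apiGroup, resource): verbs and namespaces denied}."""
    found = defaultdict(lambda: defaultdict(lambda: {"verbs": set(), "namespaces": set()}))
    for m in DENIAL.finditer(log_text):
        entry = found[(m["sa_ns"], m["sa"])][(m["group"], m["resource"])]
        entry["verbs"].add(m["verb"])
        if m["ns"]:  # absent for cluster-scoped denials
            entry["namespaces"].add(m["ns"])
    return found

def rules_for(perms):
    """RBAC rules covering only the denied verbs, in the shape of a ClusterRole 'rules' list."""
    return [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(e["verbs"])}
        for (group, resource), e in sorted(perms.items())
    ]

if __name__ == "__main__":
    for (sa_ns, sa), perms in missing_permissions(SAMPLE_LOG).items():
        print(f"serviceaccount {sa_ns}/{sa}")
        for rule in rules_for(perms):
            print("  rule:", rule)
```

The output lists only what the log shows as denied, so it can be compared against the ClusterRole the chart renders and against any hand-written workaround role.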