Missing permission: csi-provisioner cannot update resource "persistentvolumes" #231

Closed
darkowlzz opened this issue Feb 17, 2019 · 6 comments

Comments

@darkowlzz
Contributor

darkowlzz commented Feb 17, 2019

I was running the canary version of the provisioner with the hostpath driver and saw these in the logs:

I0217 14:13:45.598432       1 controller.go:1189] delete "pvc-881d9151-32bb-11e9-ba24-024270471d6d": started
I0217 14:13:45.650957       1 controller.go:1217] delete "pvc-881d9151-32bb-11e9-ba24-024270471d6d": volume deleted
I0217 14:13:45.670198       1 controller.go:1254] delete "pvc-881d9151-32bb-11e9-ba24-024270471d6d": failed to remove finalizer for persistentvolume: persistentvolumes "pvc-881d9151-32bb-11e9-ba24-024270471d6d" is forbidden: User "system:serviceaccount:default:csi-provisioner" cannot update resource "persistentvolumes" in API group "" at the cluster scope
W0217 14:13:45.670245       1 controller.go:793] Retrying syncing volume "pvc-881d9151-32bb-11e9-ba24-024270471d6d", failure 10
E0217 14:13:45.670305       1 controller.go:811] error syncing volume "pvc-881d9151-32bb-11e9-ba24-024270471d6d": persistentvolumes "pvc-881d9151-32bb-11e9-ba24-024270471d6d" is forbidden: User "system:serviceaccount:default:csi-provisioner" cannot update resource "persistentvolumes" in API group "" at the cluster scope

Got the RBAC rules from the CSI docs example page.

Adding "update" verb to persistentvolumes resource rule under the ClusterRole fixed it.

I0217 14:16:07.266861       1 controller.go:1189] delete "pvc-7b475573-32bc-11e9-ba24-024270471d6d": started
I0217 14:16:07.320841       1 controller.go:1217] delete "pvc-7b475573-32bc-11e9-ba24-024270471d6d": volume deleted
I0217 14:16:07.331645       1 controller.go:1261] delete "pvc-7b475573-32bc-11e9-ba24-024270471d6d": persistentvolume deleted
I0217 14:16:07.331667       1 controller.go:1263] delete "pvc-7b475573-32bc-11e9-ba24-024270471d6d": succeeded

I can create a PR adding the rule if this should be fixed.
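As an added example (not part of the original post and not code from the external-provisioner project), the Go sketch below extracts RBAC denials from sidecar logs like the ones above and prints the single rule each denial calls for, so that only the verb actually denied is granted. The names `Denial`, `ParseDenials` and `RuleYAML` are hypothetical, the sample input is two of the log lines quoted in this issue, and the namespaced branch of the pattern is an assumption that goes beyond the cluster-scope case shown here.

```go
package main

import (
	"fmt"
	"regexp"
)

// Denial is one RBAC rejection extracted from a log line.
type Denial struct{ User, Verb, Resource, APIGroup, Scope string }

// forbiddenRe matches the API server's "forbidden" text as it appears in the logs above;
// the namespaced alternative is an assumption added for generality.
var forbiddenRe = regexp.MustCompile(`is forbidden: User "([^"]+)" cannot (\S+) resource "([^"]+)" ` +
	`in API group "([^"]*)" (?:at the cluster scope|in the namespace "([^"]+)")`)

// sampleLog holds two lines copied from the issue: the failure and its retry error.
const sampleLog = `I0217 14:13:45.670198       1 controller.go:1254] delete "pvc-881d9151-32bb-11e9-ba24-024270471d6d": failed to remove finalizer for persistentvolume: persistentvolumes "pvc-881d9151-32bb-11e9-ba24-024270471d6d" is forbidden: User "system:serviceaccount:default:csi-provisioner" cannot update resource "persistentvolumes" in API group "" at the cluster scope
E0217 14:13:45.670305       1 controller.go:811] error syncing volume "pvc-881d9151-32bb-11e9-ba24-024270471d6d": persistentvolumes "pvc-881d9151-32bb-11e9-ba24-024270471d6d" is forbidden: User "system:serviceaccount:default:csi-provisioner" cannot update resource "persistentvolumes" in API group "" at the cluster scope`

// ParseDenials returns the distinct denials in logText; retries repeat the same message.
func ParseDenials(logText string) []Denial {
	seen := map[Denial]bool{}
	var out []Denial
	for _, m := range forbiddenRe.FindAllStringSubmatch(logText, -1) {
		d := Denial{User: m[1], Verb: m[2], Resource: m[3], APIGroup: m[4], Scope: "cluster"}
		if m[5] != "" {
			d.Scope = "namespace:" + m[5]
		}
		if !seen[d] {
			seen[d] = true
			out = append(out, d)
		}
	}
	return out
}

// RuleYAML renders the one-verb rule fragment that would satisfy a denial.
func RuleYAML(d Denial) string {
	return fmt.Sprintf("- apiGroups: [%q]\n  resources: [%q]\n  verbs: [%q]", d.APIGroup, d.Resource, d.Verb)
}

func main() {
	for _, d := range ParseDenials(sampleLog) {
		fmt.Printf("# %s denied %q on %q, scope: %s\n%s\n", d.User, d.Verb, d.Resource, d.Scope, RuleYAML(d))
	}
}
```

The printed fragment is meant to be merged into the existing ClusterRole entry for the resource rather than added as a broader wildcard rule.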

@pohly
Contributor

pohly commented Feb 18, 2019

The example is outdated. The canonical source for RBAC rules is https://github.com/kubernetes-csi/external-provisioner/tree/master/deploy/kubernetes

@pohly
Contributor

pohly commented Feb 18, 2019

Having said that, those rules are also outdated. Can you create a PR?

@pohly
Contributor

pohly commented Feb 18, 2019

Is this limited to the canary or does it also happen in the latest release?

@cwdsuzhou cwdsuzhou mentioned this issue Feb 25, 2019
@msau42
Collaborator

msau42 commented Feb 26, 2019

This might have been introduced as part of #209, which was cherry-picked to release-1.0, but we haven't cut a release for it yet.

@msau42
Collaborator

msau42 commented Apr 13, 2019

We reversed #209, so update permissions are no longer needed.
/close

@k8s-ci-robot
Contributor

@msau42: Closing this issue.

