Error from the csi-provisioner container once CrossNamespaceVolumeDataSource:true is enabled #1746

Closed
rajeeshckr opened this issue Sep 18, 2023 · 2 comments · Fixed by #1757
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@rajeeshckr

/kind bug

When I enabled the CrossNamespaceVolumeDataSource feature flag for the csi-provisioner container this way, --set sidecars.provisioner.additionalArgs={--feature-gates=CrossNamespaceVolumeDataSource=true}, it enabled the feature, but I started getting this error message.

ebs-csi-controller-6559c897dc-6rwn7 csi-provisioner W0918 01:09:53.994057 1 reflector.go:533] k8s.io/[email protected]/tools/cache/reflector.go:231: failed to list *v1beta1.ReferenceGrant: referencegrants.gateway.networking.k8s.io is forbidden: User "system:serviceaccount:kube-system:ebs-csi-controller-sa" cannot list resource "referencegrants" in API group "gateway.networking.k8s.io" at the cluster scope

Fix is to update this file with

- apiGroups: ["gateway.networking.k8s.io"]
  resources: ["referencegrants"]
  verbs: ["get", "list", "watch"]

As per document

Environment

  • Kubernetes version (use kubectl version):
    WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version.
    Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.2", GitCommit:"7f6f68fdabc4df88cfea2dcf9a19b2b830f1e647", GitTreeState:"clean", BuildDate:"2023-05-17T14:20:07Z", GoVersion:"go1.20.4", Compiler:"gc", Platform:"darwin/amd64"}
    Kustomize Version: v5.0.1
    Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.7", GitCommit:"84e1fc493a47446df2e155e70fca768d2653a398", GitTreeState:"clean", BuildDate:"2023-07-19T12:16:45Z", GoVersion:"go1.20.6", Compiler:"gc", Platform:"linux/amd64"}
  • Driver version:
    chart_version = "v2.22.0"
    app_version = "v1.22.0"
@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Sep 18, 2023
@rajeeshckr
Author

I have the changes in my fork

@AndrewSirenko
Contributor

Hi @rajeeshckr, thanks for bringing this up (and having an example of the changes in your fork, very thoughtful).

Discussed this with the EBS internal team, and because CrossNamespaceVolumeDataSource is an alpha and optional feature, there was some pushback on adding this attacher cluster role rule to the default helm chart.

However, in #1757, I have added "additionalClusterRoleRules" params to each relevant sidecar that would let you easily add this fix in. Tested with:

sidecars:
  provisioner:
    ...
    # Grant additional permissions to external-provisioner
    additionalClusterRoleRules:
    - apiGroups: ["gateway.networking.k8s.io"]
      resources: ["referencegrants"]
      verbs: ["get", "list", "watch"]

Does this satisfy your needs?
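
An added example, not part of the issue thread or the project's code: an offline check that a set of ClusterRole rules grants the get/list/watch access to referencegrants that the error above reports as forbidden, and nothing broader on that API group. BASE_RULES and WILDCARD_RULE are constructed sample data, and the function names are hypothetical.

```python
# Added example; the rule sets below are constructed sample data.
NEEDED = ("gateway.networking.k8s.io", "referencegrants", ("get", "list", "watch"))

# Constructed stand-in for a provisioner ClusterRole before the fix.
BASE_RULES = [
    {"apiGroups": [""], "resources": ["persistentvolumes"],
     "verbs": ["get", "list", "watch", "create", "delete"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
     "verbs": ["get", "list", "watch"]},
]
# The rule quoted in the issue.
GRANT_RULE = {"apiGroups": ["gateway.networking.k8s.io"],
              "resources": ["referencegrants"], "verbs": ["get", "list", "watch"]}
# Constructed over-broad variant that also clears the error.
WILDCARD_RULE = {"apiGroups": ["gateway.networking.k8s.io"],
                 "resources": ["*"], "verbs": ["*"]}


def rule_allows(rule, group, resource, verb):
    """RBAC rule matching for a request not tied to specific object names."""
    if rule.get("resourceNames"):
        # Name-scoped rules do not cover the reflector's cluster-wide list.
        return False
    return all("*" in rule.get(key, []) or want in rule.get(key, [])
               for key, want in (("apiGroups", group),
                                 ("resources", resource), ("verbs", verb)))


def missing_verbs(rules, needed=NEEDED):
    """Required verbs that no rule in the role grants."""
    group, resource, verbs = needed
    return [v for v in verbs
            if not any(rule_allows(r, group, resource, v) for r in rules)]


def excess_grants(rules, needed=NEEDED):
    """Rules on the needed API group that grant more than the required set."""
    group, resource, verbs = needed
    return [r for r in rules
            if {"*", group} & set(r.get("apiGroups", []))
            and (set(r.get("verbs", [])) - set(verbs)
                 or set(r.get("resources", [])) - {resource}
                 or "*" in r.get("apiGroups", []))]


if __name__ == "__main__":
    for name, extra in (("base", []), ("issue rule", [GRANT_RULE]),
                        ("wildcard", [WILDCARD_RULE])):
        rules = BASE_RULES + extra
        print(name, "missing:", missing_verbs(rules),
              "excess:", excess_grants(rules))
```

Against a live cluster, the rules can be taken from the `rules` field of `kubectl get clusterrole <name> -o json`, where `<name>` is the provisioner's ClusterRole.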
