Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Helm ceph-csi-rbd - not enough permitions #1337

Closed
baznikin opened this issue Aug 7, 2020 · 11 comments
Closed

Helm ceph-csi-rbd - not enough permitions #1337

baznikin opened this issue Aug 7, 2020 · 11 comments
Labels
component/deployment Helm chart, kubernetes templates and configuration Issues/PRs component/rbd Issues related to RBD

Comments

@baznikin
Copy link

baznikin commented Aug 7, 2020

Describe the bug

It is not possible to provision with current (3.0.0) Helm chart version. See Steps to reproduce for details

Environment details

  • Image/version of Ceph CSI driver :
  • Helm chart version : 3.0.0
  • Kernel version :
  • Mounter used for mounting PVC (for cephfs its fuse or kernel. for rbd its
    krbd or rbd-nbd) :
  • Kubernetes cluster version :
  • Ceph cluster version :

Steps to reproduce

  1. I installed ceph-csi-rbd using Helm chart:
    helm install ceph-csi-rbd ceph-csi/ceph-csi-rbd --namespace ceph-csi-rbd -f ceph-csi-rbd.yaml

  2. With tolopogy.enabled=false (default value) i got error about nodes resource

Warning ProvisioningFailed 11m (x13 over 30m) rbd.csi.ceph.com_ceph-csi-rbd-provisioner-dfd44c7b6-5j5xz_00aa056a-c7ad-45c5-9631-1a4e9d984eea failed to get target node: nodes "worker-1-1" is forbidden: User "system:serviceaccount:ceph-csi-rbd:ceph-csi-rbd-provisioner" cannot get resource "nodes" in API group "" at the cluster scope

  1. In order to enable it (see

    ceph-csi/charts/ceph-csi-rbd/templates/provisioner-rules-clusterrole.yaml

    Line 54 in 23e0874

    {{- if .Values.topology.enabled }}
    ) I set tolopogy.enabled=true, remove ClusterRole ceph-csi-rbd-provisioner-rules and upgrade Helm chart. Got another error:

Warning ProvisioningFailed 2m47s (x10 over 7m2s) rbd.csi.ceph.com_ceph-csi-rbd-provisioner-64cb55db6-zkm9w_dbd3b112-40ac-4ce7-b995-8cc381d6771e failed to provision volume with StorageClass "csi-rbd-sc": error generating accessibility requirements: no topology key found on CSINode worker-1-1

  1. After setting tolopogy.enabled back to false, upgrading chart without deleting ClusterRole ceph-csi-rbd-provisioner-rules (so permitions for nodes remains in place) I got working provisioning:

Normal Provisioning 3m47s rbd.csi.ceph.com_ceph-csi-rbd-provisioner-dfd44c7b6-qnrmw_e39c8074-d8a3-4eda-8c43-b264a9bf9f9c External provisioner is provisioning volume for claim "db/data-redis-redis-ha-server-2"
Normal ExternalProvisioning 3m47s persistentvolume-controller waiting for a volume to be created, either by external provisioner "rbd.csi.ceph.com" or manually created by system administrator
Normal ProvisioningSucceeded 3m47s rbd.csi.ceph.com_ceph-csi-rbd-provisioner-dfd44c7b6-qnrmw_e39c8074-d8a3-4eda-8c43-b264a9bf9f9c Successfully provisioned volume pvc-a5b443c3-cc37-414e-874d-bc288981688a
@nixpanic nixpanic added component/rbd Issues related to RBD component/deployment Helm chart, kubernetes templates and configuration Issues/PRs labels Aug 25, 2020
@Madhu-1
Copy link
Collaborator

Madhu-1 commented Sep 7, 2020

@baznikin in tried to reproduce it with master build am not seeing any issue can you retry with v3.1.0 helm charts, if the issue persists can you provide the deployment, cluster role of rbd? and also the PVC -oyaml output

@baznikin
Copy link
Author

@Madhu-1 sorry, I found workaround for my issue and live with it. My intention was to notify maintainer (who know his software better than me) about found lack of permissions. If you follow my steppes and it didn't reproduce with 3.0.0 then it fixed already and can be closed.

@Madhu-1
Copy link
Collaborator

Madhu-1 commented Dec 4, 2020

closing this as not reproducible

@Madhu-1 Madhu-1 closed this as completed Dec 4, 2020
@XtremeOwnageDotCom
Copy link

As a developer- I understand closing/skipping non-reproducible problems.

As a user- I really hate finding closed tickets like this.

image

@simonliska
Copy link

@XtremeOwnageDotCom Same problem with helm chart version 3.10 on k8s v1.24. Works for me with 3.9.0.

@XtremeOwnageDotCom
Copy link

XtremeOwnageDotCom commented Dec 5, 2023
edited
Loading

The solution, is pretty simple.

You need to edit the cluster roles for ceph.

root@rke-master-1:~/Kubernetes/rke/ceph# kubectl get ClusterRole | grep ceph
ceph-csi-rbd-nodeplugin                                                2023-12-01T03:07:50Z
ceph-csi-rbd-provisioner                                               2023-12-01T03:07:51Z

For each of those roles, you need to add the ability to get nodes.

(Add this)

- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch

There is prob a fancy way of doing this with a patch, but, I did it the simple, stupid way.

kubectl get ClusterRole ceph-csi-rbd-nodeplugin -o yaml > t.yaml && nano t.yaml && kubectl apply -f t.yaml

As a note, 3.10 also has this issue.

@simonliska
Copy link

@XtremeOwnageDotCom #4302

@XtremeOwnageDotCom
Copy link

Until that PR hits a release- here is a patch command to fix the issue.

kubectl patch ClusterRole ceph-csi-rbd-nodeplugin --type=json -p='[{"op":"add","path":"/rules/-","value":{"apiGroups":[""],"resources":["nodes"],"verbs":["get","list","watch"]}}]'

@skliarie
Copy link

I used helm3 on kubernetes 1.25.4, and had to add this to ClusterRole (exactly as if .Values.topology.domainLabels is set):

  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list","watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]

otherwise got these errors from provisioner:

E0822 23:13:52.973668 1 reflector.go:150] k8s.io/client-go/informers/factory.go:160: Failed to watch *v1.CSINode: failed to list *v1.CSINode: csinodes.storage.k8s.io is forbidden: User "system:serviceaccount:ceph-csi-rbd:ceph-csi-rbd-provisioner" cannot list resource "csinodes" in API group "storage.k8s.io" at the cluster scope

@iPraveenParihar
Copy link
Contributor

iPraveenParihar commented Aug 26, 2024
edited
Loading

E0822 23:13:52.973668 1 reflector.go:150] k8s.io/client-go/informers/factory.go:160: Failed to watch *v1.CSINode: failed to list *v1.CSINode: csinodes.storage.k8s.io is forbidden: User "system:serviceaccount:ceph-csi-rbd:ceph-csi-rbd-provisioner" cannot list resource "csinodes" in API group "storage.k8s.io" at the cluster scope

@skliarie, #4798 should fix the above issue.
Thanks for reporting.

@laimis9133
Copy link

laimis9133 commented Nov 14, 2024
edited
Loading

Just stepping in: this issue is still present on 3.12.1 chart on v1.27.4+rke2r1 Kubernetes. We faced this after upgrading from 3.9.0.

It took some time to figure out so just a small backtrace below to help out anyone searching:
Kubernetes is not able to provision any new PVC that runs on Ceph RBD (rbd.csi.ceph.com) and will show this description:

Events:
... ... persistentvolume-controller waiting for a volume to be created, either by external provisioner "rbd.csi.ceph.com" or manually created by system administrator

The log trace mentioned here can be found in the ceph-csi-rbd-provisioner pod behind the csi-provisioner container - it will not be visible if the container is not specified as the default logs are from csi-rbdplugin not csi-provisioner in the pod.

Mentioned workarounds solve this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component/deployment Helm chart, kubernetes templates and configuration Issues/PRs component/rbd Issues related to RBD
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@skliarie @nixpanic @baznikin @XtremeOwnageDotCom @Madhu-1 @iPraveenParihar @simonliska @laimis9133