Comments (7)
Could you elaborate a bit more on what permissions you needed to change and where? Thanks!
from multus-cni.
@kfox1111 Thank you for creating this issue and sharing your solution. I encountered this issue as well, and I spent hours figuring out why, but failed (I think there is no related error/warning log...)
@Elegant996
When I try to run the following on one of my kube nodes:

```sh
export KUBECONFIG=<kubeconfig in cni-conf.json>; kubectl get crd
```

It returns:

```
Error from server (Forbidden): customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:node:<node>" cannot list customresourcedefinitions.apiextensions.k8s.io at the cluster scope
```
My lazy solution / quick workaround is to run the following command for all my kube nodes:

```sh
kubectl create clusterrolebinding cluster-admin-binding-<node> --clusterrole=cluster-admin --user=system:node:<node>
```

I believe there is a much better solution than granting cluster-admin permission like above... but I don't know how to configure that, since my knowledge of Kubernetes security is very limited.
P.S. Since I granted the cluster-admin permission, additional permissions may be required if someone wants to configure it properly.
I'm +1 on the behaviour where the pod should be updated to fail in this case.
from multus-cni.
@Elegant996 I was in the same boat as @snowmansora when I tested things. Things were broken until I made the node an admin. (Totally the wrong thing to do.) That is a separate issue: how to properly configure RBAC for Multus? But this issue is about the behaviour where it just did the wrong thing when the permissions were not correct, rather than erroring the pod setup.
from multus-cni.
I believe that this might be a documentation issue? There's a possibility that the readme here might need to suggest how one might add the proper RBAC for Multus to access the API.
I'd be happy to contribute a section on this, however I'd definitely like some input on proper permissions for the correct endpoints instead of an over-arching and overly permissive RBAC.
Currently the solution I've been using personally looks rather similar, for example, I create a cluster role such as this, from this source:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: multus-crd-overpowered
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
```
And then create a binding such as:

```sh
kubectl create clusterrolebinding multus-node-thehostname \
  --clusterrole=multus-crd-overpowered \
  --user=system:node:thehostname
```

For each node in the cluster (including the master). As can be seen in these Ansible plays.
from multus-cni.
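A narrower alternative to the `multus-crd-overpowered` role above, added here as an example and not code from the Multus project or from any participant in this thread. It assumes that Multus reads its network definitions from the `k8s.cni.cncf.io` API group (resource `network-attachment-definitions`), reads the pod to get its network annotation, and writes the resulting network status back onto the pod; the role name `multus-node` and the placeholder node name `thehostname` are illustrative. Verbs are kept to the minimum those operations need.

```yaml
# Added example, not the Multus project's own manifest.
# Assumptions: network definitions live in the k8s.cni.cncf.io API group,
# the plugin reads pods and updates pods/status. Widen a verb only when the
# plugin logs a Forbidden error naming that verb and resource.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: multus-node
rules:
# Read the custom resources that describe the additional networks.
- apiGroups:
  - k8s.cni.cncf.io
  resources:
  - network-attachment-definitions
  verbs:
  - get
  - list
  - watch
# Read the pod (for its network annotation) and update it with the result.
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - update
---
# One binding per node, matching the per-node user that the kubelet
# kubeconfig presents. Replace thehostname with the node name as
# Kubernetes reports it (kubectl get nodes), not an inventory IP.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: multus-node-thehostname
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: multus-node
subjects:
- kind: User
  name: system:node:thehostname
  apiGroup: rbac.authorization.k8s.io
```

Before rolling this out, confirm the binding does what you expect from a cluster-admin context with `kubectl auth can-i get network-attachment-definitions.k8s.cni.cncf.io --as=system:node:thehostname` (impersonation needs the caller to hold the `impersonate` verb on users). Note that the `kubectl get crd` check quoted earlier in the thread exercises `customresourcedefinitions` in `apiextensions.k8s.io`, which is the CRD definition itself, not the network resources the plugin consumes; if the plugin version in use also reads the definition, add a rule granting `get` and `list` on that resource rather than reaching for `cluster-admin`.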
I think a documentation update on a proper RBAC setup for Multus will certainly benefit others.
I also think a behaviour update, as suggested by @kfox1111, makes sense.
To clarify: I specified a CRD annotation of what networks I want to use for Multus in my pod's definition. The pod created should match my definition; if not, it should fail. (It is like specifying a memory limit for my pod: if that cannot be met, the pod should fail.)
@dougbtv
FYI, I am using your Ansible playbook to play around with K8s and Multus. (By the way, thank you so much for sharing your playbook; it has been great trying stuff with it.)
The reason I encountered the permission problem even with your "multus-crd-overpowered" is that I used IPs in my Ansible inventory, hence "inventory_hostname" in multus-crd/tasks/main.yml is an IP. But K8s is expecting a hostname, so after I replaced "inventory_hostname" with "ansible_nodename", it works.
from multus-cni.
Back to the original issue for this: if something goes wrong with the kubeconfig file, access to the CRD, or an annotation for networks that don't exist, don't fall back to the default network, because it is not what the person wanted for the pod. I have created issue #45 with a patch that fixes this.
from multus-cni.
I believe this will be fixed with #100
from multus-cni.