Comments (6)
What version of kubernetes are you using and can you provide the clusterrole, clusterrolebinding used for this serviceaccount
from descheduler.
After I done all steps with the README on k8s 1.8.4 and still got this issue.
# kubectl version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.4", GitCommit:"9befc2b8928a9426501d3bf62f72849d5cbcd5a3", GitTreeState:"clean", BuildDate:"2017-12-01T02:40:24Z", GoVersion:"go1.9.2", Compiler
:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.4", GitCommit:"9befc2b8928a9426501d3bf62f72849d5cbcd5a3", GitTreeState:"clean", BuildDate:"2017-12-01T02:40:24Z", GoVersion:"go1.9.2", Compiler
:"gc", Platform:"linux/amd64"}
# kubectl auth can-i create pods/eviction --as system:serviceaccount:kube-system:descheduler-sa
no
#
And checked with the cluster roles, only system:node role can create pods/eviction, after grant descheduler-sa with system:node, issue solved.
# kubectl create clusterrolebinding descheduler --clusterrole=system:node --user system:serviceaccount:kube-system:descheduler-sa
clusterrolebinding "descheduler" created
# kc logs descheduler-job-wxjjb -n kube-system
I1201 03:22:55.816400 1 reflector.go:198] Starting reflector *v1.Node (1h0m0s) from github.com/kubernetes-incubator/descheduler/pkg/descheduler/node/node.go:83
I1201 03:22:55.818449 1 reflector.go:236] Listing and watching *v1.Node from github.com/kubernetes-incubator/descheduler/pkg/descheduler/node/node.go:83
I1201 03:22:55.918603 1 duplicates.go:50] Processing node: "127.0.0.1"
I1201 03:22:55.924518 1 duplicates.go:54] "ReplicaSet/default/nginx-d5dc44cf7"
I1201 03:22:55.933077 1 duplicates.go:62] Evicted pod: "nginx-d5dc44cf7-hkls8" (<nil>)
I1201 03:22:55.946694 1 duplicates.go:62] Evicted pod: "nginx-d5dc44cf7-jq2qm" (<nil>)
I1201 03:22:55.971466 1 duplicates.go:62] Evicted pod: "nginx-d5dc44cf7-knwdt" (<nil>)
I1201 03:22:55.988597 1 duplicates.go:62] Evicted pod: "nginx-d5dc44cf7-kq2pj" (<nil>)
I1201 03:22:56.006068 1 duplicates.go:62] Evicted pod: "nginx-d5dc44cf7-p4nsp" (<nil>)
I1201 03:22:56.021520 1 duplicates.go:62] Evicted pod: "nginx-d5dc44cf7-qwl9k" (<nil>)
I1201 03:22:56.041642 1 duplicates.go:62] Evicted pod: "nginx-d5dc44cf7-wmmrk" (<nil>)
I1201 03:22:56.072626 1 duplicates.go:62] Evicted pod: "nginx-d5dc44cf7-xc79d" (<nil>)
I1201 03:22:56.090795 1 duplicates.go:62] Evicted pod: "nginx-d5dc44cf7-zspz9" (<nil>)
I1201 03:22:56.102793 1 lownodeutilization.go:142] Node "127.0.0.1" is under utilized with usage: api.ResourceThresholds{"cpu":13, "memory":1.4733866912789215, "pods":17.272727272727273}
I1201 03:22:56.102832 1 lownodeutilization.go:152] allPods:19, nonRemovablePods:1, bePods:18, bPods:0, gPods:0
I1201 03:22:56.102839 1 lownodeutilization.go:65] Criteria for a node under utilization: CPU: 20, Mem: 20, Pods: 20
I1201 03:22:56.102845 1 lownodeutilization.go:72] Total number of underutilized nodes: 1
I1201 03:22:56.102849 1 lownodeutilization.go:80] all nodes are underutilized, nothing to do here
I1201 03:22:56.102856 1 pod_antiaffinity.go:46] Processing node: "127.0.0.1"
from descheduler.
Can confirm I experienced the same when using the ClusterRole specified in the README.
Error
Error when evicting pod: "dc-85b44c59b-qnrlq" (&errors.StatusError{ErrStatus:v1.Status{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ListMeta:v1.ListMeta{SelfLink:"", ResourceVersion:""}, Status:"Failure", Message:"pods \"dc-85b44c59b-qnrlq\" is forbidden: User \"system:serviceaccount:kube-system:descheduler-sa\" cannot create pods/eviction in the namespace \"default\": Unknown user \"system:serviceaccount:kube-system:descheduler-sa\"", Reason:"Forbidden", Details:(*v1.StatusDetails)(0xc42064a1e0), Code:403}})
Role
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: descheduler-cluster-role
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "delete"]
Kube version
Server Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.2-gke.0", GitCommit:"52ea03646e64b35a5b092ab32bb529400c296aa6", GitTreeState:"clean", BuildDate:"2017-10-24T23:31:18Z", GoVersion:"go1.8.3b4", Compiler:"gc", Platform:"linux/amd64"}
from descheduler.
@wjiangjay @Evesy Thanks for pointing this out. I created #64 for this. Please let me know if the PR doesn't fix the issue.
from descheduler.
Looks good to me
from descheduler.
Thanks @Evesy for confirming. I am closing this as #64 is merged.
from descheduler.
Related Issues (20)
- Bump Kubernetes dependencies to v1.30.0
- 1.30: Update version references in docs and readme
- Chart not available anymore HOT 2
- Descheduler not evicting anything when deployed with Helm chart as a deployment HOT 2
- CrashLoopBackOff 0.29.0 HOT 5
- 1.30: Update CI in test-infra HOT 1
- Create v0.30.0 tag on master HOT 1
- Promote v0.30.0 docker image
- Helm chart version update to v0.30.0 HOT 1
- Endless descheduling of pods with node affinity preferredDuringSchedulingIgnoredDuringExecution and enough resources available on not tainted node but not on a tainted node
- Default deschedulerPolicy in helm chart causes crashloop HOT 3
- Add a new extension point EvictPlugin to descheduling framework HOT 1
- unknown phase feature HOT 3
- Latest version does not work with helm chart anymore HOT 1
- `failed to convert Descheduler minor version to float` on start HOT 5
- `unknown field nodeAffinityType` error with v0.30.0 HOT 8
- KEP-1421: Make individual NodeFit predicates configurable
- Unable to create a profile err="profile \"test\" configures deschedule extension point of non-existing plugins: map[RemovePodsViolatingTopologySpreadConstraint:{}]" HOT 4
- otel: conflicting Schema URL HOT 4
- Enable Service in Descheduler without ClusterIP as None - Helm Chart HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from descheduler.