
Comments (4)

ksudhir007 commented on May 22, 2024 1

Thanks @fandujar, I started playing around with mizu a few mins back. I don't have permission on ALL resources on the cluster but I am limited to a specific namespace. I was wondering what permission would it need to run mizu?

I see the below error even when I specify the namespace using the -n option

$ ./mizu tap "shopping-cart-*" -A -n ksudhir007
Tapping pods in all namespaces
warning: could not ensure mizu rbac resources exist serviceaccounts "mizu-service-account" is forbidden: User "ksudhir007" cannot get resource "serviceaccounts" in API group "" in the namespace "default"
Error creating mizu tapper daemonset: daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot patch resource "daemonsets" in API group "apps" in the namespace "default"

Removing mizu resources
Error removing DaemonSet mizu-tapper-daemon-set in namespace default: daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default" (daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default",daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default")

Happy to update the documentation once I find the answer.

from kubeshark.

ksudhir007 commented on May 22, 2024 1

Opened pull request #114


RamiBerm commented on May 22, 2024 1

Thanks @fandujar, I started playing around with mizu a few mins back. I don't have permission on ALL resources on the cluster but I am limited to a specific namespace. I was wondering what permission would it need to run mizu?

I see the below error even when I specify the namespace using the -n option

$ ./mizu tap "shopping-cart-*" -A -n ksudhir007
Tapping pods in all namespaces
warning: could not ensure mizu rbac resources exist serviceaccounts "mizu-service-account" is forbidden: User "ksudhir007" cannot get resource "serviceaccounts" in API group "" in the namespace "default"
Error creating mizu tapper daemonset: daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot patch resource "daemonsets" in API group "apps" in the namespace "default"

Removing mizu resources
Error removing DaemonSet mizu-tapper-daemon-set in namespace default: daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default" (daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default",daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default")

Happy to update the documentation once I find the answer.

The minimum permissions needed are (currently for the default namespace, will be configurable later on):

- apiGroups:
  - ""
  - apps
  resources:
  - pods
  - services
  verbs:
  - list
  - get
  - create
  - delete
- apiGroups:
  - ""
  - apps
  resources:
  - daemonsets
  verbs:
  - list
  - get
  - create
  - patch
  - delete

You won't be able to run mizu at all without these resources.

For traffic IP to k8s service name resolving to work, you'll need these optional permissions:

- apiGroups:
  - ""
  - apps
  - "rbac.authorization.k8s.io"
  resources:
  - clusterroles
  - clusterrolebindings
  - serviceaccounts
  verbs:
  - get
  - create
  - delete

This will allow mizu to create the necessary RBAC resources that give mizu permissions to watch the cluster's pods, services and endpoints in order to resolve traffic IPs.

from kubeshark.
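A preflight check for the minimum permissions listed in the comment above, as an added example that is not part of the thread or of the mizu project: it asks the API server, through `kubectl auth can-i`, about each verb and resource in the namespace mizu deploys into. The function name `mizu_missing_perms`, the `--check` argument and the `KUBECTL` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report which of the minimum mizu permissions the current
# user lacks, before running `mizu tap`.
# KUBECTL is a hypothetical override so the binary can be swapped; it
# defaults to the real kubectl.
KUBECTL="${KUBECTL:-kubectl}"

# resource:verbs pairs copied from the minimum rules posted in the thread.
# Each resource is checked in the API group that serves it: pods and
# services in the core group, daemonsets in apps.
MIZU_REQUIRED="
pods:list,get,create,delete
services:list,get,create,delete
daemonsets.apps:list,get,create,patch,delete
"

# Print one "verb resource" line for every permission the current user
# lacks in namespace $1 (default: "default", where mizu currently deploys).
# Returns 0 only when nothing is missing.
mizu_missing_perms() {
    ns="${1:-default}"
    missing=0
    for entry in $MIZU_REQUIRED; do
        resource="${entry%%:*}"
        verbs="${entry#*:}"
        for verb in $(printf '%s' "$verbs" | tr ',' ' '); do
            # `kubectl auth can-i` exits non-zero when the answer is "no".
            if ! "$KUBECTL" auth can-i "$verb" "$resource" -n "$ns" >/dev/null 2>&1; then
                printf '%s %s\n' "$verb" "$resource"
                missing=1
            fi
        done
    done
    return "$missing"
}

# Run as a script: ./check.sh --check [namespace]
if [ "${1:-}" = "--check" ]; then
    mizu_missing_perms "${2:-default}"
fi
```

Each line of output is a verb and resource to add to the Role bound to the user in that namespace; empty output means the minimum set is already granted.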

ksudhir007 commented on May 22, 2024

Thanks @RamiBerm - this issue can be closed - both pull requests are merged.
