Kubernetes-Config extension and issue with K8S 1.21 (service accounts)
638 views
Skip to first unread message
KimJohn Quinn
Aug 6, 2021, 6:44:31 PM8/6/21
to Quarkus Development mailing list
Reposting instead of mixing it up with my previous question (which does not seem to be the problem):
We see these errors when deploying our native service using the latest Quarkus and the "kubernetes-config" extension:
- WARN: Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring
- ERROR: Failed to start application (with profile my-release) io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.100.0.1/api/v1/namespaces/platform-445-staging/configmaps/my-config. Message: configmaps "my-config" is forbidden: User "system:anonymous" cannot get resource "configmaps" in API group "" in the namespace "platform-445-staging".
We are starting to think this is an issue between our K8S upgrade to 1.21 from 1.19.
- 1.19 - it was working here (no code/config changes)
- 1.20 - dont know if it works or not we only upgraded here to get to latest
- 1.21 - does not work
We know it worked before and as a quick test we deployed it into an older cluster (1.17) and it looks to work as-is.
Our plan, because we are in need, is to try and downgrade (recreate the cluster) to 1.20 and if that does not work go to 1.19.
Maybe it is related to this according to the upgrade log for K8S?
Service account tokens bound to a pod is now a stable feature. The feature gates will be removed in 1.21 release. For more information, refer to notes below on the changelogs.
Log Output:
>kubectl logs my-platform-client-c85ff7478-m7876 -n platform-445-staging
Aug 06, 2021 4:08:37 PM io.fabric8.kubernetes.client.Config
WARN: Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
Aug 06, 2021 4:08:37 PM io.fabric8.kubernetes.client.Config
WARN: Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
Aug 06, 2021 4:08:37 PM io.fabric8.kubernetes.client.Config
WARN: Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
Aug 06, 2021 4:08:37 PM io.quarkus.runtime.ApplicationLifecycleManager run
ERROR: Failed to start application (with profile my-release)
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.100.0.1/api/v1/namespaces/platform-445-staging/configmaps/my-config.
Message: configmaps "my-config" is forbidden: User "system:anonymous" cannot get resource "configmaps" in API group "" in the namespace "platform-445-staging". Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=null, kind=configmaps, name=my-config, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=configmaps "my-config" is forbidden: User "system:anonymous" cannot get resource "configmaps" in API group "" in the namespace "platform-445-staging", metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).
KimJohn Quinn
Aug 6, 2021, 8:31:35 PM8/6/21
to Quarkus Development mailing list
We just tested real quick with a test 1.20 cluster and it looks to work fine.
Georgios Andrianakis
Aug 17, 2021, 9:15:46 AM8/17/21
to KimJohn Quinn, Quarkus Development mailing list
Have you opened an issue for this?
I won't be back for a few more days so best if this is tracked in an issue
--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/296aa53b-df0b-407d-800e-eac6b987cd92n%40googlegroups.com.
KimJohn Quinn
Aug 17, 2021, 9:20:14 AM8/17/21
to Georgios Andrianakis, Quarkus Development mailing list
I just opened one this morning.
You received this message because you are subscribed to a topic in the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/quarkus-dev/WCpFwRh0wio/unsubscribe.
To unsubscribe from this group and all its topics, send an email to quarkus-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALeTM-n_c7ErH9H-FwZ7ODUPD%3DCKjRS0iYAP8QhOLyLM%3D6h6Nw%40mail.gmail.com.
Georgios Andrianakis
Aug 17, 2021, 9:21:17 AM8/17/21
to KimJohn Quinn, Quarkus Development mailing list
👍
Reply all
Reply to author
Forward
0 new messages