Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kill-host-pods permission error after upgrade to 1.32 #4802

Open
sbidoul opened this issue Dec 27, 2024 · 0 comments
Open

kill-host-pods permission error after upgrade to 1.32 #4802

sbidoul opened this issue Dec 27, 2024 · 0 comments

Comments

@sbidoul
Copy link

sbidoul commented Dec 27, 2024

After upgrade to 1.32 the following error is logged every 5 seconds:

Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008949]: Error from server (Forbidden): pods is forbidden: User "system:node:myhostname" cannot list resource "pods" in API group "" at the cluster scope: can only list/watch pods with spec.nodeName field selector
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]: Traceback (most recent call last):
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:   File "/snap/microk8s/7537/scripts/kill-host-pods.py", line 104, in <module>
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:     main()
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:   File "/snap/microk8s/7537/usr/lib/python3/dist-packages/click/core.py", line 764, in __call__
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:     return self.main(*args, **kwargs)
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:   File "/snap/microk8s/7537/usr/lib/python3/dist-packages/click/core.py", line 717, in main
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:     rv = self.invoke(ctx)
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:   File "/snap/microk8s/7537/usr/lib/python3/dist-packages/click/core.py", line 956, in invoke
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:     return ctx.invoke(self.callback, **ctx.params)
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:   File "/snap/microk8s/7537/usr/lib/python3/dist-packages/click/core.py", line 555, in invoke
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:     return callback(*args, **kwargs)
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:   File "/snap/microk8s/7537/scripts/kill-host-pods.py", line 84, in main
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:     out = subprocess.check_output([*KUBECTL, "get", "pod", "-o", "json", *selector])
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:   File "/snap/microk8s/7537/usr/lib/python3.8/subprocess.py", line 415, in check_output
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:     return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:   File "/snap/microk8s/7537/usr/lib/python3.8/subprocess.py", line 516, in run
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]:     raise CalledProcessError(retcode, process.args,
Dec 27 10:50:35 myhostname microk8s.daemon-apiserver-kicker[2008890]: subprocess.CalledProcessError: Command '['/snap/microk8s/7537/kubectl', '--kubeconfig=/var/snap/microk8s/7537/credentials/kubelet.config', 'get', 'pod', '-o', 'json', '-A']' returned non-zero exit status 1.

Adding AuthorizeNodeWithSelectors=false to --feature-gates in /var/snap/microk8s/current/args/kube-api-server silenced the error.

Is this an actual bug in 1.32, or could it be something with the configuration of my cluster?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sbidoul