openshift Crash Loop Back Off error with turbine-server

3/29/2018

Hi, I created a project in OpenShift and attempted to add a turbine-server image to it. A Pod was added, but I keep receiving the following error in the logs. I am very new to OpenShift and I would appreciate any advice or suggestions as to how to resolve this error. I can supply any further information that is required.

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/booking/pods/turbine-server-2-q7v8l . Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked..

-- LedMan1001
kubernetes
openshift

2 Answers

3/31/2018

Hi, thank you for the replies - I was able to resolve the issue by executing the following commands using the oc command-line utility:

oc policy add-role-to-group view system:serviceaccounts -n <project>
oc policy add-role-to-group edit system:serviceaccounts -n <project>
-- LedMan1001
Source: StackOverflow

3/30/2018

How to diagnose

Make sure you have configured a service account, role, and role binding to the account. Make sure the service account is set to the pod spec.

spec:
  serviceAccountName: your-service-account

Start monitoring the atomic-openshift-node service on the node where the pod is deployed, and the API server.

$ journalctl -b -f -u atomic-openshift-node

Run the pod and monitor the journald output. You would see "Forbidden".

Jan 28 18:27:38 <hostname> atomic-openshift-node[64298]: 
logging error output: "Forbidden (user=system:serviceaccount:logging:appuser, verb=get, resource=nodes, subresource=proxy)"

This means the service account appuser does not have the authorisation to perform get on the nodes/proxy resource. Then update the role to allow the verb "get" on that resource.

- apiGroups: [""]
  resources:
    - "nodes"
    - "nodes/status"
    - "nodes/log"
    - "nodes/metrics"
    - "nodes/proxy"   # <---- the subresource named in the Forbidden message
    - "nodes/spec"
    - "nodes/stats"
    - "namespaces"
    - "events"
    - "services"
    - "pods"
    - "pods/status"
  verbs: ["get", "list", "watch"]   # "view" is a role name, not an RBAC verb; "watch" is the verb that pairs with get/list

Note that some resources are not in the default legacy "" API group, as in "Unable to list deployments resources using RBAC".

How to verify the authorisations

To verify who can execute a verb against a resource, for example the patch verb against pods:

$ oadm policy who-can patch pod
Namespace: default
Verb:      patch
Resource:  pods

Users:  auser
        system:admin
        system:serviceaccount:cicd:jenkins
Groups: system:cluster-admins
        system:masters

OpenShift vs K8S

OpenShift has the commands oc policy and oadm policy:

oc policy add-role-to-user <role> <user-name>
oadm policy add-cluster-role-to-user <role> <user-name>

This is the same as a K8s role binding. You can use K8s RBAC, but the API version in OpenShift needs to be v1 instead of rbac.authorization.k8s.io/v1 as in K8s.

-- mon
Source: StackOverflow
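As an added illustration (not code from either answer), the following Python models how RBAC PolicyRule matching treats the Forbidden line quoted in the second answer: a subresource such as nodes/proxy is a distinct resource name, so a rule listing only "nodes" never satisfies it, and a least-privilege rule for the question's pod needs nothing more than get/list/watch on pods. The journald line, hostname and rule sets are constructed; the matching logic also covers the "*" and "*/subresource" wildcards, which goes beyond the answer's single case.

```python
import re

# Constructed journald line, in the shape of the Forbidden message quoted in the answer.
FORBIDDEN_LINE = ('Jan 28 18:27:38 node1 atomic-openshift-node[64298]: logging error output: '
                  '"Forbidden (user=system:serviceaccount:logging:appuser, verb=get, '
                  'resource=nodes, subresource=proxy)"')

def parse_forbidden(line):
    """Pull user/verb/resource/subresource out of a 'Forbidden (...)' log message."""
    m = re.search(r'Forbidden \(([^)]*)\)', line)
    if not m:
        return None
    fields = dict(kv.strip().split('=', 1) for kv in m.group(1).split(','))
    return {k: fields.get(k, '') for k in ('user', 'verb', 'resource', 'subresource')}

def rule_allows(rule, api_group, resource, subresource, verb):
    """Mirror RBAC PolicyRule matching: API group, resource and verb must all match.
    'nodes' does not cover 'nodes/proxy'; only 'nodes/proxy', '*/proxy' or '*' does."""
    combined = f'{resource}/{subresource}' if subresource else resource
    group_ok = '*' in rule['apiGroups'] or api_group in rule['apiGroups']
    res_ok = any(r in ('*', combined) or (subresource and r == f'*/{subresource}')
                 for r in rule['resources'])
    verb_ok = '*' in rule['verbs'] or verb in rule['verbs']
    return group_ok and res_ok and verb_ok

def is_allowed(rules, api_group, resource, subresource, verb):
    """One matching rule is enough; RBAC is allow-only and has no deny rules."""
    return any(rule_allows(r, api_group, resource, subresource, verb) for r in rules)

def check_forbidden_line(rules, line, api_group=''):
    """Would this rule set have allowed the request that the log line reports as Forbidden?"""
    req = parse_forbidden(line)
    if req is None:
        return None
    return is_allowed(rules, api_group, req['resource'], req['subresource'], req['verb'])

# The answer's rule before and after adding "nodes/proxy" (abbreviated, constructed).
# "view" is a ClusterRole name, not a verb, so "watch" is used here instead.
NODE_RULES_BEFORE = [{'apiGroups': [''], 'resources': ['nodes', 'nodes/status', 'pods'],
                      'verbs': ['get', 'list', 'watch']}]
NODE_RULES_AFTER = [{'apiGroups': [''], 'resources': ['nodes', 'nodes/proxy', 'pods'],
                     'verbs': ['get', 'list', 'watch']}]
# Least-privilege rule for the question's pod: it only GETs pods in its own project, which is
# far narrower than granting "edit" to every service account in the namespace.
TURBINE_RULES = [{'apiGroups': [''], 'resources': ['pods'], 'verbs': ['get', 'list', 'watch']}]

if __name__ == '__main__':
    print(check_forbidden_line(NODE_RULES_BEFORE, FORBIDDEN_LINE))  # False
    print(check_forbidden_line(NODE_RULES_AFTER, FORBIDDEN_LINE))   # True
    print(is_allowed(TURBINE_RULES, '', 'pods', '', 'delete'))       # False
```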