Update deployment from container in Cluster

3/29/2018

I'm trying to update a Deployment from a Go application running inside the cluster, but it fails with an authorization error.

GKE Master version 1.9.4-gke.1

package main

import (
    "fmt"

    "github.com/pkg/errors"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    "k8s.io/client-go/kubernetes"
    "k8s.io/client-go/rest"
)

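// updateReplicas sets spec.replicas of the Deployment name in namespace to
// replicas, authenticating with the pod's in-cluster service account.
//
// The Deployment is read through the apps/v1 API and the whole object is
// written back, so the service account the pod runs as needs the "get" and
// "update" verbs on deployments in the "apps" API group. No other verb or
// resource is used by this function.
//
// Errors from building the client, reading or updating the Deployment are
// wrapped and returned.
func updateReplicas(namespace string, name string, replicas int32) error {
	config, err := rest.InClusterConfig()
	if err != nil {
		return errors.Wrap(err, "failed rest.InClusterConfig")
	}
	clientset, err := kubernetes.NewForConfig(config)
	if err != nil {
		return errors.Wrap(err, "failed kubernetes.NewForConfig")
	}

	deployment, err := clientset.AppsV1().Deployments(namespace).Get(name, metav1.GetOptions{})
	if err != nil {
		fmt.Printf("failed get Deployment %+v\n", err)
		return errors.Wrap(err, "failed get deployment")
	}
	deployment.Spec.Replicas = &replicas
	// Log only the identity and the new replica count. Printing the whole
	// object would copy the pod template, including container environment
	// values, into the container log.
	fmt.Printf("updating Deployment %s/%s to %d replicas\n", deployment.Namespace, deployment.Name, replicas)
	ug, err := clientset.AppsV1().Deployments(deployment.Namespace).Update(deployment)
	if err != nil {
		// Newline added so the message does not run into the next log line.
		fmt.Printf("failed update Deployment %+v\n", err)
		return errors.Wrap(err, "failed update Deployment")
	}
	fmt.Printf("done update deployment %s/%s\n", ug.Namespace, ug.Name)

	return nil
}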

result message

failed get Deployment deployments.apps "land-node" is forbidden: User "system:serviceaccount:default:default" cannot get deployments.apps in the namespace "default": Unknown user "system:serviceaccount:default:default"

I have granted the following permissions, but are they not enough?

deployment-editor.yaml

# ClusterRole listing the verbs the application is meant to have on Deployments.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # NOTE(review): ClusterRole is a cluster-scoped kind, so this namespace field has no effect.
  namespace: default
  name: deployment-editor
rules:
# NOTE(review): "" is the core API group. The error on this page names
# "deployments.apps", i.e. the "apps" group, which this rule does not cover.
- apiGroups: [""]
  resources: ["deployments"]
  # NOTE(review): the Go code on this page only calls Get and Update; the
  # remaining verbs grant more than that code uses.
  verbs: ["get", "list", "watch", "create", "update", "patch"]

editor-deployement.yaml

# Binds the deployment-editor ClusterRole to the "default" service account of
# the "default" namespace.
# NOTE(review): a ClusterRoleBinding grants the role in every namespace. If only
# one namespace is needed, a RoleBinding in that namespace is the narrower
# grant — confirm the intended scope.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: editor-deployment
  # NOTE(review): ClusterRoleBinding is cluster-scoped, so this namespace field has no effect.
  namespace: default
subjects:
# NOTE(review): "default" is the account used by pods in the namespace that do
# not name a service account, so all of them receive this grant. A dedicated
# ServiceAccount for the application would limit it to that workload.
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: deployment-editor
  apiGroup: rbac.authorization.k8s.io
-- sinmetal
google-kubernetes-engine
kubernetes

1 Answer

3/30/2018

Quoting from "Unable to list deployments resources using RBAC":

replicasets and deployments exist in the "extensions" and "apps" API groups, not in the legacy "" group

# Rule fragment for the `rules:` list of a Role or ClusterRole: names the API
# groups that serve deployments and replicasets instead of the core "" group.
# NOTE(review): this is broader than the Go code in the question exercises,
# which only gets and updates deployments through the apps/v1 client. Trim
# groups, resources and verbs to what the workload actually calls.
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
  - update
  - create
  - patch
-- mon
Source: StackOverflow