Specifying a role in a kubernetes cronjob

12/13/2019

We have a kubernetes cluster with istio proxy running. At first I created a cronjob which reads from database and updates a value if found. It worked fine.

Then it turns out we already had a service that does the database update so I changed the database code into a service call.

conn := dial.Service("service:3550", grpc.WithInsecure())
client := protobuf.NewServiceClient(conn)

client.Update(ctx)

But istio rejects the calls with an RBAC error. It just rejects and doesnt say why.

Is it possible to add a role to a cronjob? How can we do that?

The mTLS meshpolicy is PERMISSIVE.

Kubernetes version is 1.17 and istio version is 1.3

API Version:  authentication.istio.io/v1alpha1
Kind:         MeshPolicy
Metadata:
  Creation Timestamp:  2019-12-05T16:06:08Z
  Generation:          1
  Resource Version:    6578
  Self Link:           /apis/authentication.istio.io/v1alpha1/meshpolicies/default
  UID:                 25f36b0f-1779-11ea-be8c-42010a84006d
Spec:
  Peers:
    Mtls:
      Mode:  PERMISSIVE

The cronjob yaml

Name:                          cronjob
Namespace:                     serve
Labels:                        <none>
Annotations:                   <none>
Schedule:                      */30 * * * *
Concurrency Policy:            Allow
Suspend:                       False
Successful Job History Limit:  1
Failed Job History Limit:      3
Pod Template:
  Labels:  <none>
  Containers:
   service:
    Image:      service:latest
    Port:       <none>
    Host Port:  <none>
    Environment:
      JOB_NAME:                         (v1:metadata.name)
    Mounts:                            <none>
  Volumes:                             <none>
Last Schedule Time:                    Tue, 17 Dec 2019 09:00:00 +0100
Active Jobs:                           <none>
Events:

edit I have turned off RBA for my namespace in ClusterRBACConfig and now it works. So cronjobs are affected by roles is my conclusion then and it should be possible to add a role and call other services.

-- Serve Laurijssen
istio
kubernetes

1 Answer

12/17/2019

The cronjob needs proper permissions in order to run if RBAC is enabled.

One of the solutions in this case would be to add a ServiceAccount to the cronjob configuration file that has enough privileges to execute what it needs to.

Since You already have existing services in the namespace You can check if You have existing ServiceAccount for specific NameSpace by using:

$ kubectl get serviceaccounts -n serve

If there is existing ServiceAccount You can add it into Your cronjob manifest yaml file.

Like in this example:

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: adwords-api-scale-up-cron-job
spec:
  schedule: "*/2 * * * *"
  jobTemplate:
    spec:
      activeDeadlineSeconds: 100
      template:
        spec:
          serviceAccountName: scheduled-autoscaler-service-account
          containers:
          - name: adwords-api-scale-up-container
            image: bitnami/kubectl:1.15-debian-9
            command:
              - bash
            args:
              - "-xc"
              - |
                kubectl scale --replicas=2 --v=7 deployment/adwords-api-deployment
            volumeMounts:
            - name: kubectl-config
              mountPath: /.kube/
              readOnly: true
          volumes:
          - name: kubectl-config
            hostPath:
              path: $HOME/.kube # Replace $HOME with an evident path location
          restartPolicy: OnFailure

Then under Pod Template there should be Service Account visable:

$ kubectl describe cronjob adwords-api-scale-up-cron-job
Name:                          adwords-api-scale-up-cron-job
Namespace:                     default
Labels:                        <none>
Annotations:                   kubectl.kubernetes.io/last-applied-configuration:
                                 {"apiVersion":"batch/v1beta1","kind":"CronJob","metadata":{"annotations":{},"name":"adwords-api-scale-up-cron-job","namespace":"default"},...
Schedule:                      */2 * * * *
Concurrency Policy:            Allow
Suspend:                       False
Successful Job History Limit:  3
Failed Job History Limit:      1
Starting Deadline Seconds:     <unset>
Selector:                      <unset>
Parallelism:                   <unset>
Completions:                   <unset>
Active Deadline Seconds:       100s
Pod Template:
  Labels:           <none>
  Service Account:  scheduled-autoscaler-service-account
  Containers:
   adwords-api-scale-up-container:
    Image:      bitnami/kubectl:1.15-debian-9
    Port:       <none>
    Host Port:  <none>
    Command:
      bash
    Args:
      -xc
      kubectl scale --replicas=2 --v=7 deployment/adwords-api-deployment

    Environment:  <none>
    Mounts:
      /.kube/ from kubectl-config (ro)
  Volumes:
   kubectl-config:
    Type:            HostPath (bare host directory volume)
    Path:            $HOME/.kube
    HostPathType:    
Last Schedule Time:  <unset>
Active Jobs:         <none>
Events:              <none>

In case of custom RBAC configuration i suggest referring to kubernetes documentation.

Hope this helps.

-- Piotr Malec
Source: StackOverflow