Snapshot Creation Failed #16

Open
KarasWinds opened this issue Apr 1, 2024 · 1 comment
KarasWinds commented Apr 1, 2024

Name:         snapcontent-b990f54d-704a-48f5-be9c-3bc52bc13683
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  snapshot.storage.k8s.io/v1
Kind:         VolumeSnapshotContent
Metadata:
  Creation Timestamp:  2024-04-01T01:33:27Z
  Finalizers:
    snapshot.storage.kubernetes.io/volumesnapshotcontent-bound-protection
  Generation:  1
  Managed Fields:
    API Version:  snapshot.storage.k8s.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:finalizers:
          .:
          v:"snapshot.storage.kubernetes.io/volumesnapshotcontent-bound-protection":
      f:spec:
        .:
        f:deletionPolicy:
        f:driver:
        f:source:
          .:
          f:volumeHandle:
        f:sourceVolumeMode:
        f:volumeSnapshotClassName:
        f:volumeSnapshotRef:
    Manager:         snapshot-controller
    Operation:       Update
    Time:            2024-04-01T01:33:27Z
  Resource Version:  312270323
  UID:               06712699-ddf2-4a67-b4de-9dfdde5714e0
Spec:
  Deletion Policy:  Delete
  Driver:           csi.san.synology.com
  Source:
    Volume Handle:             1007046f-c89d-45e6-9c4b-7d0baec58c25
  Source Volume Mode:          Filesystem
  Volume Snapshot Class Name:  synology-csi-delete
  Volume Snapshot Ref:
    API Version:       snapshot.storage.k8s.io/v1
    Kind:              VolumeSnapshot
    Name:              test
    Namespace:         kube-system
    Resource Version:  312270319
    UID:               b990f54d-704a-48f5-be9c-3bc52bc13683
Events:
  Type     Reason                  Age               From                                  Message
  ----     ------                  ----              ----                                  -------
  Warning  SnapshotCreationFailed  8s (x5 over 21s)  csi-snapshotter csi.san.synology.com  Failed to create snapshot: failed to add VolumeSnapshotBeingCreated annotation on the content snapcontent-b990f54d-704a-48f5-be9c-3bc52bc13683: "snapshot controller failed to update snapcontent-b990f54d-704a-48f5-be9c-3bc52bc13683 on API server: volumesnapshotcontents.snapshot.storage.k8s.io \"snapcontent-b990f54d-704a-48f5-be9c-3bc52bc13683\" is forbidden: User \"system:serviceaccount:system:synology-csi-snapshotter\" cannot patch resource \"volumesnapshotcontents\" in API group \"snapshot.storage.k8s.io\" at the cluster scope"

ClusterRole synology-csi-snapshotter needs resources: volumesnapshotcontents, verbs: patch

emmetog commented May 22, 2024

The CSI snapshotter is installed separately from the synology-csi. In the README it says:

Prerequisites

So you'll need to update the RBAC of the CSI snapshotter to allow synology-csi to access it; it's not an issue with this project.

If you've installed the kubernetes-csi/external-snapshotter as I did, then you'll need to update the ClusterRole and ClusterRoleBinding like this:

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # rename if there are conflicts
  name: snapshot-controller-runner
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots/status"]
    verbs: ["update"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: snapshot-controller-role
subjects:
  - kind: ServiceAccount
    name: snapshot-controller
    namespace: kube-system    # TODO: replace with the namespace you want for your controller, e.g. kube-system
  - kind: ServiceAccount
    name: synology-csi-snapshotter
    namespace: synology-csi
roleRef:
  kind: ClusterRole
  # change the name also here if the ClusterRole gets renamed
  name: snapshot-controller-runner
  apiGroup: rbac.authorization.k8s.io
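
An added example, not code from either commenter or from the synology-csi project: a small shell helper that reads an RBAC denial like the one in the event above and prints the `kubectl auth can-i` command that re-tests it after a role change, plus the single rule the denial names. The function names are hypothetical and `MSG` is the denial from this issue with its inner quotes unescaped.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of kubectl or synology-csi.
# MSG is the denial from the event in this issue, with the inner quotes unescaped.
MSG='volumesnapshotcontents.snapshot.storage.k8s.io "snapcontent-b990f54d-704a-48f5-be9c-3bc52bc13683" is forbidden: User "system:serviceaccount:system:synology-csi-snapshotter" cannot patch resource "volumesnapshotcontents" in API group "snapshot.storage.k8s.io" at the cluster scope'

# Drop the backslashes that "kubectl describe" shows before nested quotes.
unescape() { printf '%s\n' "$1" | tr -d '\\'; }

# Print "user verb resource [group]" for an RBAC denial, or nothing if the
# text is not one. Subresources (resource/sub) are not handled here.
parse_forbidden() {
  unescape "$1" | sed -n \
    's/.*User "\([^"]*\)" cannot \([a-z]*\) resource "\([^"]*\)" in API group "\([^"]*\)".*/\1 \2 \3 \4/p'
}

# Print the impersonated access check that reproduces the denial.
can_i_command() {
  fields=$(parse_forbidden "$1")
  [ -n "$fields" ] || return 1
  ns=$(unescape "$1" | sed -n 's/.*in the namespace "\([^"]*\)".*/\1/p')
  set -- $fields                      # $1=user $2=verb $3=resource $4=group
  target=$3
  if [ -n "${4:-}" ]; then target="$3.$4"; fi
  cmd="kubectl auth can-i $2 $target --as=$1"
  if [ -n "$ns" ]; then cmd="$cmd -n $ns"; fi
  printf '%s\n' "$cmd"
}

# Print the one rule the denial asks for, for comparison with what a role grants.
minimal_rule() {
  fields=$(parse_forbidden "$1")
  [ -n "$fields" ] || return 1
  set -- $fields
  printf '  - apiGroups: ["%s"]\n    resources: ["%s"]\n    verbs: ["%s"]\n' \
    "${4:-}" "$3" "$2"
}

can_i_command "$MSG"
minimal_rule "$MSG"
```

The namespace in the `--as` value is taken from the error message (`system` here); the ServiceAccount subject in a ClusterRoleBinding has to name that same namespace for the binding to apply to this account.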
