Role and binding type for cluster scope resources issue #1

Open
valentinpelus opened this issue Apr 4, 2024 · 5 comments

Comments

@valentinpelus
Contributor

Hello :)

I have seen your presentation at KubeCon. It was very interesting and good. I found Crik interesting, was trying it myself today and I faced an issue.
If I recall correctly you are creating a Role and RoleBinding for your Helm chart on the controller part.

Shouldn't you create a ClusterRole and ClusterRoleBinding to query cluster's scoped items like nodes?

Ex:

  • For ClusterRole:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crik-node-state-server
  labels:
    app.kubernetes.io/name: crik-node-state-server
    app.kubernetes.io/part-of: crik
rules:
  # Nodes
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
```

  • For ClusterRoleBinding:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crik-node-state-server
  labels:
    app.kubernetes.io/name: crik-node-state-server
    app.kubernetes.io/part-of: crik
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crik-node-state-server
subjects:
  - kind: ServiceAccount
    name: crik-node-state-server
    namespace: default  # you attached it to a namespace because your SA is namespaced
```

But it is possible that I missed something in your README ofc

Also been facing a strange error when trying to request directly the service to check nodes health with the following curl request:

```
curl http://crik-node-state-server.default.svc.cluster.local:9376/node-state/gke-gke1-gke-pool1-a1c49759-q185
```

Same for

```
curl http://crik-node-state-server.default.svc.cluster.local:9376/nodes/gke-gke1-gke-pool1-a1c49759-q185
```

Or

```
curl http://crik-node-state-server.default.svc.cluster.local:9376/node-state
```

```
2024/04/04 22:17:48 http: panic serving 10.112.3.156:54588: runtime error: invalid memory address or nil pointer dereference
goroutine 310 [running]:
net/http.(*conn).serve.func1()
	/usr/local/go/src/net/http/server.go:1898 +0xbe
panic({0x1697b80?, 0x26ec9b0?})
	/usr/local/go/src/runtime/panic.go:770 +0x132
sync.(*RWMutex).RLock(...)
	/usr/local/go/src/sync/rwmutex.go:68
github.com/qawolf/crik/internal/controller/node.(*Server).GetNodeState(0xc0001d6084?, {0xc0001d6085?, 0x1ae6e18?})
	/workspace/internal/controller/node/server.go:61 +0x32
github.com/qawolf/crik/internal/controller/node.(*Server).ServeHTTP(0xc0001e5e00, {0x1af97f0, 0xc00010e380}, 0xc000406240)
	/workspace/internal/controller/node/server.go:86 +0x125
net/http.serverHandler.ServeHTTP({0xc0005902a0?}, {0x1af97f0?, 0xc00010e380?}, 0x6?)
	/usr/local/go/src/net/http/server.go:3137 +0x8e
net/http.(*conn).serve(0xc00013d4d0, {0x1b06b30, 0xc00048c540})
	/usr/local/go/src/net/http/server.go:2039 +0x5e8
created by net/http.(*Server).Serve in goroutine 33
	/usr/local/go/src/net/http/server.go:3285 +0x4b4
```

Do you have any idea?

@valentinpelus
Contributor Author

@muvaf did you have the opportunity to look at my issue?

If I can help :ping: :)

@muvaf
Collaborator

muvaf commented Apr 27, 2024

@valentinpelus Sorry, for some reason I didn't get notification for this issue.

> Also been facing a strange error when trying to request directly the service to check nodes health with the following curl

Fixed in #2.

> Shouldn't you create a ClusterRole and ClusterRoleBinding to query cluster's scoped items like nodes?

Yes, the node state server part was ported from an internal controller that watches nodes, seems like I missed some files. Since you already got the YAMLs written out, feel free to open a quick pull request and I can merge it as the first external contribution 🙂
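
The scoping rule confirmed above, as an added example that is not part of the thread or of the crik code base: a small Go model of RBAC evaluation showing why a Role and RoleBinding that list `nodes` grant nothing, while the ClusterRole and ClusterRoleBinding pair does. The `Rule` and `Grant` types and the `Allowed` function are hypothetical simplifications, not Kubernetes API types.

```go
package main

import "fmt"

// Constructed model of the RBAC fields that matter here; not the Kubernetes API types.
type Rule struct{ Resources, Verbs []string }

type Grant struct {
	RoleKind, BindingKind string // "Role"/"ClusterRole", "RoleBinding"/"ClusterRoleBinding"
	Subject               string // "namespace/serviceaccount"
	Rules                 []Rule
}

// Partial list of cluster-scoped core resources, enough for this example.
var clusterScoped = map[string]bool{"nodes": true, "namespaces": true, "persistentvolumes": true}

func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// Allowed reports whether subject may perform verb on resource. Cluster-scoped
// resources are reachable only through a ClusterRole bound by a ClusterRoleBinding;
// namespaced requests are assumed to target the binding's own namespace.
func Allowed(grants []Grant, subject, verb, resource string) bool {
	for _, g := range grants {
		clusterWide := g.RoleKind == "ClusterRole" && g.BindingKind == "ClusterRoleBinding"
		if g.Subject != subject || (clusterScoped[resource] && !clusterWide) {
			continue
		}
		for _, r := range g.Rules {
			if has(r.Resources, resource) && has(r.Verbs, verb) {
				return true
			}
		}
	}
	return false
}

func main() {
	sa := "default/crik-node-state-server"
	rules := []Rule{{[]string{"nodes"}, []string{"get", "list", "watch"}}}
	fmt.Println("Role + RoleBinding:", Allowed([]Grant{{"Role", "RoleBinding", sa, rules}}, sa, "list", "nodes"))
	fmt.Println("ClusterRole + ClusterRoleBinding:", Allowed([]Grant{{"ClusterRole", "ClusterRoleBinding", sa, rules}}, sa, "list", "nodes"))
}
```

On a live cluster the same question can be asked of the API server with `kubectl auth can-i list nodes --as=system:serviceaccount:default:crik-node-state-server`.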

@valentinpelus
Contributor Author

Hello @muvaf with pleasure ofc and thank you for your answer and the ref to your PR to address the second problem :)

The PR is ready at my side but seems I'm not able to push my branch into your repository. Do I have to be entitled to contribute?

Thank you in advance for your help :)

@muvaf
Collaborator

muvaf commented Apr 28, 2024

> The PR is ready at my side but seems I'm not able to push my branch into your repository.

@valentinpelus You can fork the repository and push to a branch in your fork and then open a PR with that branch of yours. Here are GitHub's more detailed instructions.

@valentinpelus
Contributor Author

Oh damned my bad :/

It's all done :)
