RBAC for CSI NFS attacher does not provide needed access for resource "volumeattachments/status" #336

aavarghese · 2024-03-06T21:02:04Z

Error below seen in pod csi-attacher-nfsplugin-0 when creating an NFS Dataset.

I0306 20:50:18.008574       1 round_trippers.go:435] curl -v -XPATCH  -H "Content-Type: application/merge-patch+json" -H "User-Agent: csi-attacher/v0.0.0 (linux/amd64) kubernetes/$Format" -H "Accept: application/json, */*" -H "Authorization: Bearer <masked>" 'https://10.96.0.1:443/apis/storage.k8s.io/v1/volumeattachments/csi-7e6c50e417c19067c5a2c953bcb7463aece946ea95e18b644650ba9d7807b63c/status'
I0306 20:50:18.010396       1 round_trippers.go:454] PATCH https://10.96.0.1:443/apis/storage.k8s.io/v1/volumeattachments/csi-7e6c50e417c19067c5a2c953bcb7463aece946ea95e18b644650ba9d7807b63c/status 403 Forbidden in 1 milliseconds
I0306 20:50:18.010468       1 request.go:1181] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"volumeattachments.storage.k8s.io \"csi-7e6c50e417c19067c5a2c953bcb7463aece946ea95e18b644650ba9d7807b63c\" is forbidden: User \"system:serviceaccount:jaas-system-avarghese:csi-attacher-nfs\" cannot patch resource \"volumeattachments/status\" in API group \"storage.k8s.io\" at the cluster scope","reason":"Forbidden","details":{"name":"csi-7e6c50e417c19067c5a2c953bcb7463aece946ea95e18b644650ba9d7807b63c","group":"storage.k8s.io","kind":"volumeattachments"},"code":403}
W0306 20:50:18.010555       1 trivial_handler.go:57] Error saving VolumeAttachment csi-7e6c50e417c19067c5a2c953bcb7463aece946ea95e18b644650ba9d7807b63c as attached: volumeattachments.storage.k8s.io "csi-7e6c50e417c19067c5a2c953bcb7463aece946ea95e18b644650ba9d7807b63c" is forbidden: User "system:serviceaccount:jaas-system-avarghese:csi-attacher-nfs" cannot patch resource "volumeattachments/status" in API group "storage.k8s.io" at the cluster scope

Fix: Needs resource "volumeattachments/status" added to

datashim/src/csi-driver-nfs/chart/templates/csi-attacher-rbac.yaml

Lines 26 to 28 in c5f0a2d

    
           - apiGroups: ["storage.k8s.io"] 
        
             resources: ["volumeattachments"] 
        
             verbs: ["get", "list", "watch", "update", "patch"]

/cc @srikumar003 @starpit

The text was updated successfully, but these errors were encountered:

srikumar003 · 2024-03-06T21:22:58Z

Thanks @aavarghese! We'll have a PR to address it

srikumar003 added bug Something isn't working nfs Issues relating to NFS support in Datashim labels Mar 6, 2024

srikumar003 mentioned this issue Mar 8, 2024

Pod in Pending state, NFS share not attaching #338

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RBAC for CSI NFS attacher does not provide needed access for resource "volumeattachments/status" #336

RBAC for CSI NFS attacher does not provide needed access for resource "volumeattachments/status" #336

aavarghese commented Mar 6, 2024

srikumar003 commented Mar 6, 2024

RBAC for CSI NFS attacher does not provide needed access for resource "volumeattachments/status" #336

RBAC for CSI NFS attacher does not provide needed access for resource "volumeattachments/status" #336

Comments

aavarghese commented Mar 6, 2024

srikumar003 commented Mar 6, 2024