client-keystone-auth is strictly confined and cannot access files

Bug #1871669 reported by Peter Jose De Sousa
This bug affects 5 people
Affects: Charmed Kubernetes Bundles
Status: Triaged
Importance: High
Assigned to: Unassigned
Milestone: (blank)

Bug Description

Hi,

When following https://ubuntu.com/kubernetes/docs/ldap and trying to authenticate with Kubernetes, client-keystone-auth attempts to access the ca-cert defined by the OS_CACERT environment variable defined in my novarc.

The snap is currently defined as strictly confined, so it cannot access any files outside the snap despite the files' permissions.

Workaround:

snap download client-keystone-auth
sudo snap install client-keystone-auth<snapver>.snap --devmode

which makes it unconfined.

Cheers!

Peter

Tags: cpe-onsite
George Kraft (cynerva)
Changed in charmed-kubernetes-bundles:
status: New → Confirmed
George Kraft (cynerva) wrote :
George Kraft (cynerva)
Changed in charmed-kubernetes-bundles:
importance: Undecided → Medium
status: Confirmed → Triaged
Jeff Hillman (jhillman)
tags: added: cpe-onsite
George Kraft (cynerva)
Changed in charmed-kubernetes-bundles:
importance: Medium → High
Vladimir Grevtsev (vlgrevtsev) wrote :

One more w/a is available: you can use the strictly confined snap, but the CA has to be in the /home/<USER>/snap/client-keystone-auth/ ... directory:

ubuntu@juju-41d808-k8s-3:~$ /snap/bin/client-keystone-auth --keystone-url=https://keystone.orangebox84.ru:5000/v3 --domain-name=admin_domain --cacert /home/ubuntu/snap/client-keystone-auth/ca/cert.crt
Please enter user name: admin
Please enter project name: admin
Please enter password:
{
 "apiVersion": "client.authentication.k8s.io/v1beta1",
 "kind": "ExecCredential",
 "status": {
  "token": "gAAAAABfNrki1YMtVj_peMFU092fQAiUgIxSuxOoeykcjNf8U6sL1Qp-Axdw8ulJVtrw_1KzvKVAgeUjo9NDRcny_kRuXBwmXMzEvXsduyYAX5XrjGCvENHFLMk5ZGaR1jII1thf_lFc7-yTFdIFx2HvuWzMBWNpteOTz_4wRu1WDf9FvnDIBnE",
  "expirationTimestamp": "2020-08-14T17:17:38Z"
 }
}
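
The placement described in the comment above can be checked before the snap is run. This is an added example, not part of the bug report or the snap's own code: `cacert_check` and `demo` are hypothetical helper names, the directory layout built in `demo` is constructed, and the check assumes confinement is applied to the symlink-resolved path.

```shell
#!/bin/sh
# Added example, not from the bug report. Preflight check for the CA file
# (e.g. the value of OS_CACERT) before running the strictly confined snap.
SNAP_NAME="client-keystone-auth"

# cacert_check PATH [HOME_DIR]
# Prints a one-word verdict; returns 0 only when PATH, after resolving
# symlinks, is a regular file under HOME_DIR/snap/$SNAP_NAME/.
cacert_check() {
    p=$1
    home=${2:-$HOME}
    [ -n "$p" ] || { echo "unset"; return 2; }
    [ -f "$p" ] || { echo "missing"; return 2; }
    root=$(readlink -f "$home/snap/$SNAP_NAME") || { echo "no-snap-dir"; return 2; }
    real=$(readlink -f "$p") || { echo "missing"; return 2; }
    case "$real" in
        "$root"/*) echo "visible"; return 0 ;;   # inside the snap's per-user directory
        *)         echo "outside"; return 1 ;;   # anywhere else, regardless of file mode
    esac
}

# demo: builds a constructed home directory and checks four placements.
demo() {
    h=$(mktemp -d)
    mkdir -p "$h/snap/$SNAP_NAME/ca" "$h/certs"
    : > "$h/snap/$SNAP_NAME/ca/cert.crt"    # placement used in the comment above
    : > "$h/certs/ca.crt"                    # ordinary location outside the snap directory
    # Symlink stored inside the snap directory whose target lies outside it.
    ln -s "$h/certs/ca.crt" "$h/snap/$SNAP_NAME/ca/link.crt"
    for f in "$h/snap/$SNAP_NAME/ca/cert.crt" "$h/certs/ca.crt" \
             "$h/snap/$SNAP_NAME/ca/link.crt" "$h/certs/nope.crt"; do
        cacert_check "$f" "$h" || true
    done
    rm -rf "$h"
}

demo
```

The symlink case is reported as outside because a link placed in the snap directory still resolves to a file elsewhere; copying the certificate into the directory avoids that.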

Adam Dyess (addyess) wrote :

This workaround from vlgrevtsev actually works, whereas installing the snap as devmode did not.

Chris Johnston (cjohnston) wrote :

The snapcraft.yaml has been removed from the repos:

https://github.com/kubernetes/cloud-provider-openstack/issues/1128
