In K8s 1.26 RBAC policies prevent deploying metallb

Bug #2004093 reported by Andrey Grebennikov
This bug affects 1 person
Affects: MetalLB Operator
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Deploying Charmed Kubernetes 1.26/stable (control plane charm 1.26.1, worker 1.25.6).
When trying to deploy metallb-speaker and metallb-controller, after a long wait both fail with the following log in the agent:

application-metallb-speaker: 23:37:57 INFO unit.metallb-speaker/0.juju-log Running legacy hooks/install.
application-metallb-speaker: 23:38:02 INFO unit.metallb-speaker/0.juju-log Determine if k8s api supports PolicyV1/beta
application-metallb-speaker: 23:38:02 INFO unit.metallb-speaker/0.juju-log Not creating PSP, doesn't support policy_v1_beta
application-metallb-speaker: 23:38:02 INFO unit.metallb-speaker/0.juju-log Creating namespaced role with K8s API
application-metallb-speaker: 23:38:02 ERROR unit.metallb-speaker/0.juju-log Exception when calling RbacAuthorizationV1Api->create_namespaced_role.
Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-metallb-speaker-0/charm/src/utils.py", line 156, in create_namespaced_role_with_api
    api_instance.create_namespaced_role(namespace, body, pretty=True)
  File "/var/lib/juju/agents/unit-metallb-speaker-0/charm/venv/kubernetes/client/api/rbac_authorization_v1_api.py", line 274, in create_namespaced_role
    (data) = self.create_namespaced_role_with_http_info(namespace, body, **kwargs) # noqa: E501
  File "/var/lib/juju/agents/unit-metallb-speaker-0/charm/venv/kubernetes/client/api/rbac_authorization_v1_api.py", line 351, in create_namespaced_role_with_http_info
    return self.api_client.call_api(
  File "/var/lib/juju/agents/unit-metallb-speaker-0/charm/venv/kubernetes/client/api_client.py", line 340, in call_api
    return self.__call_api(resource_path, method,
  File "/var/lib/juju/agents/unit-metallb-speaker-0/charm/venv/kubernetes/client/api_client.py", line 172, in __call_api
    response_data = self.request(
  File "/var/lib/juju/agents/unit-metallb-speaker-0/charm/venv/kubernetes/client/api_client.py", line 382, in request
    return self.rest_client.POST(url,
  File "/var/lib/juju/agents/unit-metallb-speaker-0/charm/venv/kubernetes/client/rest.py", line 272, in POST
    return self.request("POST", url,
  File "/var/lib/juju/agents/unit-metallb-speaker-0/charm/venv/kubernetes/client/rest.py", line 231, in request
    raise ApiException(http_resp=r)
kubernetes.client.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': '09a32a51-f0e6-48b5-b918-0d493f5f3fb4', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '644c20cf-1845-4581-ab1a-9adde3bdc6fa', 'X-Kubernetes-Pf-Prioritylevel-Uid': 'd57ec4a9-5a2c-446b-94c6-338588739ca2', 'Date': 'Sat, 28 Jan 2023 23:38:02 GMT', 'Content-Length': '452'})
HTTP response body: {
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "roles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:metallb-system:metallb-speaker-operator\" cannot create resource \"roles\" in API group \"rbac.authorization.k8s.io\" in the namespace \"metallb-system\"",
  "reason": "Forbidden",
  "details": {
    "group": "rbac.authorization.k8s.io",
    "kind": "roles"
  },
  "code": 403
}

Andrey Grebennikov (agrebennikov) wrote :

Please disregard - didn't apply the RBAC manifest following the procedure on https://ubuntu.com/kubernetes/docs/metallb#rbac-note

Changed in operator-metallb:
status: New → Invalid
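
Added example, not part of the original report or the charm's code: a Python helper that parses a Forbidden Status body like the one in the log above into the denied subject, verb, resource and namespace, and builds the `kubectl auth can-i` command that re-tests that permission once the RBAC manifest has been applied. The function names are hypothetical and the sample body is reconstructed from the report; the pattern also covers the cluster-scope form of the message, which goes beyond the case shown here.

```python
import json
import re
import shlex

# Constructed sample: the 403 response body quoted in the report, trimmed.
SAMPLE_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "status": "Failure",
    "message": 'roles.rbac.authorization.k8s.io is forbidden: User '
               '"system:serviceaccount:metallb-system:metallb-speaker-operator" '
               'cannot create resource "roles" in API group '
               '"rbac.authorization.k8s.io" in the namespace "metallb-system"',
    "reason": "Forbidden", "code": 403,
})

# Wording the API server uses for RBAC denials (namespaced or cluster scope).
_DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)

def parse_denial(body):
    """Return the denied user/verb/resource/group/namespace, or None."""
    status = json.loads(body)
    if status.get("code") != 403 or status.get("reason") != "Forbidden":
        return None
    match = _DENIAL.search(status.get("message", ""))
    if match is None:
        return None
    denial = match.groupdict()
    # Service account usernames look like system:serviceaccount:<ns>:<name>.
    parts = denial["user"].split(":")
    is_sa = len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]
    denial["service_account"] = (parts[2], parts[3]) if is_sa else None
    return denial

def can_i_command(denial):
    """Build the kubectl command that re-tests the denied permission."""
    target = denial["resource"] + ("." + denial["group"] if denial["group"] else "")
    cmd = ["kubectl", "auth", "can-i", denial["verb"], target,
           "--as=" + denial["user"]]
    if denial["namespace"]:
        cmd += ["-n", denial["namespace"]]
    return shlex.join(cmd)

if __name__ == "__main__":
    found = parse_denial(SAMPLE_BODY)
    print(found)
    print(can_i_command(found))
```

Running the generated command as a cluster admin returns `yes` or `no`, which confirms whether the operator's service account has the permission before the charm is redeployed.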