Nova gets wrong service account
Closed this issue · 3 comments
What happened?
When I tried to log in to Kubernetes with a service account, nova failed with an error accessing secrets:
F0626 16:51:08.975361 101 root.go:272] error getting helm releases: could not detect helm 3 charts: list: failed to list: secrets is forbidden: User "system:serviceaccount:gitlab:default" cannot list resource "secrets" in API group "" at the cluster scope: Azure does not have opinion for this user.
But kubectl works as expected: I have access to the secrets.
What did you expect to happen?
nova can find obsolete Helm versions
How can we reproduce this?
Log in to Kubernetes with a service account via kubelogin and run nova find
Version
3.6.5
Can you share more details of how you are logging in via service account, and which service account you are trying to use in your command? I am not familiar with kubelogin, and we do not log in with service accounts.
We also tried to log in without kubelogin, just getting admin credentials using the following command:
az aks get-credentials --resource-group <rg_name> --name <cluster_name> --file <k8s_config_path> --admin
This is executed inside a GitLab runner. Unfortunately, we get the same error:
F0707 15:48:55.093188 134 root.go:272] error getting helm releases: could not detect helm 3 charts: list: failed to list: secrets is forbidden: User "system:serviceaccount:gitlab:default" cannot list resource "secrets" in API group "" at the cluster scope: Azure does not have opinion for this user.
Also tried to specify the name of the k8s context in nova’s config file. Got the exact same error.
OK, it looks like this is something between the Dockerfile config and nova. If I set something like this:
USER user
WORKDIR /home/user
CMD ["nova"]
this doesn't work; I get the previously mentioned error. But if I explicitly set KUBECONFIG with the full path, like
KUBECONFIG=/home/user/.kube/config
it works as expected
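A preflight check for the situation in this thread, as an added example (not code from nova or from the commenters): it reports whether an explicit kubeconfig is selected and, if not, which pod service account identity is mounted in the container. It assumes the user named in the error is the runner pod's mounted service account token at the standard in-cluster path; `SA_DIR`, `ambient_identity` and `check_kube_credentials` are hypothetical names.

```sh
#!/bin/sh
# Added example: run in the CI container before any Kubernetes client.
# SA_DIR is the standard in-cluster mount point; it is overridable so the
# check can be exercised against a constructed directory.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# Print the "sub" claim of the mounted service account token, if any.
ambient_identity() {
    [ -r "$SA_DIR/token" ] || return 1
    payload=$(cut -d. -f2 < "$SA_DIR/token" | tr '_-' '/+')
    # base64url drops padding; restore it before decoding
    while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="$payload="; done
    printf '%s' "$payload" | base64 -d 2>/dev/null |
        sed -n 's/.*"sub" *: *"\([^"]*\)".*/\1/p'
}

# Return 0 only when an explicit, readable kubeconfig is selected.
# Assumes KUBECONFIG holds a single path, not a colon-separated list.
check_kube_credentials() {
    if [ -n "${KUBECONFIG:-}" ]; then
        if [ -r "$KUBECONFIG" ]; then
            echo "explicit kubeconfig: $KUBECONFIG"; return 0
        fi
        echo "KUBECONFIG set but unreadable: $KUBECONFIG"; return 2
    fi
    if who=$(ambient_identity) && [ -n "$who" ]; then
        echo "KUBECONFIG unset; ambient pod identity available: $who"; return 3
    fi
    echo "KUBECONFIG unset; no in-cluster token found"; return 1
}
```

Calling `check_kube_credentials || exit 1` ahead of the client command makes the job fail instead of proceeding under the pod's own identity.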