FairwindsOps/nova

Nova gets wrong service account

Closed this issue · 3 comments

What happened?

When I tried to log in to Kubernetes with a service account, nova failed with an error about access to secrets:

F0626 16:51:08.975361 101 root.go:272] error getting helm releases: could not detect helm 3 charts: list: failed to list: secrets is forbidden: User "system:serviceaccount:gitlab:default" cannot list resource "secrets" in API group "" at the cluster scope: Azure does not have opinion for this user.

But kubectl works as expected; I have access to the secrets.

What did you expect to happen?

nova can find obsolete Helm versions

How can we reproduce this?

Log in to Kubernetes with a service account via kubelogin and run nova find.

Version

3.6.5

Search

  • I did search for other open and closed issues before opening this.

Code of Conduct

  • I agree to follow this project's Code of Conduct

Additional context

No response

Can you share more details of how you are logging in via service account, and which service account you are trying to use in your command? I am not familiar with kubelogin, and we do not login with service accounts.

We also tried to log in without kubelogin, just getting admin credentials using the following command:
az aks get-credentials --resource-group <rg_name> --name <cluster_name> --file <k8s_config_path> --admin

This is executed inside a GitLab runner, and unfortunately we get the same error:
F0707 15:48:55.093188 134 root.go:272] error getting helm releases: could not detect helm 3 charts: list: failed to list: secrets is forbidden: User "system:serviceaccount:gitlab:default" cannot list resource "secrets" in API group "" at the cluster scope: Azure does not have opinion for this user.

We also tried specifying the name of the k8s context in nova's config file, and got the exact same error.

OK, it looks like this is something between the Dockerfile config and nova. If I set something like this:

USER user
WORKDIR /home/user
CMD ["nova"]

this doesn't work, and I get the previously mentioned error. But if I explicitly set KUBECONFIG with the full path, like
KUBECONFIG=/home/user/.kube/config
it works as expected.
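The symptom in this thread (every run is rejected as User "system:serviceaccount:gitlab:default", even after fetching admin credentials, until KUBECONFIG is set explicitly) is what you see when a client-go based tool finds no kubeconfig and silently falls back to the pod's mounted service account. The script below is an added example, not nova's code and not from the thread: it models that lookup in a simplified form (explicit KUBECONFIG, then $HOME/.kube/config, then the in-cluster token; the exact order is an assumption, not a statement about nova's implementation) and gives a CI job a preflight step that refuses to run when the tool would act as an identity other than the one the job intended. SA_TOKEN_DIR and ALLOW_IN_CLUSTER are hypothetical knobs introduced here so the lookup can be exercised outside a pod.

```shell
#!/bin/sh
# Added example (not nova's own code): report which credentials a
# client-go based tool will pick up, and refuse to run when that is
# silently the pod service account rather than an explicit kubeconfig.
#
# Simplified model of the default lookup (assumption, not nova's code):
#   1. files listed in KUBECONFIG (colon separated)
#   2. $HOME/.kube/config
#   3. the service-account token mounted into the pod (in-cluster)
#   4. otherwise, nothing
#
# SA_TOKEN_DIR is a hypothetical override so the in-cluster branch can be
# tested outside a pod; the default is the real mount path.
SA_TOKEN_DIR="${SA_TOKEN_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# resolve_kubeconfig prints exactly one of:
#   file:<path>   the kubeconfig file that will be used
#   in-cluster    no kubeconfig found; the pod's service account is used
#   none          no credentials found at all
resolve_kubeconfig() {
    if [ -n "${KUBECONFIG:-}" ]; then
        old_ifs=$IFS
        IFS=:
        for f in $KUBECONFIG; do
            if [ -f "$f" ]; then
                IFS=$old_ifs
                echo "file:$f"
                return 0
            fi
        done
        IFS=$old_ifs
    fi
    if [ -n "${HOME:-}" ] && [ -f "$HOME/.kube/config" ]; then
        echo "file:$HOME/.kube/config"
        return 0
    fi
    if [ -f "$SA_TOKEN_DIR/token" ]; then
        echo "in-cluster"
        return 0
    fi
    echo "none"
    return 0
}

# preflight fails (non-zero) unless an explicit kubeconfig was found, or
# ALLOW_IN_CLUSTER=1 (hypothetical knob) says the pod identity is intended.
# When kubectl is available it also confirms the identity can list secrets
# cluster-wide, which is what nova needs to read Helm 3 release records.
preflight() {
    src=$(resolve_kubeconfig)
    case "$src" in
        in-cluster)
            if [ "${ALLOW_IN_CLUSTER:-0}" != "1" ]; then
                echo "refusing: no kubeconfig found, tool would run as the pod service account" >&2
                return 1
            fi
            ;;
        none)
            echo "refusing: no Kubernetes credentials found" >&2
            return 1
            ;;
    esac
    echo "using $src"
    if command -v kubectl >/dev/null 2>&1; then
        # exit status is non-zero when the answer is "no"
        kubectl auth can-i list secrets --all-namespaces
    fi
}
```

In the runner job, source this file and call preflight before nova find; with the Dockerfile shown above it fails fast in the USER/WORKDIR-only variant and passes once KUBECONFIG points at the full path.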