RBAC mismatch using provider
jeusdi opened this issue · 3 comments
jeusdi commented
I'm trying to apply a straightforward route into OpenShift. Here is my template:
apiVersion: route.openshift.io/v1
kind: Route
spec:
  port:
    targetPort: ${service_port}
  to:
    kind: Service
    name: ${service_name}
    weight: 100
The resource is:
data "template_file" "spark_ingress_template" {
  template = "${file("manifests/ingresses.yaml")}"
  vars = {
    service_name = "spark"
    service_port = 9092
  }
}
resource "k8s_manifest" "spark-ingress" {
  content   = data.template_file.spark_ingress_template.rendered
  namespace = var.namespace
}
I'm getting the following error message when I try to apply the plan:
Error: routes.route.openshift.io is forbidden: User "iotdevadm" cannot create routes.route.openshift.io in the namespace "iotdevadm": no RBAC policy matched
on main.tf line 59, in resource "k8s_manifest" "spark-ingress":
59: resource "k8s_manifest" "spark-ingress" {
The main problem here is: no RBAC policy matched.
I've tried to apply it directly:
$ kubectl apply -f ingresses-rendered.yaml
The route is created.
Here are the traces:
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: 2020/05/26 08:56:22 [DEBUG] Kubernetes API Request Details:
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: ---[ REQUEST ]---------------------------------------
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: POST /apis/route.openshift.io/v1/namespaces/iotdevadm/routes HTTP/1.1
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Host: master.si-origin-cluster.t-systems.es:8443
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: User-Agent: HashiCorp/1.0 Terraform/0.12.25
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Content-Length: 166
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Accept: application/json
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Authorization: Bearer Wp6jF3lFnnfMV6mN0llIOPUAUdO03DvfzCjKucBzoNU
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Accept-Encoding: gzip
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: {
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "apiVersion": "route.openshift.io/v1",
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "kind": "Route",
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "metadata": {
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "namespace": "iotdevadm"
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: },
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "spec": {
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "port": {
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "targetPort": 9092
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: },
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "to": {
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "kind": "Service",
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "name": "spark"
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: }
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: }
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: }
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: -----------------------------------------------------
After that:
2020/05/26 08:56:22 [DEBUG] k8s_manifest.spark-ingress: apply errored, but we're indicating that via the Error pointer rather than returning it: routes.route.openshift.io is forbidden: User "iotdevadm" cannot create routes.route.openshift.io in the namespace "iotdevadm": no RBAC policy matched
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalMaybeTainted
2020/05/26 08:56:22 [TRACE] EvalMaybeTainted: k8s_manifest.spark-ingress encountered an error during creation, so it is now marked as tainted
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalWriteState
2020/05/26 08:56:22 [TRACE] EvalWriteState: removing state object for k8s_manifest.spark-ingress
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalApplyProvisioners
2020/05/26 08:56:22 [TRACE] EvalApplyProvisioners: k8s_manifest.spark-ingress has no state, so skipping provisioners
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalMaybeTainted
2020/05/26 08:56:22 [TRACE] EvalMaybeTainted: k8s_manifest.spark-ingress encountered an error during creation, so it is now marked as tainted
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalWriteState
2020/05/26 08:56:22 [TRACE] EvalWriteState: removing state object for k8s_manifest.spark-ingress
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalIf
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalIf
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalWriteDiff
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalApplyPost
2020/05/26 08:56:22 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: routes.route.openshift.io is forbidden: User "iotdevadm" cannot create routes.route.openshift.io in the namespace "iotdevadm": no RBAC policy matched
2020/05/26 08:56:22 [ERROR] <root>: eval: *terraform.EvalSequence, err: routes.route.openshift.io is forbidden: User "iotdevadm" cannot create routes.route.openshift.io in the namespace "iotdevadm": no RBAC policy matched
2020/05/26 08:56:22 [TRACE] [walkApply] Exiting eval tree: k8s_manifest.spark-ingress
2020/05/26 08:56:22 [TRACE] vertex "k8s_manifest.spark-ingress": visit complete
2020/05/26 08:56:22 [TRACE] dag/walk: upstream of "provider.k8s (close)" errored, so skipping
2020/05/26 08:56:22 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2020/05/26 08:56:22 [TRACE] dag/walk: upstream of "root" errored, so skipping
2020/05/26 08:56:22 [TRACE] statemgr.Filesystem: not making a backup, because the new snapshot is identical to the old
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: 2020/05/26 08:56:22 [DEBUG] Kubernetes API Response Details:
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: ---[ RESPONSE ]--------------------------------------
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: HTTP/2.0 403 Forbidden
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Content-Length: 324
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Cache-Control: no-store
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Content-Type: application/json
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Date: Tue, 26 May 2020 06:56:24 GMT
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: X-Content-Type-Options: nosniff
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: {
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "kind": "Status",
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "apiVersion": "v1",
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "metadata": {},
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "status": "Failure",
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "message": "routes.route.openshift.io is forbidden: User \"iotdevadm\" cannot create routes.route.openshift.io in the namespace \"iotdevadm\": no RBAC policy matched",
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "reason": "Forbidden",
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "details": {
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "group": "route.openshift.io",
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "kind": "routes"
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: },
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "code": 403
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: }
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: -----------------------------------------------------
2020/05/26 08:56:22 [TRACE] statemgr.Filesystem: no state changes since last snapshot
2020/05/26 08:56:22 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2020/05/26 08:56:22 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2020/05/26 08:56:22 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
Error: routes.route.openshift.io is forbidden: User "iotdevadm" cannot create routes.route.openshift.io in the namespace "iotdevadm": no RBAC policy matched
on main.tf line 59, in resource "k8s_manifest" "spark-ingress":
59: resource "k8s_manifest" "spark-ingress" {
2020-05-26T08:56:22.145+0200 [DEBUG] plugin: plugin process exited: path=/home/jeusdi/.terraform.d/plugins/terraform-provider-k8s_v0.7.7 pid=5043
2020-05-26T08:56:22.146+0200 [DEBUG] plugin: plugin exited
bonifaido commented
Are you using the same kubeconfig for terraform and kubectl?
jeusdi commented
Sorry. It was my fault.
I've just realized a miswriting in my code!
Sorry!!!
bonifaido commented
No problem, are we free to close this?
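The kubeconfig question raised in this thread can be checked starting from the 403 response itself. The following is an added example, not code from the issue or from the provider: it parses the Status body shown in the trace and builds the matching `kubectl auth can-i` command and a SubjectAccessReview object; the function names are hypothetical.

```python
import json
import re

# Sample input: the Status body of the 403 response in the trace, embedded to run offline.
STATUS_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": 'routes.route.openshift.io is forbidden: User "iotdevadm" cannot '
               'create routes.route.openshift.io in the namespace "iotdevadm": '
               'no RBAC policy matched',
    "reason": "Forbidden",
    "details": {"group": "route.openshift.io", "kind": "routes"},
    "code": 403,
})

# The namespace clause is optional because cluster-scoped denials omit it.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>\S+)'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)

def parse_forbidden(body):
    """Extract who was denied what from a Kubernetes 403 Status object."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        raise ValueError("not a 403 Status object")
    m = FORBIDDEN_RE.search(status.get("message", ""))
    if m is None:
        raise ValueError("unrecognised forbidden message")
    details = status.get("details") or {}
    return {
        "user": m["user"],
        "verb": m["verb"],
        "group": details.get("group", ""),
        # In Status.details, "kind" carries the plural resource name.
        "resource": details.get("kind") or m["resource"].split(".", 1)[0],
        "namespace": m["namespace"] or "",
    }

def can_i_command(denied):
    """Command that asks the API server the same question as the current kubectl user."""
    resource = denied["resource"] + ("." + denied["group"] if denied["group"] else "")
    cmd = ["kubectl", "auth", "can-i", denied["verb"], resource]
    return cmd + ["-n", denied["namespace"]] if denied["namespace"] else cmd

def subject_access_review(denied):
    """SubjectAccessReview asking whether the user named in the 403 is allowed."""
    attrs = {k: denied[k] for k in ("namespace", "verb", "group", "resource")}
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
            "spec": {"user": denied["user"], "resourceAttributes": attrs}}
```

If the generated command answers `yes` under the kubeconfig that kubectl uses while Terraform still receives the 403, the two clients are not sending the same identity or the same request.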