banzaicloud/terraform-provider-k8s

RBAC mismatch using provider

jeusdi opened this issue · 3 comments

I'm trying to apply a straightforward route into OpenShift. Here is my template:

apiVersion: route.openshift.io/v1
kind: Route
spec:
    port:
      targetPort: ${service_port}
    to:
      kind: Service
      name: ${service_name}
      weight: 100

The resource is:

data "template_file" "spark_ingress_template" {
    template = "${file("manifests/ingresses.yaml")}"

    vars = {
        service_name = "spark"
        service_port = 9092
    }
}

resource "k8s_manifest" "spark-ingress" {
    content = data.template_file.spark_ingress_template.rendered
    namespace = var.namespace
}

I'm getting the following error message when I try to apply the plan:

Error: routes.route.openshift.io is forbidden: User "iotdevadm" cannot create routes.route.openshift.io in the namespace "iotdevadm": no RBAC policy matched

  on main.tf line 59, in resource "k8s_manifest" "spark-ingress":
  59: resource "k8s_manifest" "spark-ingress" {

The main problem here is: no RBAC policy matched.

I've tried to apply it directly:

$ kubectl apply -f ingresses-rendered.yaml

The route is created.

Here are the traces:

2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: 2020/05/26 08:56:22 [DEBUG] Kubernetes API Request Details:
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: ---[ REQUEST ]---------------------------------------
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: POST /apis/route.openshift.io/v1/namespaces/iotdevadm/routes HTTP/1.1
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Host: master.si-origin-cluster.t-systems.es:8443
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: User-Agent: HashiCorp/1.0 Terraform/0.12.25
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Content-Length: 166
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Accept: application/json
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Authorization: Bearer Wp6jF3lFnnfMV6mN0llIOPUAUdO03DvfzCjKucBzoNU
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Accept-Encoding: gzip
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: 
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: {
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  "apiVersion": "route.openshift.io/v1",
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  "kind": "Route",
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  "metadata": {
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:   "namespace": "iotdevadm"
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  },
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  "spec": {
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:   "port": {
2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:    "targetPort": 9092
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:   },
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:   "to": {
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:    "kind": "Service",
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:    "name": "spark"
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:   }
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  }
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: }
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: 
2020-05-26T08:56:22.051+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: -----------------------------------------------------

After that:

2020/05/26 08:56:22 [DEBUG] k8s_manifest.spark-ingress: apply errored, but we're indicating that via the Error pointer rather than returning it: routes.route.openshift.io is forbidden: User "iotdevadm" cannot create routes.route.openshift.io in the namespace "iotdevadm": no RBAC policy matched
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalMaybeTainted
2020/05/26 08:56:22 [TRACE] EvalMaybeTainted: k8s_manifest.spark-ingress encountered an error during creation, so it is now marked as tainted
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalWriteState
2020/05/26 08:56:22 [TRACE] EvalWriteState: removing state object for k8s_manifest.spark-ingress
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalApplyProvisioners
2020/05/26 08:56:22 [TRACE] EvalApplyProvisioners: k8s_manifest.spark-ingress has no state, so skipping provisioners
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalMaybeTainted
2020/05/26 08:56:22 [TRACE] EvalMaybeTainted: k8s_manifest.spark-ingress encountered an error during creation, so it is now marked as tainted
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalWriteState
2020/05/26 08:56:22 [TRACE] EvalWriteState: removing state object for k8s_manifest.spark-ingress
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalIf
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalIf
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalWriteDiff
2020/05/26 08:56:22 [TRACE] <root>: eval: *terraform.EvalApplyPost
2020/05/26 08:56:22 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: routes.route.openshift.io is forbidden: User "iotdevadm" cannot create routes.route.openshift.io in the namespace "iotdevadm": no RBAC policy matched
2020/05/26 08:56:22 [ERROR] <root>: eval: *terraform.EvalSequence, err: routes.route.openshift.io is forbidden: User "iotdevadm" cannot create routes.route.openshift.io in the namespace "iotdevadm": no RBAC policy matched
2020/05/26 08:56:22 [TRACE] [walkApply] Exiting eval tree: k8s_manifest.spark-ingress
2020/05/26 08:56:22 [TRACE] vertex "k8s_manifest.spark-ingress": visit complete
2020/05/26 08:56:22 [TRACE] dag/walk: upstream of "provider.k8s (close)" errored, so skipping
2020/05/26 08:56:22 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2020/05/26 08:56:22 [TRACE] dag/walk: upstream of "root" errored, so skipping
2020/05/26 08:56:22 [TRACE] statemgr.Filesystem: not making a backup, because the new snapshot is identical to the old
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: 2020/05/26 08:56:22 [DEBUG] Kubernetes API Response Details:
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: ---[ RESPONSE ]--------------------------------------
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: HTTP/2.0 403 Forbidden
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Content-Length: 324
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Cache-Control: no-store
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Content-Type: application/json
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: Date: Tue, 26 May 2020 06:56:24 GMT
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: X-Content-Type-Options: nosniff
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: 
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: {
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  "kind": "Status",
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  "apiVersion": "v1",
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  "metadata": {},
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  "status": "Failure",
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  "message": "routes.route.openshift.io is forbidden: User \"iotdevadm\" cannot create routes.route.openshift.io in the namespace \"iotdevadm\": no RBAC policy matched",
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  "reason": "Forbidden",
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  "details": {
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:   "group": "route.openshift.io",
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:   "kind": "routes"
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  },
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7:  "code": 403
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: }
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: 
2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: -----------------------------------------------------
2020/05/26 08:56:22 [TRACE] statemgr.Filesystem: no state changes since last snapshot
2020/05/26 08:56:22 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2020/05/26 08:56:22 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2020/05/26 08:56:22 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock

Error: routes.route.openshift.io is forbidden: User "iotdevadm" cannot create routes.route.openshift.io in the namespace "iotdevadm": no RBAC policy matched

  on main.tf line 59, in resource "k8s_manifest" "spark-ingress":
  59: resource "k8s_manifest" "spark-ingress" {


2020-05-26T08:56:22.145+0200 [DEBUG] plugin: plugin process exited: path=/home/jeusdi/.terraform.d/plugins/terraform-provider-k8s_v0.7.7 pid=5043
2020-05-26T08:56:22.146+0200 [DEBUG] plugin: plugin exited

Are you using the same kubeconfig for terraform and kubectl?

Sorry. It was my fault.

I've just realized there is a miswriting in my code!

Sorry!!!

No problem, are we free to close this?
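
An added example (not part of the issue thread or the provider's code): provider debug output like the trace in this issue includes the `Authorization: Bearer` header, so this Python helper redacts it before a trace is shared, and turns each logged API request line into the matching `kubectl auth can-i` check so the same permission can be tested under the kubeconfig each tool uses. The sample log is constructed (placeholder token) and the function names are assumptions.

```python
import re

# Constructed sample shaped like the provider's DEBUG output; the token is a placeholder.
SAMPLE_LOG = (
    "2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "
    "POST /apis/route.openshift.io/v1/namespaces/iotdevadm/routes HTTP/1.1\n"
    "2020-05-26T08:56:22.020+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "
    "Authorization: Bearer EXAMPLE-TOKEN-NOT-REAL\n"
    "2020-05-26T08:56:22.119+0200 [DEBUG] plugin.terraform-provider-k8s_v0.7.7: "
    "HTTP/2.0 403 Forbidden\n"
)

BEARER = re.compile(r"(Authorization:\s*Bearer\s+)\S+", re.IGNORECASE)
REQUEST = re.compile(r"\b(GET|POST|PUT|PATCH|DELETE) (/apis?/[^/\s]\S*) HTTP/")
VERBS = {"POST": "create", "PUT": "update", "PATCH": "patch", "DELETE": "delete"}


def redact(log_text):
    """Replace bearer tokens so the trace can be pasted into a public issue."""
    return BEARER.sub(r"\1[REDACTED]", log_text)


def can_i_commands(log_text):
    """Build one `kubectl auth can-i` check per API request found in the log."""
    commands = []
    for method, path in REQUEST.findall(log_text):
        parts = path.split("?")[0].strip("/").split("/")
        # /api/<version>/... is the core group; /apis/<group>/<version>/... is a named group.
        group, rest = ("", parts[2:]) if parts[0] == "api" else (parts[1], parts[3:])
        namespace = None
        if len(rest) >= 3 and rest[0] == "namespaces":
            namespace, rest = rest[1], rest[2:]
        if not rest:
            continue  # discovery request, no resource to check
        resource, named = rest[0], len(rest) > 1
        verb = VERBS.get(method, "get" if named else "list")
        target = f"{resource}.{group}" if group else resource
        cmd = f"kubectl auth can-i {verb} {target}"
        if namespace:
            cmd += f" --namespace {namespace}"
        commands.append(cmd)
    return commands


if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
    for command in can_i_commands(SAMPLE_LOG):
        print(command)
```

Running the generated command once with the kubeconfig Terraform's provider is configured with and once with the one `kubectl` uses shows whether both resolve to an identity that holds the permission.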