box/kube-iptables-tailer

Update the ClusterRole in demo/daemonset.yaml to allow creating Events

ivanfetch opened this issue · 0 comments

The ClusterRole in demo/daemonset.yaml does not allow Events to be created. This causes the following kube-iptables-tailer error:

E0828 01:46:25.194683       1 event.go:203] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"test-b4dd57c68-jx9xk.162f4b4c9eba9a10", GenerateName:"", Namespace:"test", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Initializers:(*v1.Initializers)(nil), Finalizers:[]string(nil), ClusterName:""}, InvolvedObject:v1.ObjectReference{Kind:"Pod", Namespace:"test", Name:"test-b4dd57c68-jx9xk", UID:"362e4f30-e1d1-4990-91a4-4003114647ec", APIVersion:"v1", ResourceVersion:"16813", FieldPath:""}, Reason:"PacketDrop", Message:"Packet dropped when sending traffic to 1.2.3.4 on port 80/TCP", Source:v1.EventSource{Component:"kube-iptables-tailer", Host:""}, FirstTimestamp:v1.Time{Time:time.Time{wall:0xbfca365c4b787010, ext:84567187309, loc:(*time.Location)(0x1b61320)}}, LastTimestamp:v1.Time{Time:time.Time{wall:0xbfca365c4b787010, ext:84567187309, loc:(*time.Location)(0x1b61320)}}, Count:1, Type:"Warning", EventTime:v1.MicroTime{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:kube-system:kube-iptables-tailer" cannot create resource "events" in API group "" in the namespace "test"' (will not retry!)

I would update the ClusterRole, as shown in this diff:

    - apiGroups: ["v1"]
      resources: ["pods"]
      verbs: ["get", "list", "watch"]
+   - apiGroups: [""]
+     resources: ["events"]
+     verbs: ["create"]
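Review bot: the added `verbs: ["create"]` line covers only the first occurrence of an event. The client-go event recorder that logged the error above (event.go) updates an existing Event with a patch request when the same PacketDrop repeats and its Count increases, so `verbs: ["create", "patch"]` would avoid a second "forbidden" error on repeats. Separately, the unchanged context rule for pods uses `apiGroups: ["v1"]`. Pods, like events, belong to the core API group, which RBAC writes as `""` (the error message itself reports API group ""), so that line likely needs the same value for the get/list/watch grant to match anything.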