Leader Elector: endpoints "example" is forbidden.

Question

Leader Elector: endpoints "example" is forbidden.

naeemrashid opened this issue 6 years ago · 3 comments

I tried to run leader elector but failing with crashLoopbackOff.
Logs show the output of

kubectl logs -f leader-elector-765897d8db-86cxw
F0918 09:07:53.969034       6 main.go:108] failed to create election: endpoints "example" is forbidden: User "system:serviceaccount:default:default" cannot get endpoints in the namespace "default"

Is this something related to RBAC.

kubernetes version: v1.10.0

Answer 1 · 2018-10-16T06:18:14.000Z

I also fail with

F1016 14:11:08.905463 8 main.go:108] failed to create election: endpoints "example" is forbidden: User "system:serviceaccount:default:default" cannot get endpoints in the namespace "default"

Answer 2 · 2018-10-16T06:34:15.000Z

`apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: fabric8-rbac
subjects:

kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io`
==========================================
This helped me.. In my case am using different namespace to create endpoint / using leader elector there. Modifined according to my requirement. But if we want default namespace .. we can use above YAML.

Source : fabric8io/fabric8#6840 (comment)

Answer 3 · 2018-10-17T20:23:58.000Z

using cluster-admin is not a recommend approach, I have added RBAC rules for endpoints to get it working.


apiVersion: v1
kind: ServiceAccount
metadata:
  name: leader-elector
  namespace: default

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: leader-elector
rules:
- apiGroups:
  - ""
  - "extensions"
  resources:
  - endpoints
  verbs:
  - create
  - delete
  - get
  - patch
  - update
  resources:
  - namespaces
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: leader-elector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: leader-elector
subjects:
- kind: ServiceAccount
# note: the cluster role binding needs to be defined
# for every namespace the operator service account lives in.
  name: leader-elector
  namespace: default