error retrieving resource lock default/iscsi-targetd: endpoints "iscsi-targetd" is forbidden: User "system:serviceaccount:default:iscsi-provisioner" cannot get resource "endpoints" in API group "" in the namespace "default"
ArturBumbu opened this issue · 2 comments
Followed instructions (https://github.com/kubernetes-incubator/external-storage/tree/master/iscsi/targetd/kubernetes), applied RBAC yaml. But getting this in the iscsi-targetd logs:
```
time="2020-05-06T12:36:46Z" level=debug msg="targed URL http://admin:ciao@192.168.1.190:18700/targetrpc"
time="2020-05-06T12:36:46Z" level=debug msg="iscsi provisioner created"
time="2020-05-06T12:36:46Z" level=debug msg="iscsi controller created, running forever..."
ERROR: logging before flag.Parse: I0506 12:36:46.974668 1 leaderelection.go:187] attempting to acquire leader lease default/iscsi-targetd...
ERROR: logging before flag.Parse: E0506 12:36:46.975808 1 leaderelection.go:252] error retrieving resource lock default/iscsi-targetd: endpoints "iscsi-targetd" is forbidden: User "system:serviceaccount:default:iscsi-provisioner" cannot get resource "endpoints" in API group "" in the namespace "default"
ERROR: logging before flag.Parse: E0506 12:36:50.428116 1 leaderelection.go:252] error retrieving resource lock default/iscsi-targetd: endpoints "iscsi-targetd" is forbidden: User "system:serviceaccount:default:iscsi-provisioner" cannot get resource "endpoints" in API group "" in the namespace "default"
```
Deployed into default namespace.
Any help is much appreciated!
I had this same error. It's a permission problem for the Service Account you created. I temporarily worked around the issue by creating a new role with wildcard privileges and then binding the role to the Service Account in the iscsi-provisioner project. Hope this helps you get by this error temporarily. I've been roadblocked getting it to actually provision a PVC for a few hours now...
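```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: choose-a-role-name-here
  namespace: iscsi-provisioner
rules:
  # Wildcards: every verb on every resource in every API group, within this namespace
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
```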
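Added example, not part of the comment above or of the project's manifests: a Role and RoleBinding scoped to the one object the log says is forbidden, as a narrower alternative to the wildcard Role. The namespace (`default`), ServiceAccount (`iscsi-provisioner`) and lock name (`iscsi-targetd`) are taken from the error message; the Role and RoleBinding names are hypothetical, and the verb set (`get`, `create`, `update`) is an assumption about what an Endpoints-based leader-election lock needs.

```yaml
# Added example. Covers only the leader-election lock from the error message;
# the provisioner's other permissions (PVs, PVCs, ...) are out of scope here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: iscsi-provisioner-leader-lock   # hypothetical name
  namespace: default                    # namespace named in the error
rules:
  # "create" cannot be narrowed with resourceNames, because the object name
  # is not available to the authorizer on a create request.
  - apiGroups: [""]                     # core API group, as in the error
    resources: ["endpoints"]
    verbs: ["create"]
  # Read and update only the lock object itself (assumed verb set).
  - apiGroups: [""]
    resources: ["endpoints"]
    resourceNames: ["iscsi-targetd"]    # lock name from "default/iscsi-targetd"
    verbs: ["get", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: iscsi-provisioner-leader-lock   # hypothetical name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: iscsi-provisioner             # from system:serviceaccount:default:iscsi-provisioner
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: iscsi-provisioner-leader-lock
# Verify after applying:
#   kubectl auth can-i get endpoints/iscsi-targetd -n default \
#     --as=system:serviceaccount:default:iscsi-provisioner
# The same check against another resource, e.g. "get secrets", should answer "no"
# unless some other binding grants it.
```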
Thanks for reporting the issue!
This repo is no longer being maintained and we are in the process of archiving this repo. Please see kubernetes/org#1563 for more details.
If your issue relates to nfs provisioners, please create a new issue in https://github.com/kubernetes-sigs/nfs-ganesha-server-and-external-provisioner or https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner.
Going to close this issue in order to archive this repo. Apologies for the churn and thanks for your patience! 🙏