Comments (6)
I have the same issue. As a workaround I extended the ClusterRoleBinding csi-resizer-binding in the csi-controller.yaml manifest by the csi-vcd-node-sa ServiceAccount:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-resizer-binding
subjects:
  - kind: ServiceAccount
    name: csi-vcd-controller-sa
    namespace: kube-system
  - kind: ServiceAccount
    name: csi-vcd-node-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: csi-resizer-role
  apiGroup: rbac.authorization.k8s.io
After that the csi-resizer could list the resources:
csi-vcd-nodeplugin-2tfhc csi-resizer I0502 13:43:08.475791 1 reflector.go:255] Listing and watching *v1.Pod from k8s.io/client-go/informers/factory.go:134
csi-vcd-nodeplugin-2tfhc csi-resizer I0502 13:43:09.879953 1 reflector.go:255] Listing and watching *v1.PersistentVolumeClaim from k8s.io/client-go/informers/factory.go:134
csi-vcd-nodeplugin-2tfhc csi-resizer I0502 13:43:11.936945 1 reflector.go:255] Listing and watching *v1.PersistentVolume from k8s.io/client-go/informers/factory.go:134
from cloud-director-named-disk-csi-driver.
@0hlov3 @vitality411 could you delete and recreate the resources? Such as:
kubectl delete -f https://raw.githubusercontent.com/vmware/cloud-director-named-disk-csi-driver/1.6.0/manifests/csi-controller.yaml
kubectl apply -f https://raw.githubusercontent.com/vmware/cloud-director-named-disk-csi-driver/1.6.0/manifests/csi-controller.yaml
That should delete the old role and recreate a new one.
from cloud-director-named-disk-csi-driver.
Okay, but it seems that the csi-resizer is in https://github.com/vmware/cloud-director-named-disk-csi-driver/blob/1.6.0/manifests/csi-node.yaml and the csi-nodes are not using the Roles from csi-controller, they are using this Role:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-nodeplugin-role
rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
But I will go ahead and give it a try later.
from cloud-director-named-disk-csi-driver.
@arunmk does not work for me:
csi-vcd-nodeplugin-7s4tr csi-resizer I0503 05:28:11.488060 1 reflector.go:255] Listing and watching *v1.PersistentVolumeClaim from k8s.io/client-go/informers/factory.go:134
csi-vcd-nodeplugin-7s4tr csi-resizer W0503 05:28:11.490523 1 reflector.go:324] k8s.io/client-go/informers/factory.go:134: failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:csi-vcd-node-sa" cannot list resource "persistentvolumeclaims" in API group "" at the cluster scope
csi-vcd-nodeplugin-7s4tr csi-resizer E0503 05:28:11.490551 1 reflector.go:138] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.PersistentVolumeClaim: failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:csi-vcd-node-sa" cannot list resource "persistentvolumeclaims" in API group "" at the cluster scope
from cloud-director-named-disk-csi-driver.
@vitality411 the same should be done with the node manifest also. A delete and reapply. Did you hit the error after doing that?
from cloud-director-named-disk-csi-driver.
@arunmk Yes, same issue:
csi-vcd-nodeplugin-24z9g csi-resizer I0506 05:14:33.490748 1 reflector.go:255] Listing and watching *v1.Pod from k8s.io/client-go/informers/factory.go:134
csi-vcd-nodeplugin-24z9g csi-resizer W0506 05:14:33.491907 1 reflector.go:324] k8s.io/client-go/informers/factory.go:134: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:csi-vcd-node-sa" cannot list resource "pods" in API group "" at the cluster scope
csi-vcd-nodeplugin-24z9g csi-resizer E0506 05:14:33.491927 1 reflector.go:138] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:csi-vcd-node-sa" cannot list resource "pods" in API group "" at the cluster scope
IMHO the issue is obvious. The csi-vcd-nodeplugin DaemonSet is using the csi-vcd-node-sa ServiceAccount. The ClusterRoleBinding csi-nodeplugin-binding binds the ServiceAccount csi-vcd-node-sa to the ClusterRole csi-nodeplugin-role which only allows access to events resources.
from cloud-director-named-disk-csi-driver.
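The diagnosis in the last comment can be checked mechanically. The following is an added example, not part of the thread or of the driver's code: it parses the "is forbidden" lines quoted above and reports which denied requests the quoted csi-nodeplugin-role rules do not cover. The function names (parse_denials, allows, missing_rules) are hypothetical; the log lines and the role rules are copied from the thread.

```python
import re
from collections import defaultdict

# Log lines copied from the thread (W and E lines repeat the same denial).
SAMPLE_LOG = '''\
csi-vcd-nodeplugin-7s4tr csi-resizer W0503 05:28:11.490523 1 reflector.go:324] k8s.io/client-go/informers/factory.go:134: failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:csi-vcd-node-sa" cannot list resource "persistentvolumeclaims" in API group "" at the cluster scope
csi-vcd-nodeplugin-7s4tr csi-resizer E0503 05:28:11.490551 1 reflector.go:138] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.PersistentVolumeClaim: failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:csi-vcd-node-sa" cannot list resource "persistentvolumeclaims" in API group "" at the cluster scope
csi-vcd-nodeplugin-24z9g csi-resizer I0506 05:14:33.490748 1 reflector.go:255] Listing and watching *v1.Pod from k8s.io/client-go/informers/factory.go:134
csi-vcd-nodeplugin-24z9g csi-resizer W0506 05:14:33.491907 1 reflector.go:324] k8s.io/client-go/informers/factory.go:134: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:csi-vcd-node-sa" cannot list resource "pods" in API group "" at the cluster scope
'''

# Rules of csi-nodeplugin-role as quoted in the thread.
NODE_ROLE_RULES = [{"apiGroups": [""], "resources": ["events"],
                    "verbs": ["get", "list", "watch", "create", "update", "patch"]}]

DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\S+) '
    r'resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)"')

def parse_denials(log):
    """Return the distinct (serviceaccount, apiGroup, resource, verb) tuples denied."""
    return {(f"{m['ns']}/{m['sa']}", m["group"], m["res"], m["verb"])
            for m in DENIAL.finditer(log)}

def allows(rules, group, resource, verb):
    """RBAC rule match, honouring the '*' wildcard in each field."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return any(hit(r["apiGroups"], group) and hit(r["resources"], resource)
               and hit(r["verbs"], verb) for r in rules)

def missing_rules(log, rules):
    """Map each service account to the denied requests the given rules do not cover."""
    gaps = defaultdict(list)
    for sa, group, resource, verb in sorted(parse_denials(log)):
        if not allows(rules, group, resource, verb):
            gaps[sa].append((group, resource, verb))
    return dict(gaps)

if __name__ == "__main__":
    for sa, gaps in missing_rules(SAMPLE_LOG, NODE_ROLE_RULES).items():
        for group, resource, verb in gaps:
            print(f"{sa}: needs {verb} on {resource} (apiGroup {group!r})")
```

The output lists only the verbs that were actually denied; the "Listing and watching" lines in the thread show the informer also watches these resources. On a live cluster the same question can be asked with `kubectl auth can-i list pods --as=system:serviceaccount:kube-system:csi-vcd-node-sa`.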