Spurious access to deployment.extensions API from deployments.apps
Describe the bug
This is an issue that is really puzzling me.
In the Keycloak operator, only when deploying it with OLM this call:

    client
        .apps()
        .deployments()
        .inNamespace(getNamespace())
        .withName(getName())
        .get();

throws an exception:

    cannot get resource "deployments" in API group "extensions"

We are not giving such permissions but the very same docker image deployed without OLM works without any issue.
I checked the environment variables, and, as far as I can tell, there are no differences.
Is the openshift-client doing any additional call to extensions.deployments in case it detects some specific CRDs?
I’m running out of ideas and any help in debugging this issue is very welcome 🙏.
Fabric8 Kubernetes Client version
other (please specify in additional context)
Steps to reproduce
Deploy the Keycloak operator using OLM instead of plain resources.
Expected behavior
The Kubernetes client should behave consistently.
Runtime
minikube
Kubernetes API Server version
1.22.3@latest
Environment
macOS, other (please specify in additional context)
Fabric8 Kubernetes Client Logs
2022-03-23 18:27:14,557 ERROR [org.key.ope.v2a.KeycloakController] (EventHandler-keycloakcontroller) --- Error reconciling: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.96.0.1/apis/apps/v1/namespaces/default/deployments/example-kc. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. deployments.extensions "example-kc" is forbidden: User "system:serviceaccount:default:keycloak-operator" cannot get resource "deployments" in API group "extensions" in the namespace "default".
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:683)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:662)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:611)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:556)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:519)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:488)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:458)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:696)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.getMandatory(BaseOperation.java:182)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:149)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:83)
at org.keycloak.operator.v2alpha1.KeycloakDeployment.fetchExistingDeployment(KeycloakDeployment.java:114)
at org.keycloak.operator.v2alpha1.KeycloakDeployment.<init>(KeycloakDeployment.java:75)
at org.keycloak.operator.v2alpha1.KeycloakController.reconcile(KeycloakController.java:105)
at org.keycloak.operator.v2alpha1.KeycloakController.reconcile(KeycloakController.java:52)
at org.keycloak.operator.v2alpha1.KeycloakController_ClientProxy.reconcile(Unknown Source)
at io.javaoperatorsdk.operator.processing.Controller$2.execute(Controller.java:101)
at io.javaoperatorsdk.operator.processing.Controller$2.execute(Controller.java:76)
at io.javaoperatorsdk.operator.api.monitoring.Metrics.timeControllerExecution(Metrics.java:34)
at io.javaoperatorsdk.operator.processing.Controller.reconcile(Controller.java:75)
at io.javaoperatorsdk.operator.processing.event.ReconciliationDispatcher.reconcileExecution(ReconciliationDispatcher.java:151)
at io.javaoperatorsdk.operator.processing.event.ReconciliationDispatcher.handleReconcile(ReconciliationDispatcher.java:117)
at io.javaoperatorsdk.operator.processing.event.ReconciliationDispatcher.handleDispatch(ReconciliationDispatcher.java:82)
at io.javaoperatorsdk.operator.processing.event.ReconciliationDispatcher.handleExecution(ReconciliationDispatcher.java:51)
at io.javaoperatorsdk.operator.processing.event.EventProcessor$ControllerExecution.run(EventProcessor.java:385)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Additional context
Client version: 5.11.2
Using minikube + OLM
Top GitHub Comments
If we can’t remove this interceptor for 6.0, I’d vote for at least making it disabled by default.
My understanding is that it’s always installed by default. Is it a timing issue with the existence of the deployment? If it exists then you won’t see this exception regardless.