Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to connect cluster when specified executor.serviceAccountName but autoMountServiceAccountToken: false #10937

Closed
3 tasks done
maxsxu opened this issue Apr 18, 2023 · 5 comments · Fixed by #10945
Closed
3 tasks done

Unable to connect cluster when specified executor.serviceAccountName but autoMountServiceAccountToken: false #10937

maxsxu opened this issue Apr 18, 2023 · 5 comments · Fixed by #10945
Assignees
@maxsxu
Labels
area/executor area/spec Changes to the workflow specification. area/upstream This is an issue with an upstream dependency, not Argo itself solution/invalid This is incorrect. Also can be used for spam type/support User support issue - likely not a bug

Comments

@maxsxu
Copy link
Contributor

maxsxu commented Apr 18, 2023

Pre-requisites

  • I have double-checked my configuration
  • I can confirm the issues exists when I tested with :latest
  • I'd like to contribute the fix myself (see contributing guide)

What happened/what you expected to happen?

What happened

Occurred below errors while creating resource via container/script template

create-resources-via-container-template: error: failed to create serviceaccount: Post "http://localhost:8080/api/v1/namespaces/default/serviceaccounts?fieldManager=kubectl-create&fieldValidation=Strict": dia
l tcp 127.0.0.1:8080: connect: connection refused

what you expected to happen?

Able to create resource via container/script template successfully.

Version

latest

Paste a small workflow that reproduces the issue. We must be able to run the workflow; don't enter a workflows that uses private images.

metadata:
  name: create-resources-via-container-template
  namespace: argo
spec:
  executor:
    serviceAccountName: sa-writer
  serviceAccountName: sa-writer
  automountServiceAccountToken: false
  entrypoint: main
  templates:
    - name: main
      container:
        name: main
        image: bitnami/kubectl
        command:
          - sh
        args:
          - -c
          - |
           kubectl create sa test

Logs from the workflow controller

healthy

Logs from in your workflow's wait container

healthy
@maxsxu
Copy link
Contributor Author

maxsxu commented Apr 18, 2023

Related Discussion: #10885

@maxsxu
Copy link
Contributor Author

maxsxu commented Apr 18, 2023

I think I've figured out why: The main container didn't mount the exec-sa-token volume.

@terrytangyuan
Copy link
Member

Would you like to submit a PR to fix it?

@maxsxu
Copy link
Contributor Author

maxsxu commented Apr 18, 2023

Would you like to submit a PR to fix it?

@terrytangyuan 👍 Please assign this issue to me.

@maxsxu maxsxu mentioned this issue Apr 19, 2023
Merged
@sarabala1979 sarabala1979 added the P3 Low priority label Apr 20, 2023
terrytangyuan pushed a commit that referenced this issue Apr 24, 2023
@maxsxu
fix: unable to connect cluster when AutomountServiceAccountToken is d…
8786b46 
…isabled. Fixes #10937 (#10945)
@terrytangyuan terrytangyuan mentioned this issue May 22, 2023
Closed
44 tasks
terrytangyuan pushed a commit that referenced this issue May 25, 2023
@maxsxu @terrytangyuan
fix: unable to connect cluster when AutomountServiceAccountToken is d…
3dbb9dc 
…isabled. Fixes #10937 (#10945)
JPZ13 pushed a commit to pipekit/argo-workflows that referenced this issue Jul 4, 2023
@maxsxu @JPZ13
fix: unable to connect cluster when AutomountServiceAccountToken is d…
c7bd4b1 
…isabled. Fixes argoproj#10937 (argoproj#10945)
@eduardodbr eduardodbr mentioned this issue Mar 29, 2024
Closed
4 tasks
dpadhiar pushed a commit to dpadhiar/argo-workflows that referenced this issue May 9, 2024
@maxsxu @dpadhiar
fix: unable to connect cluster when AutomountServiceAccountToken is d…
6224a90 
…isabled. Fixes argoproj#10937 (argoproj#10945)

Signed-off-by: Dillen Padhiar <dillen_padhiar@intuit.com>
@agilgur5 agilgur5 changed the title Unable to connect cluster when specified executor serviceAccountName Unable to connect cluster when specified serviceAccountName but autoMountServiceAccountToken: false Oct 26, 2024
@agilgur5 agilgur5 added area/executor area/spec Changes to the workflow specification. type/support User support issue - likely not a bug solution/invalid This is incorrect. Also can be used for spam area/upstream This is an issue with an upstream dependency, not Argo itself and removed type/bug P3 Low priority labels Oct 26, 2024
@agilgur5
Copy link
Contributor

agilgur5 commented Oct 26, 2024
edited
Loading

Per #12848 (comment), this seems to have been incorrectly analyzed: an SA token shouldn't be mounted to the main container if automountServiceAccountToken: false -- you have literally instructed it not to. An error trying to reach the k8s API with no SA token would be correct behavior.

@agilgur5 agilgur5 changed the title Unable to connect cluster when specified serviceAccountName but autoMountServiceAccountToken: false Unable to connect cluster when specified executor.serviceAccountName but autoMountServiceAccountToken: false Oct 26, 2024
@MinyiZ MinyiZ mentioned this issue Oct 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maxsxu maxsxu

Labels
area/executor area/spec Changes to the workflow specification. area/upstream This is an issue with an upstream dependency, not Argo itself solution/invalid This is incorrect. Also can be used for spam type/support User support issue - likely not a bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: mount SA token when automountServiceAccountToken: false. Fixes #10937 atmaxio/argo-workflows
4 participants
@terrytangyuan @agilgur5 @maxsxu @sarabala1979