Jenkins has insufficient RBAC permissions #359

Closed
Nuru opened this issue May 3, 2020 · 7 comments
Labels
bug Something isn't working

Comments

Nuru commented May 3, 2020

Expected Behavior

Jenkins is given all needed RBAC permissions

Actual Behavior

Jenkins log indicates an error while launching remote agent using Kubernetes plugin

io.fabric8.kubernetes.client.KubernetesClientException: events is forbidden: User "system:serviceaccount:jenkins:jenkins-operator-jenkins" cannot watch resource "events" in API group "" in the namespace "jenkins"

Steps to Reproduce the Problem

  1. Deploy Jenkins 2.222.3 with kubernetes-operator v0.4.0 using helm chart 0.2.0 onto Kubernetes 1.15.11
  2. Configure Jenkins to use remote Kubernetes pods as agents, following directions here
  3. See build executor pod launch, Jenkins issues error message shown above.

tomaszsek added the bug label May 3, 2020

@tomaszsek

Hi @Nuru,

By default, the operator configures the Jenkins Kubernetes plugin for you, and it should work out of the box. This is https://itnext.io/utilize-jenkins-in-an-auto-scaling-kubernetes-deployment-on-amazon-eks-with-spot-instances-f9159df00aee#6074 configured by the operator.

What version of the Kubernetes plugin did you use? I think the new version may require more permissions. By default, the Jenkins master has the permissions described here.

Cheers

Nuru commented May 3, 2020

@tomaszsek I used the Kubernetes plugin that was installed automatically (I did not specify the plugin at all), which was version 1.25.2.

I certainly agree it should "work out of the box", but it didn't, which is why I opened this issue. The link you provided showing the Jenkins master permissions does not include the permission in question, which is "watch" on "events".
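
Added example, not part of the thread and not the operator's code: a small Python script that reads Kubernetes authorization denials of the form quoted in this issue out of a Jenkins log and builds a Role containing only the denied verbs, plus a RoleBinding for the service account, so the gap can be reviewed against the documented permissions. The function names, the `-denied-verbs` name suffix and the sample log are assumptions made for the example; only namespaced denials in this message format are handled.

```python
import json
import re
from collections import defaultdict

# Authorization-denial format of the Kubernetes API server, as quoted in the issue.
FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'in the namespace "(?P<ns>[^"]+)"'
)
DENIAL = ('io.fabric8.kubernetes.client.KubernetesClientException: events is forbidden: '
          'User "system:serviceaccount:jenkins:jenkins-operator-jenkins" cannot watch '
          'resource "events" in API group "" in the namespace "jenkins"')
# Constructed log: the denial from the issue twice, plus a made-up unrelated line.
SAMPLE_LOG = "\n".join([DENIAL, "INFO: Created Pod: jenkins/agent-abc12", DENIAL])


def missing_permissions(log_text):
    """Map (target namespace, SA namespace, SA name) -> {(group, resource): verbs}."""
    denied = defaultdict(lambda: defaultdict(set))
    for m in FORBIDDEN.finditer(log_text):
        denied[(m["ns"], m["sa_ns"], m["sa"])][(m["group"], m["res"])].add(m["verb"])
    return denied


def manifests(denied, suffix="-denied-verbs"):  # suffix is a hypothetical naming choice
    """Build a Role with only the denied verbs, and a RoleBinding, per service account."""
    out = []
    for (ns, sa_ns, sa), perms in sorted(denied.items()):
        meta = {"name": sa + suffix, "namespace": ns}
        rules = [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                 for (g, r), v in sorted(perms.items())]
        out.append({"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
                    "metadata": meta, "rules": rules})
        out.append({"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
                    "metadata": meta,
                    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                                "kind": "Role", "name": meta["name"]},
                    "subjects": [{"kind": "ServiceAccount", "name": sa,
                                  "namespace": sa_ns}]})
    return out


if __name__ == "__main__":
    # Prints a JSON list for review: one Role and one RoleBinding per service account.
    print(json.dumps(manifests(missing_permissions(SAMPLE_LOG)), indent=2))
```

Repeated denials collapse into a single rule, so the output stays limited to the verbs the API server actually refused.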

@tomaszsek

I've reproduced the error but even with io.fabric8.kubernetes.client.KubernetesClientException: events is forbidden: User "system:serviceaccount:jenkins:jenkins-operator-jenkins" cannot watch resource "events" in API group "" in the namespace "jenkins" in Jenkins logs I was able to run the job successfully.

If you still can't run a job with Kubernetes plugin I think the problem is somewhere else. We will try to narrow the issue. The full logs from the job run and Jenkins might be very useful.

akram pushed a commit to akram/jenkins-operator that referenced this issue May 6, 2020
akram pushed a commit to akram/jenkins-operator that referenced this issue May 6, 2020

Nuru commented May 8, 2020

Yes, there were other issues preventing the agent launch. Jenkins can launch agents without this permission, but I think it fails at monitoring them in some way, like detecting that new agents have launched before they check in.

bainss commented Jun 30, 2020

@tomaszsek @akram
I believe the fix applied here to rbac.go should also fix the helm pod creation problems I have #424

Is there a timeline for when these fixes will make it to a release?

JTarball commented Sep 5, 2020

Any updates on timelines?

@tomaszsek

This issue was closed.