Page MenuHomePhabricator
Create Task
Maniphest T331572

maintain-kubeusers container in CrashLoopBackoff preventing new tool creation after 'user-maintainer' ClusterRole changes
Closed, ResolvedPublicBUG REPORT
Actions

Description

[21:28]  <  legoktm> maybe I'm being impatient, but it's taking longer than I expected for the "tour-nyc" tool I created to become... become-able
[21:38]  <    bd808> legoktm: it usually takes 5-10 minutes, but there might be something wrong with maintain-kubeusers?
[21:38]  <  legoktm> hm, we're at ~15min now
[21:38]  <    bd808> yeah, that's a bit too long
[21:39]  <    bd808> now I have to remember where this stuff runs...
[21:39]  <  legoktm> I'm supposed to demo this live in uhh...an hour, but I'm just canabalizing another spare tool I have lying around for now
[21:39]  <  legoktm> so no urgency specifically from me other than it is broken :p
[21:45]  <    bd808> !log admin maintain-kubeusers container in CrashLoopBackoff, investigating

Details

ProjectBranchLines +/-Subject
labs/tools/maintain-kubeusersmaster+1 -1k8s_api: rbac: use 'policy' group
Customize query in gerrit

Related Objects
Search...

Event Timeline

bd808 created this task.Wed, Mar 8, 9:48 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptWed, Mar 8, 9:48 PM
bd808 triaged this task as High priority.Wed, Mar 8, 9:49 PM
bd808 moved this task from Inbox to Clinic Duty on the cloud-services-team board.
bd808 added a comment.Wed, Mar 8, 9:52 PM
$ kubectl sudo -n maintain-kubeusers logs maintain-kubeusers-b6c6d7c5c-kh75v
starting a run
Homedir already exists for /data/project/chtholly
Wrote config in /data/project/chtholly/.kube/config
PodSecurityPolicy tool-chtholly-psp already exists
Namespace tool-chtholly already exists
Role tool-chtholly-psp already exists
Could not create toolforge-tfb-psp role for chtholly
Traceback (most recent call last):
  File "/app/maintain_kubeusers.py", line 7, in <module>
    runpy.run_module("maintain_kubeusers", run_name="__main__")
  File "/usr/lib/python3.9/runpy.py", line 228, in run_module
    return _run_code(code, {}, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/app/maintain_kubeusers/__main__.py", line 7, in <module>
    main()
  File "/app/maintain_kubeusers/cli.py", line 162, in main
    new_tools = process_new_users(
  File "/app/maintain_kubeusers/utils.py", line 63, in process_new_users
    k8s_api.add_user_access(user_list[user_name])
  File "/app/maintain_kubeusers/k8s_api.py", line 800, in add_user_access
    self.process_buildpack_rbac(user.name)
  File "/app/maintain_kubeusers/k8s_api.py", line 659, in process_buildpack_rbac
    _ = self.rbac.create_namespaced_role(
  File "/app/venv/lib/python3.9/site-packages/kubernetes/client/api/rbac_authorization_v1_api.py", line 324, in create_namespaced_role
    return self.create_namespaced_role_with_http_info(namespace, body, **kwargs)  # noqa: E501
  File "/app/venv/lib/python3.9/site-packages/kubernetes/client/api/rbac_authorization_v1_api.py", line 419, in create_namespaced_role_with_http_info
    return self.api_client.call_api(
  File "/app/venv/lib/python3.9/site-packages/kubernetes/client/api_client.py", line 348, in call_api
    return self.__call_api(resource_path, method,
  File "/app/venv/lib/python3.9/site-packages/kubernetes/client/api_client.py", line 180, in __call_api
    response_data = self.request(
  File "/app/venv/lib/python3.9/site-packages/kubernetes/client/api_client.py", line 391, in request
    return self.rest_client.POST(url,
  File "/app/venv/lib/python3.9/site-packages/kubernetes/client/rest.py", line 275, in POST
    return self.request("POST", url,
  File "/app/venv/lib/python3.9/site-packages/kubernetes/client/rest.py", line 234, in request
    raise ApiException(http_resp=r)
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Kubernetes-Pf-Flowschema-Uid': 'e76349e3-a0be-4217-9dea-10b63204e554', 'X-Kubernetes-Pf-Prioritylevel-Uid': 'd77de175-725f-414a-9b4e-8b719e411c2c', 'Date': 'Wed, 08 Mar 2023 21:49:20 GMT', 'Content-Length': '627'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"roles.rbac.authorization.k8s.io \"tfb-chtholly-psp\" is forbidden: user \"system:serviceaccount:maintain-kubeusers:user-maintainer\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:maintain-kubeusers\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"extensions\"], Resources:[\"podsecuritypolicies\"], ResourceNames:[\"toolforge-tfb-psp\"], Verbs:[\"use\"]}","reason":"Forbidden","details":{"name":"tfb-chtholly-psp","group":"rbac.authorization.k8s.io","kind":"roles"},"code":403}
bd808 added a comment.Wed, Mar 8, 10:15 PM

This seems to be related to T329869: Remove tool RBAC rules for APIs removed in Kubernetes 1.22 and T286856: Upgrade Toolforge Kubernetes to latest 1.22.

I think that rLTMK3e0402542836: rbac: Drop rules for deprecated APIs removed the podsecuritypolicies resource permissions that maintain-kubeusers is still trying to grant at https://gerrit.wikimedia.org/r/plugins/gitiles/labs/tools/maintain-kubeusers/+/refs/heads/master/maintain_kubeusers/k8s_api.py#533.

bd808 added a comment.Wed, Mar 8, 10:30 PM

Quick hack to get things working again:

$ kubectl sudo -n maintain-kubeusers edit ClusterRole user-maintainer
  # Add this back in:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - use
  - delete
$ kubectl sudo -n maintain-kubeusers logs -f maintain-kubeusers-b6c6d7c5c-kh75v
starting a run
Homedir already exists for /data/project/chtholly
Wrote config in /data/project/chtholly/.kube/config
PodSecurityPolicy tool-chtholly-psp already exists
Namespace tool-chtholly already exists
Role tool-chtholly-psp already exists
Provisioned creds for user chtholly
Homedir already exists for /data/project/del-simple-bad-redirects
Wrote config in /data/project/del-simple-bad-redirects/.kube/config
PodSecurityPolicy tool-del-simple-bad-redirects-psp already exists
Namespace tool-del-simple-bad-redirects already exists
Role tool-del-simple-bad-redirects-psp already exists
Provisioned creds for user del-simple-bad-redirects
Homedir already exists for /data/project/tour-nyc
Wrote config in /data/project/tour-nyc/.kube/config
PodSecurityPolicy tool-tour-nyc-psp already exists
Namespace tool-tour-nyc already exists
Role tool-tour-nyc-psp already exists
Provisioned creds for user tour-nyc
Homedir already exists for /data/project/ashleybot
Wrote config in /data/project/ashleybot/.kube/config
Renewed creds for tool ashleybot
Homedir already exists for /data/project/terabot
Wrote config in /data/project/terabot/.kube/config
Renewed creds for tool terabot
finished run, wrote 3 new accounts, disabled 2 accounts, cleaned up 0 accounts
Stashbot added a comment.Wed, Mar 8, 10:31 PM

Mentioned in SAL (#wikimedia-cloud) [2023-03-08T22:31:29Z] <bd808> Live hacked user-maintainer clusterrole to work around breakage in T331572

bd808 added subscribers: taavi, aborrero.Wed, Mar 8, 10:36 PM

The service is working again because I live hacked the missing podsecuritypolicies grants back into the user-maintainer clusterrole, but this will break again as soon as someone runs the helm deploy for maintain-kubeusers.

Hopefully @taavi or @aborrero can figure out what code changes are needed in the maintain-kubeusers python code to match the podsecuritypolicies removal for the pending Kubernetes upgrade.

bd808 renamed this task from maintain-kubeusers container in CrashLoopBackoff preventing new tool creation to maintain-kubeusers container in CrashLoopBackoff preventing new tool creation after 'user-maintainer' ClusterRole changes.Wed, Mar 8, 10:36 PM
bd808 added a parent task: T286856: Upgrade Toolforge Kubernetes to latest 1.22.
taavi claimed this task.Thu, Mar 9, 8:01 AM

Sorry I did not notice that. Looks like it's the creation of the RBAC rule which fails, not the creation of the PSP itself.

gerritbot added a comment.Thu, Mar 9, 9:09 AM

Change 896019 had a related patch set uploaded (by Majavah; author: Majavah):

[labs/tools/maintain-kubeusers@master] k8s_api: rbac: use 'policy' group

https://gerrit.wikimedia.org/r/896019

gerritbot added a project: Patch-For-Review.Thu, Mar 9, 9:09 AM
gerritbot added a comment.Thu, Mar 9, 10:02 AM

Change 896019 merged by jenkins-bot:

[labs/tools/maintain-kubeusers@master] k8s_api: rbac: use 'policy' group

https://gerrit.wikimedia.org/r/896019

taavi mentioned this in rLTMK834807c346aa: k8s_api: rbac: use 'policy' group.Thu, Mar 9, 10:02 AM
aborrero added a comment.Thu, Mar 9, 10:03 AM

I can't explain how is possible the code was working before. PSP were in policy/v1beta1 in 1.21 https://v1-21.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#podsecuritypolicy-v1beta1-policy

Maintenance_bot removed a project: Patch-For-Review.Thu, Mar 9, 10:10 AM
aborrero mentioned this in T331619: toolforge: rbac: change existing roles to reference PSP in the policy group.Thu, Mar 9, 12:17 PM
taavi closed this task as Resolved.Sat, Mar 18, 1:32 PM

This bug is fixed. T331619 is tracking a follow-up.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL