Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2023/01/05 22:53:39 UTC

[GitHub] [cloudstack] nate-ac commented on issue #6987: Project User kubeadmin is not working with project k8s clusters

nate-ac commented on issue #6987:
URL: https://github.com/apache/cloudstack/issues/6987#issuecomment-1372894386

   A little more RCA here:
   
   When a project is created, a "PrjAcct-" account is also created and given ownership of the project. This account is created with the "RO Admin" role.
   
   https://github.com/apache/cloudstack/blob/20306d612928712e5354bad57691b5fe4e1f59a9/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java#L266
   
   ```java
                   //Create an account associated with the project
                   StringBuilder acctNm = new StringBuilder("PrjAcct-");
                   acctNm.append(name).append("-").append(ownerFinal.getDomainId());
   
                   Account projectAccount = _accountMgr.createAccount(acctNm.toString(), Account.Type.PROJECT, null, domainId, null, null, UUID.randomUUID().toString());
   
                   Project project = _projectDao.persist(new ProjectVO(name, displayText, ownerFinal.getDomainId(), projectAccount.getId()));
   
                   //assign owner to the project
                   assignAccountToProject(project, ownerFinal.getId(), ProjectAccount.Role.Admin,
                           Optional.ofNullable(finalUser).map(User::getId).orElse(null),  null);
   
           if (project != null) {
               CallContext.current().setEventDetails("Project id=" + project.getId());
               CallContext.current().putContextParameter(Project.class, project.getUuid());
           }
   ```
   
   Then a subsequent account is created, added to the project, and set as "Domain Admin". Within the account is the kubeadmin user. This user makes API calls to set up the nginx ingress controller as shown above. The API call results in an empty response.
   
   Changing the "PrjAcct-" role from "RO Admin" to "Domain Admin" somehow allows the kubeadmin user the access it needs to "see" the resources and interact with them.
   
   So there seems to be something wrong with project accounts accessing the resources that are owned by the "PrjAcct-" RO Admin account, or the account is being created with insufficient access.
   
   Things we noted while troubleshooting:
   - All resources created in the project are owned by the "PrjAcct-" account
   - The "PrjAcct-" account has type = 5 (RO Admin) and role_id = NULL in cloud.account
   - API calls the kubeadmin user made during nginx ingress install & delete:
   
   ```
   assignToLoadBalancerRule
   associateIpAddress
   deleteFirewallRule
   deleteLoadBalancerRule
   disassociateIpAddress
   listFirewallRules
   listLoadBalancerRules
   listNetworks
   listVirtualMachines
   queryAsyncJobResult
   ```
   
   
   
   
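A way to narrow down the "empty response" described in the comment above is to replay the same project-scoped list calls from outside Kubernetes, once with the kubeadmin user's API keys and once with a project admin's keys, and compare what each gets back. The script below is an added example, not code from the issue or from the CloudStack project. It implements CloudStack's documented API request signing (parameters sorted by name, values URL-encoded with spaces as `%20`, the whole string lower-cased, HMAC-SHA1 with the secret key, base64, then URL-encoded into `signature`), issues the list calls named in the comment with `projectid` set, and reports any command for which the project admin sees resources while the kubeadmin user gets an empty list or an error. The endpoint URL, project uuid and key pairs in `main` are placeholders, and the JSON response shapes handled by `response_count` are constructed for illustration.

```python
"""Added example: replay the kubeadmin user's project-scoped CloudStack API calls
with two different key pairs and compare the results.

Not code from the GitHub issue or from CloudStack itself. Signing follows the
documented CloudStack scheme; endpoint, project id and keys are placeholders.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import quote_plus
from urllib.request import urlopen


def string_to_sign(params):
    """Canonical string the management server verifies: keys sorted, keys and
    URL-encoded values lower-cased, spaces encoded as %20 rather than '+'."""
    pairs = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(
        f"{k.lower()}={quote_plus(str(v)).replace('+', '%20').lower()}"
        for k, v in pairs
    )


def sign(params, secret_key):
    """HMAC-SHA1 over the canonical string, base64 and then URL-encoded."""
    digest = hmac.new(secret_key.encode(), string_to_sign(params).encode(),
                      hashlib.sha1).digest()
    return quote_plus(base64.b64encode(digest).decode())


def build_url(endpoint, params, api_key, secret_key):
    """Signed GET URL; `apikey` and `response=json` are part of the signed set."""
    signed = dict(params, apikey=api_key, response="json")
    query = "&".join(f"{k}={quote_plus(str(v))}" for k, v in sorted(signed.items()))
    return f"{endpoint}?{query}&signature={sign(signed, secret_key)}"


def response_count(body):
    """Return (entity count, error text or None) for a list* JSON response.

    CloudStack wraps results as {"list...response": {"count": N, "<entity>": [...]}}
    and answers an empty list with {"list...response": {}}; a rejected call
    carries "errorcode"/"errortext" inside the same wrapper instead.
    """
    wrapper = next(iter(body.values()), {})
    if "errorcode" in wrapper:
        return 0, f"{wrapper['errorcode']}: {wrapper.get('errortext', '')}"
    return int(wrapper.get("count", 0)), None


def project_calls(project_id):
    """The list* commands from the issue, scoped to the project via projectid."""
    commands = ["listProjectAccounts", "listNetworks", "listVirtualMachines",
                "listFirewallRules", "listLoadBalancerRules"]
    return [{"command": c, "projectid": project_id} for c in commands]


def compare(endpoint, project_id, admin_keys, kubeadmin_keys):
    """Issue each call with both key pairs; return the commands where the project
    admin sees resources but the kubeadmin user gets nothing (or an error)."""
    findings = []
    for params in project_calls(project_id):
        counts = {}
        for label, (api_key, secret) in (("admin", admin_keys), ("kubeadmin", kubeadmin_keys)):
            with urlopen(build_url(endpoint, params, api_key, secret), timeout=30) as resp:
                counts[label] = response_count(json.load(resp))
        (admin_n, _), (kube_n, kube_err) = counts["admin"], counts["kubeadmin"]
        if admin_n > 0 and kube_n == 0:
            findings.append((params["command"], admin_n, kube_err or "empty response"))
    return findings


if __name__ == "__main__":
    # Placeholders (assumed): management server URL, project uuid, and the API
    # key/secret pairs of a project admin account and of the kubeadmin user.
    for command, admin_n, detail in compare(
        "https://cloudstack.example/client/api", "PROJECT-UUID",
        ("ADMIN_API_KEY", "ADMIN_SECRET"), ("KUBEADMIN_API_KEY", "KUBEADMIN_SECRET"),
    ):
        print(f"{command}: project admin sees {admin_n}, kubeadmin sees {detail}")
```

A command printed with "empty response" reproduces the symptom in the comment without Kubernetes in the loop, which points at account or role resolution for the project; a printed `errorcode`/`errortext` instead indicates an explicit RBAC denial, which is a different failure to chase.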

