Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/12/22 07:54:54 UTC
[GitHub] [apisix] robertluoxu opened a new issue, #8552: help request: Service discovery uses K8S to start an error report ,endpoints is forbidden 403
robertluoxu opened a new issue, #8552:
URL: https://github.com/apache/apisix/issues/8552
### Description
After restarting the apisix pod, there is an error:
2022/12/22 07:45:16 [error] 65#65: *324504 [lua] informer_factory.lua:295: list failed, kind: Endpoints, reason: Forbidden, message : {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"endpoints is forbidden: User \"system:serviceaccount:gateway:default\" cannot list resource \"endpoints\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"endpoints"},"code":403}
config.yaml

```yaml
apisix:
  node_listen:
    - 9080
  admin_key:
    - name: admin
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin
  ssl:
    enable: true
    ssl_trusted_certificate: /etc/kubernetes/sslca.pem
  allow_admin:
    # - 127.0.0.0/24
etcd:
  host:
    - https://myetcdip1:2379
    - https://myetcdip2:2379
    - https://myetcdip3:2379
  tls:
    cert: /etc/kubernetes/ssl/etcd.pem
    key: /etc/kubernetes/ssl/etcdpem
    verify: false
nginx_config:
  error_log: logs/error.log
  error_log_level: warn
discovery:
  kubernetes: { }
```
upstream

```json
{
  "timeout": {
    "connect": 6,
    "send": 6,
    "read": 6
  },
  "type": "roundrobin",
  "scheme": "http",
  "discovery_type": "kubernetes",
  "pass_host": "pass",
  "name": "traffic",
  "service_name": "traffic/mew-traffic-webapi:tcp9000",
  "keepalive_pool": {
    "idle_timeout": 60,
    "requests": 1000,
    "size": 320
  }
}
```
### Environment
- APISIX version (run `apisix version`): 2.15.0
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] zhixiongdu027 commented on issue #8552: help request: Service discovery uses K8S to start an error report ,endpoints is forbidden 403
Posted by GitBox <gi...@apache.org>.
zhixiongdu027 commented on issue #8552:
URL: https://github.com/apache/apisix/issues/8552#issuecomment-1364414724
So far, the faults I have found in the use of kubernetes discovery mainly fall into four aspects:
1. When using kubernetes discovery in version 2.13, if a configuration value refers to environment variables (the default configuration does this automatically), they need to be injected through nginx_config.envs
```yaml
discovery:
  kubernetes: { }
nginx_config: # config for rendering the template to generate nginx.conf
  envs:
    - KUBERNETES_SERVICE_HOST
    - KUBERNETES_SERVICE_PORT
```
2. The service_name address configuration is incorrect
>
> service_name should match pattern: [namespace]/[name]:[portName]
> namespace: The namespace where the Kubernetes endpoints is located
> name: The name of the Kubernetes endpoints
> portName: The ports.name value in the Kubernetes endpoints, if there is no ports.name, use targetPort, port instead
>
3. ServiceAccount permissions are not enough
>
> Q: What permissions does the [ServiceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) require?
>
> A: The ServiceAccount requires cluster-level [ get, list, watch ] permissions on endpoints resources; the declarative
>
4. The proxy network timeout does not match the timeout of the watch apiserver
see issue #8313
You can check against the list.
--
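The fix for point 3 and a check for the service_name pattern in point 2, as an added example that is not part of this thread or of the APISIX project. The subject (namespace gateway, service account default) is taken from the 403 message in the issue; the ClusterRole and ClusterRoleBinding name apisix-k8s-discovery and the function names are assumptions. The log line embedded below is a constructed copy of the one in the issue, and the kubectl check needs a cluster, so it is defined but not run.

```sh
#!/bin/sh
# Added example, not APISIX project code. Names below (apisix-k8s-discovery,
# the apisix_* functions) are assumptions; "gateway"/"default" come from the
# 403 message quoted in the issue.

# Constructed input: the error line from the issue.
LOG_LINE='2022/12/22 07:45:16 [error] 65#65: *324504 [lua] informer_factory.lua:295: list failed, kind: Endpoints, reason: Forbidden, message : {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"endpoints is forbidden: User \"system:serviceaccount:gateway:default\" cannot list resource \"endpoints\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"endpoints"},"code":403}'

# Print "<namespace> <name>" of the service account the API server denied.
# Exits 1 when the line names no service account (grep . fails on no output).
apisix_sa_from_error() {
  printf '%s\n' "$1" |
    sed -n 's/.*system:serviceaccount:\([^:"\\]*\):\([^:"\\]*\).*/\1 \2/p' |
    grep .
}

# Validate an upstream service_name against the documented pattern
# [namespace]/[name]:[portName]. Prints the three parts on success, exits 1
# on a missing separator, an empty part, or a stray "/" or ":" inside a part.
apisix_check_service_name() {
  case "$1" in
    */*:*) ;;
    *) echo "bad service_name '$1': want [namespace]/[name]:[portName]" >&2; return 1 ;;
  esac
  sn_ns=${1%%/*}
  sn_rest=${1#*/}
  sn_name=${sn_rest%%:*}
  sn_port=${sn_rest#*:}
  for sn_part in "$sn_ns" "$sn_name" "$sn_port"; do
    case "$sn_part" in
      ''|*[/:]*) echo "bad service_name '$1': empty part or extra separator" >&2; return 1 ;;
    esac
  done
  printf '%s %s %s\n' "$sn_ns" "$sn_name" "$sn_port"
}

# Least-privilege grant the informer needs: get/list/watch on endpoints in the
# core ("") API group. The list runs at cluster scope, so this must be a
# ClusterRole bound with a ClusterRoleBinding; a namespaced Role would not do.
# Usage: apisix_rbac_manifest <sa-namespace> <sa-name>
apisix_rbac_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: apisix-k8s-discovery
rules:
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: apisix-k8s-discovery
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: apisix-k8s-discovery
subjects:
- kind: ServiceAccount
  name: $2
  namespace: $1
EOF
}

# Live check (needs kubectl and cluster access; not run here): impersonate the
# service account and ask the API server the same three questions the informer
# effectively asks. Returns 1 on the first "no".
apisix_verify_rbac() {
  for verb in get list watch; do
    kubectl auth can-i "$verb" endpoints --all-namespaces \
      --as="system:serviceaccount:$1:$2" || return 1
  done
}

# Demo: recover the subject from the log line and print the manifest to apply
# (pipe into `kubectl apply -f -`), then check the poster's service_name.
sa=$(apisix_sa_from_error "$LOG_LINE")
apisix_rbac_manifest $sa
apisix_check_service_name 'traffic/mew-traffic-webapi:tcp9000'
```

After `apisix_rbac_manifest gateway default | kubectl apply -f -`, `apisix_verify_rbac gateway default` should print "yes" three times before the pod is restarted. The verbs stay read-only on purpose. Note that the pod in the issue runs as the namespace's `default` service account, so this binding hands cluster-wide endpoint read (the pod IPs behind every service) to every pod in that namespace that mounts that token; a dedicated service account for the gateway pod is the tighter choice.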
[GitHub] [apisix] tokers commented on issue #8552: help request: Service discovery uses K8S to start an error report ,endpoints is forbidden 403
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #8552:
URL: https://github.com/apache/apisix/issues/8552#issuecomment-1364793021
> So far, the faults in the use of kubernetes discovery that I have found mainly include four aspects:
>
> 1. When using kubernetes discovery in version 2.13, if a configuration value refers to environment variables (the default configuration does this automatically), they need to be injected through nginx_config.envs
>
> ```yaml
> discovery:
>   kubernetes: { }
> nginx_config: # config for rendering the template to generate nginx.conf
>   envs:
>     - KUBERNETES_SERVICE_HOST
>     - KUBERNETES_SERVICE_PORT
> ```
>
> 2. The service_name address configuration is incorrect
>
> > service_name should match pattern: [namespace]/[name]:[portName]
> > namespace: The namespace where the Kubernetes endpoints is located
> > name: The name of the Kubernetes endpoints
> > portName: The ports.name value in the Kubernetes endpoints, if there is no ports.name, use targetPort, port instead
>
> 3. ServiceAccount permissions are not enough
>
> > Q: What permissions does the [ServiceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) require?
> > A: The ServiceAccount requires cluster-level [ get, list, watch ] permissions on endpoints resources; the declarative
>
> 4. The proxy network timeout does not match the timeout of the watch apiserver
> see issue [help request: As a user, I use kubernetes service discovery ,same apisix instance ,It took a long time to get the changed ip #8313](https://github.com/apache/apisix/issues/8313)
>
> You can check against the list.
@zhixiongdu027 That's quite valuable. Could you also submit a PR to add them to docs? Thanks!
--
Re: [I] help request: Service discovery uses K8S to start an error report ,endpoints is forbidden 403 [apisix]
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #8552:
URL: https://github.com/apache/apisix/issues/8552#issuecomment-1870145904
This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.
--
[GitHub] [apisix] zhixiongdu027 commented on issue #8552: help request: Service discovery uses K8S to start an error report ,endpoints is forbidden 403
Posted by GitBox <gi...@apache.org>.
zhixiongdu027 commented on issue #8552:
URL: https://github.com/apache/apisix/issues/8552#issuecomment-1364824321
Problem 1 is specific to version 2.13. In versions 2.15 and later, users do not need to inject additional
Problems 2 and 3 are described in the current documentation, but many users don't read it before using it.
Problem 4 needs a new feature; it is currently still on my to-do list (#8311).
--
Re: [I] help request: Service discovery uses K8S to start an error report ,endpoints is forbidden 403 [apisix]
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #8552:
URL: https://github.com/apache/apisix/issues/8552#issuecomment-1851720130
This issue has been marked as stale due to 350 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.
--
[GitHub] [apisix] tokers commented on issue #8552: help request: Service discovery uses K8S to start an error report ,endpoints is forbidden 403
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #8552:
URL: https://github.com/apache/apisix/issues/8552#issuecomment-1362606588
@robertluoxu The service account should have permission for listing, watching, and getting endpoints from API Server.
--
Re: [I] help request: Service discovery uses K8S to start an error report ,endpoints is forbidden 403 [apisix]
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] closed issue #8552: help request: Service discovery uses K8S to start an error report ,endpoints is forbidden 403
URL: https://github.com/apache/apisix/issues/8552
--