TimescaleDB Single ServiceAccount missing create:service permission #599
Description
What happened?
Deployed timescaledb-single chart and was receiving multiple restarts of the primary node. Upon inspecting the logs I saw
```
2023-03-27 21:27:20,165 ERROR: create_config_service failed
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 950, in _create_config_service
    if not self._api.create_namespaced_service(self._namespace, body):
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 483, in wrapper
    return getattr(self._core_v1_api, func)(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 419, in wrapper
    return self._api_client.call_api(method, path, headers, body, **kwargs)
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 388, in call_api
    return self._handle_server_response(response, _preload_content)
  File "/usr/lib/python3/dist-packages/patroni/dcs/kubernetes.py", line 218, in _handle_server_response
    raise k8s_client.rest.ApiException(http_resp=response)
patroni.dcs.kubernetes.K8sClient.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': '6f61849e-2713-4cf9-960c-1b37f81a857b', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '07f5f817-c1f7-4ea4-9bde-892c11b4ecb0', 'X-Kubernetes-Pf-Prioritylevel-Uid': '9e745d7c-26e9-4dcb-8469-44fcdfbfa5da', 'Date': 'Mon, 27 Mar 2023 21:27:20 GMT', 'Content-Length': '335'})
HTTP response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"services is forbidden: User \"system:serviceaccount:billing-platform:billing-platform-timescaledb\" cannot create resource \"services\" in API group \"\" in the namespace \"billing-platform\"","reason":"Forbidden","details":{"kind":"services"},"code":403}\n'
```
I manually added privileges to the Role for services and the error went away.
Did you expect to see something different?
That there shouldn't be an error.
How to reproduce it (as minimally and precisely as possible):
Deploy the chart?
Environment
Which helm chart and what version are you using?
timescaledb-single 0.30.0
What is in your values.yaml?
```yaml
timescaledb-single:
  replicaCount: 2
  secrets:
    credentialsSecretName: "billing-platform-timescaledb-patroni"
    pgbackrestSecretName: "billing-platform-timescaledb-pgbackrest"
  backup:
    enabled: true
  service:
    primary:
      type: LoadBalancer
      port: 5432
    replica:
      type: LoadBalancer
      port: 5432
  persistentVolumes:
    data:
      enabled: true
      size: 250Gi
      storageClass: gp3-iops3k
    wal:
      enabled: true
      size: 25Gi
      storageClass: gp3-iops3k
  resources:
    limits:
      cpu: 2000m
      memory: 8192Mi
    requests:
      cpu: 2000m
      memory: 8192Mi
  sharedMemory:
    useMount: true
  pgBouncer:
    enabled: true
    port: 6432
    config:
      max_client_conn: 5000
      default_pool_size: 25
  prometheus:
    enabled: true
```
Kubernetes version information:
```
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.3", GitCommit:"9e644106593f3f4aa98f8a84b23db5fa378900bd", GitTreeState:"clean", BuildDate:"2023-03-15T13:33:11Z", GoVersion:"go1.19.7", Compiler:"gc", Platform:"darwin/arm64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"24+", GitVersion:"v1.24.10-eks-48e63af", GitCommit:"9176fb99b52f8d5ff73d67fea27f3a638f679f8a", GitTreeState:"clean", BuildDate:"2023-01-24T19:17:48Z", GoVersion:"go1.19.5", Compiler:"gc", Platform:"linux/amd64"}
```
Kubernetes cluster kind:
AWS EKS via terraform
Anything else we need to know?:
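The 403 body in the traceback above carries everything needed to write the least-privilege fix: the subject (the chart's ServiceAccount), the verb (`create`), the resource (`services`), the API group (core, `""`) and the namespace. The following script is an added example, not code from the timescaledb-single chart or from Patroni. It parses a Kubernetes `Status` body of that shape into its parts, emits a Role (or ClusterRole when the denial says "at the cluster scope") granting exactly the denied verb on the denied resource, and prints the `kubectl auth can-i` invocation that verifies the grant by impersonating the same ServiceAccount. The Role name and the cluster-scoped sample message in the test are constructed placeholders; the issue's own response body is embedded as the sample input.

```python
"""Turn a Kubernetes 403 "Forbidden" Status body into the least-privilege RBAC rule
that would satisfy it, plus the kubectl command that verifies the fix.

Added example for this issue; not code from the timescaledb-single chart or Patroni.
The default role name is a placeholder.
"""
import json
import re

# 403 response body copied from the Patroni traceback in the issue (trailing newline dropped).
ISSUE_BODY = r'''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"services is forbidden: User \"system:serviceaccount:billing-platform:billing-platform-timescaledb\" cannot create resource \"services\" in API group \"\" in the namespace \"billing-platform\"","reason":"Forbidden","details":{"kind":"services"},"code":403}'''

# Shape of the message the API server's RBAC authorizer returns for a denied request;
# the final alternative covers cluster-scoped resources.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)


def parse_forbidden(body: str) -> dict:
    """Parse a Status JSON body into user/verb/resource/group/namespace.

    namespace is None when the denial was cluster-scoped."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        raise ValueError("not a 403 Status object")
    message = status.get("message", "")
    match = FORBIDDEN_RE.search(message)
    if match is None:
        raise ValueError("unrecognised Forbidden message: " + message)
    return match.groupdict()


def serviceaccount_parts(user: str):
    """Split 'system:serviceaccount:<ns>:<name>' into (ns, name); None for other subjects."""
    parts = user.split(":")
    if len(parts) == 4 and parts[0] == "system" and parts[1] == "serviceaccount":
        return parts[2], parts[3]
    return None


def role_yaml(denial: dict, role_name: str = "missing-permission") -> str:
    """Emit a Role (namespaced) or ClusterRole granting only the denied verb on the denied resource."""
    kind = "Role" if denial["namespace"] else "ClusterRole"
    lines = [
        "apiVersion: rbac.authorization.k8s.io/v1",
        f"kind: {kind}",
        "metadata:",
        f"  name: {role_name}",
    ]
    if denial["namespace"]:
        lines.append(f"  namespace: {denial['namespace']}")
    lines += [
        "rules:",
        f'  - apiGroups: ["{denial["group"]}"]',
        f'    resources: ["{denial["resource"]}"]',
        f'    verbs: ["{denial["verb"]}"]',
    ]
    return "\n".join(lines) + "\n"


def can_i_command(denial: dict) -> str:
    """kubectl invocation that re-checks the denied request while impersonating the same subject."""
    resource = denial["resource"]
    if denial["group"]:
        resource = f"{resource}.{denial['group']}"  # kubectl's resource.group form, e.g. deployments.apps
    cmd = ["kubectl", "auth", "can-i", denial["verb"], resource, f"--as={denial['user']}"]
    if denial["namespace"]:
        cmd += ["-n", denial["namespace"]]
    return " ".join(cmd)


if __name__ == "__main__":
    denial = parse_forbidden(ISSUE_BODY)
    ns, name = serviceaccount_parts(denial["user"])
    print(f"# denied subject: ServiceAccount {name} in namespace {ns}")
    print(role_yaml(denial, role_name="billing-platform-timescaledb"))
    print("# verify after applying the rule:")
    print(can_i_command(denial))
```

Run against the issue's body this prints a Role in `billing-platform` with a single rule for `create` on `services` in the core API group, followed by `kubectl auth can-i create services --as=system:serviceaccount:billing-platform:billing-platform-timescaledb -n billing-platform`, which should answer `yes` once the rule is bound to the ServiceAccount. In practice the rule belongs in the chart's existing Role rather than a separate object, and because the script grants only the one verb that was denied, it should be re-run on the next denial in the log if Patroni then fails on a different verb or resource.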