aron-ac opened a new issue, #6987:
URL: https://github.com/apache/cloudstack/issues/6987
##### ISSUE TYPE
* Bug Report
##### COMPONENT NAME
~~~
Kubernetes Kubeadmin
~~~
##### CLOUDSTACK VERSION
~~~
4.17.1.0
~~~
##### CONFIGURATION
Advanced Networking KVM Zone, Domain Admin User Role in a Project
##### OS / ENVIRONMENT
kubernetes 1.24
##### SUMMARY
It appears https://github.com/apache/cloudstack/issues/6344 started to
address the issue of project-based users and Kubernetes, but looking at the fix,
it looks to have only been applied for auto scaling perhaps.
Inside of a project as a domain admin, kubeadmin does not work from inside
the k8s cluster kube.conf using kubectl. I cannot acquire a new IP address for
an ingress controller and presumably cannot complete any tasks as kubeadmin
because, looking at CloudStack events, kubeadmin is never called.
##### STEPS TO REPRODUCE
~~~
I tested this by creating a k8s cluster as an admin account and, from inside
the k8s cluster, creating an nginx ingress controller. There was no issue:
```
% kubectl --namespace default get services -o wide -w nginx-ingress-ingress-nginx-controller
NAME                                     TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE   SELECTOR
nginx-ingress-ingress-nginx-controller   LoadBalancer   10.100.126.176   45.38.46.88   80:32279/TCP,443:30353/TCP   25s   app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
```
Then I created a project and created a domain admin user for that project
and deployed another k8s cluster and attempted to deploy an nginx ingress
controller and a traefik ingress, but the external IP stayed in a pending state:
```
% kubectl --namespace default get services -o wide -w nginx-ingress-ingress-nginx-controller
NAME                                     TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE     SELECTOR
nginx-ingress-ingress-nginx-controller   LoadBalancer   10.98.170.156   <pending>     80:32737/TCP,443:32628/TCP   5m36s   app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
```
Looking in the CloudStack events, I noticed that with the normal account,
kubeadmin successfully acquired the new pub IP for a load balancer in
CloudStack (nginx ingress in k8s). But in the project account domain admin,
kubeadmin was never recognized.
~~~
##### EXPECTED RESULTS
~~~
As a project user deploying a k8s cluster, I should still be able to use
kubectl and access CloudStack kubeadmin.
```
ac-demo % helm install nginx-ingress ingress-nginx/ingress-nginx --set controller.publishService.enabled=true
NAME: nginx-ingress
LAST DEPLOYED: Tue Oct 25 20:40:16 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
```
then
```
% kubectl --namespace default get services -o wide -w nginx-ingress-ingress-nginx-controller
NAME                                     TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE   SELECTOR
nginx-ingress-ingress-nginx-controller   LoadBalancer   10.100.126.176   45.38.46.88   80:32279/TCP,443:30353/TCP   25s   app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
```
~~~
##### ACTUAL RESULTS
~~~
```
ac-demo % helm install nginx-ingress ingress-nginx/ingress-nginx --set controller.publishService.enabled=true
NAME: nginx-ingress
LAST DEPLOYED: Tue Oct 25 20:40:16 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
```
then
```
% kubectl --namespace default get services -o wide -w nginx-ingress-ingress-nginx-controller
NAME                                     TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE     SELECTOR
nginx-ingress-ingress-nginx-controller   LoadBalancer   10.98.170.156   <pending>     80:32737/TCP,443:32628/TCP   5m36s   app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
```
~~~