Just out of interest, how would one go about assigning permissions to a pod to be able to perform the ConfigMap lookup ? I've not found much by way of documentation so far.
Cheers On 30 June 2016 at 08:25, Lewis Shobbrook < [email protected]> wrote: > Thanks for the quick response. > > We were attempting a lookup, but will pursuit the mount option. > > Cheers > > > On 30 June 2016 at 01:11, Luke Meyer <[email protected]> wrote: > >> former, latter... they're just words right? yeah. >> >> On Wed, Jun 29, 2016 at 11:08 AM, Jordan Liggitt <[email protected]> >> wrote: >> >>> Other way around... mounting a config map doesn't require the service >>> account to have special permissions. Reading a configmap via an API call >>> from within a pod does. >>> >>> On Wed, Jun 29, 2016 at 10:58 AM, Luke Meyer <[email protected]> wrote: >>> >>>> Are you trying to mount the configmap or read from it? The latter does >>>> not require any extra role for the pod service account. >>>> >>>> On Wed, Jun 29, 2016 at 8:46 AM, Lewis Shobbrook < >>>> [email protected]> wrote: >>>> >>>>> Hi Guys, >>>>> Having some trouble with configmaps with our pods. >>>>> >>>>> In the pods logs we see the following... >>>>> >>>>> 2016-06-28 02:45:55.055 [INFO] [0000-main] >>>>> [au.com.consealed.service.interfac.config.SpringConfig] >>>>> ConfigMapConfigProperties: ppe >>>>> 2016-06-28 02:46:46.046 [WARN] [0000-main] >>>>> [io.fabric8.spring.cloud.kubernetes.config.ConfigMapPropertySource] >>>>> Can't read configMap with name: [ppe] in namespace:[dev]. Ignoring >>>>> io.fabric8.kubernetes.client.KubernetesClientException: Failure >>>>> executing: GET at: >>>>> https://kubernetes.default.svc/api/v1/namespaces/dev/configmaps/ppe. >>>>> Message: Forbidden!Configured service account doesn't have access. Service >>>>> account may have been revoked. >>>>> >>>>> From oc rsh ... >>>>> >>>>> sh-4.2$ curl -k -H "Authorization: oAuth XXX" >>>>> https://kubernetes.default.svc/api/v1/namespaces/dev/configmap >>>>> { >>>>> "kind": "Status", >>>>> "apiVersion": "v1", >>>>> "metadata": {}, >>>>> "status": "Failure", >>>>> "message": "User \"system:anonymous\" cannot get configmaps in project >>>>> \"dev\"", >>>>> "reason": "Forbidden", >>>>> "details": { >>>>> "name": "ppe", >>>>> "kind": "configmaps" >>>>> }, >>>>> "code": 403 >>>>> } >>>>> >>>>> I'm pretty green with this, but what do I need to do to provide a pod >>>>> within the the same namespace the correct access to the configmap? >>>>> I can see secrets are mounted correctly within /run/secrets/ >>>>> kubernetes.io/serviceaccount/ within the pod >>>>> >>>>> oc version >>>>> oc v1.2.0-rc1 >>>>> kubernetes v1.2.0-36-g4a3f9c5 >>>>> >>>>> Cheers >>>>> >>>>> Lew >>>>> >>>>> >>>>> _______________________________________________ >>>>> users mailing list >>>>> [email protected] >>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users >>>>> >>>>> >>>> >>>> _______________________________________________ >>>> users mailing list >>>> [email protected] >>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users >>>> >>>> >>> >> >
_______________________________________________ users mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/users
