Great, thanks Jordan.

On 30 June 2016 at 09:14, Jordan Liggitt <[email protected]> wrote:

> You need to grant the pod's service account a role within the project
> capable of viewing config maps (like
> `oc policy add-role-to-user view -n dev -z myserviceaccount`)
>
>
> On Jun 29, 2016, at 7:09 PM, Lewis Shobbrook <[email protected]> wrote:
>
> Just out of interest, how would one go about assigning permissions to a
> pod to be able to perform the ConfigMap lookup?
> I've not found much by way of documentation so far.
>
> Cheers
>
> On 30 June 2016 at 08:25, Lewis Shobbrook <[email protected]> wrote:
>
>> Thanks for the quick response.
>>
>> We were attempting a lookup, but will pursue the mount option.
>>
>> Cheers
>>
>>
>> On 30 June 2016 at 01:11, Luke Meyer <[email protected]> wrote:
>>
>>> former, latter... they're just words right? yeah.
>>>
>>> On Wed, Jun 29, 2016 at 11:08 AM, Jordan Liggitt <[email protected]>
>>> wrote:
>>>
>>>> Other way around... mounting a config map doesn't require the service
>>>> account to have special permissions. Reading a configmap via an API call
>>>> from within a pod does.
>>>>
>>>> On Wed, Jun 29, 2016 at 10:58 AM, Luke Meyer <[email protected]> wrote:
>>>>
>>>>> Are you trying to mount the configmap or read from it? The latter does
>>>>> not require any extra role for the pod service account.
>>>>>
>>>>> On Wed, Jun 29, 2016 at 8:46 AM, Lewis Shobbrook <[email protected]> wrote:
>>>>>
>>>>>> Hi Guys,
>>>>>> Having some trouble with configmaps with our pods.
>>>>>>
>>>>>> In the pods logs we see the following...
>>>>>>
>>>>>> 2016-06-28 02:45:55.055 [INFO] [0000-main] [au.com.consealed.service.interfac.config.SpringConfig] ConfigMapConfigProperties: ppe
>>>>>> 2016-06-28 02:46:46.046 [WARN] [0000-main] [io.fabric8.spring.cloud.kubernetes.config.ConfigMapPropertySource] Can't read configMap with name: [ppe] in namespace:[dev]. Ignoring
>>>>>> io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/dev/configmaps/ppe. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked.
>>>>>>
>>>>>> From oc rsh ...
>>>>>>
>>>>>> sh-4.2$ curl -k -H "Authorization: oAuth XXX" https://kubernetes.default.svc/api/v1/namespaces/dev/configmap
>>>>>> {
>>>>>>   "kind": "Status",
>>>>>>   "apiVersion": "v1",
>>>>>>   "metadata": {},
>>>>>>   "status": "Failure",
>>>>>>   "message": "User \"system:anonymous\" cannot get configmaps in project \"dev\"",
>>>>>>   "reason": "Forbidden",
>>>>>>   "details": {
>>>>>>     "name": "ppe",
>>>>>>     "kind": "configmaps"
>>>>>>   },
>>>>>>   "code": 403
>>>>>> }
>>>>>>
>>>>>> I'm pretty green with this, but what do I need to do to provide a pod
>>>>>> within the same namespace the correct access to the configmap?
>>>>>> I can see secrets are mounted correctly within
>>>>>> /run/secrets/kubernetes.io/serviceaccount/ within the pod
>>>>>>
>>>>>> oc version
>>>>>> oc v1.2.0-rc1
>>>>>> kubernetes v1.2.0-36-g4a3f9c5
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Lew
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> users mailing list
>>>>>> [email protected]
>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
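An added example, not part of the original thread: a small diagnostic that reads a 403 `Status` body like the one quoted above and separates "the request was never authenticated" (`system:anonymous`) from "the service account is authenticated but has no role", producing the `oc policy add-role-to-user` command from Jordan's reply in the second case. The function name `diagnose` and the second sample body are constructed for illustration; the service-account message is assumed to follow the same format as the anonymous one in the thread.

```python
import json
import re

# ANON_403 is the response body quoted in the thread. SA_403 is constructed in
# the same format, for a request that did authenticate as a service account.
ANON_403 = r'''{"kind": "Status", "apiVersion": "v1", "metadata": {},
 "status": "Failure",
 "message": "User \"system:anonymous\" cannot get configmaps in project \"dev\"",
 "reason": "Forbidden", "details": {"name": "ppe", "kind": "configmaps"},
 "code": 403}'''
SA_403 = ANON_403.replace("system:anonymous", "system:serviceaccount:dev:default")

MSG = re.compile(r'User "(?P<user>[^"]+)" cannot \w+ \w+ in project "(?P<project>[^"]+)"')
SA = re.compile(r"system:serviceaccount:(?P<ns>[^:]+):(?P<name>[^:]+)$")


def diagnose(body: str) -> dict:
    """Tell an authentication failure from a missing role in a 403 Status body."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        return {"problem": "not-a-403-status", "fix": None}
    m = MSG.search(status.get("message", ""))
    if m is None:
        return {"problem": "unrecognized-message", "fix": None}
    user, project = m["user"], m["project"]
    if user == "system:anonymous":
        # No identity was established, so granting roles to the service
        # account would change nothing; the credentials must be fixed first.
        return {"problem": "unauthenticated", "user": user,
                "fix": "send the mounted token as 'Authorization: Bearer <token>'"}
    sa = SA.match(user)
    if sa is None:
        return {"problem": "unauthorized", "user": user, "fix": None}
    # Authenticated but no role allows the request. 'view' is the read-only
    # role suggested in the thread; -z names a service account in the -n project.
    who = f"-z {sa['name']}" if sa["ns"] == project else user
    return {"problem": "unauthorized", "user": user,
            "fix": f"oc policy add-role-to-user view -n {project} {who}"}


if __name__ == "__main__":
    for sample in (ANON_403, SA_403):
        print(diagnose(sample))
```

Granting `view` gives read access to most resources in the project, not only config maps, which is one more reason the mount option discussed in the thread is the lower-privilege choice when the pod only needs the values.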
