
RE: error querying AWS EBS volume from 'oc create'



What recourse do I have? Run an earlier version of Openshift Origin with which users were able to create persistent volumes with AWS EBS volumes. Try S3?

 

My top-level goal here is to assign persistent storage to Openshift’s Docker registry. What’s the simplest way to do that which works for Openshift Origin v1.5.0 all-in-one?

 

Thanks again for your prompt responses.

 

               -David

 

From: Jordan Liggitt [mailto:jliggitt redhat com]
Sent: Friday, March 24, 2017 2:53 PM
To: Vyacheslav Semushin <vsemushi redhat com>
Cc: David VOGEL <David Vogel raytheon com>; users lists openshift redhat com
Subject: Re: error querying AWS EBS volume from 'oc create'

 

I'm assuming that request was made as the cluster admin using the certificate credentials. The 403 is not coming from the API server's authorization (or it would indicate which user was rejected), it is coming from something the API server is doing internally.

Looks like here: https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/admission/persistentvolume/label/admission.go#L86


 

On Fri, Mar 24, 2017 at 2:42 PM, Vyacheslav Semushin <vsemushi redhat com> wrote:

Hello,

you have to provide a token. Without it, you're requesting as an anonymous user:
"If no access token or certificate is presented, the authentication layer assigns the system:anonymous virtual user and the system:unauthenticated virtual group to the request. "

 

2017-03-24 19:19 GMT+01:00 David VOGEL <David Vogel raytheon com>:

I’m unable to create a persistent volume because the API fails (403) trying to list the AWS EBS volumes attached to my EC2 host.

 

I’ve installed Openshift Origin 1.5.0 on an EC2 host that has an attached EBS volume. I’m running an all-in-one instance.

 

In the oc CLI, I am logged in as system:admin.

 

I can query the top-level of the restful apis with curl, so CURL_CA_BUNDLE is set correctly:

 

            curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: oc/v1.5.0 openshift/cf6a722" https://<ip>:8443/oapi/v1

and https://<ip>:8443/api/v1

 

But I fail when trying to list resources e.g.: http://<ip>:8443/api/v1/persistentvolumes  or policybindings

 

When I try to create a persistent volume with ‘oc create -f aws-pv.yaml’  the failure occurs in Kubernetes code trying to retrieve EBS volumes using an AWS SDK call to a function named like describe-volumes.

 

I successfully list AWS EBS volumes on my EC2 host using the AWS cli:  aws ec2 describe-volumes

AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are set. 

 

Here’s the relevant section of the log generated by my ‘oc create’ call:

 

I0324 08:23:17.827082   17537 round_trippers.go:299] curl -k -v -XPOST  -H "Accept: application/json" -H "Content-Type: application/json" -H "User-Agent: oc/v1.4.0+776c994 (linux/amd64) kubernetes/a9e9cf3" https://10.3.1.55:8443/api/v1/persistentvolumes
I0324 08:23:17.865710   17537 round_trippers.go:318] POST https://10.3.1.55:8443/api/v1/persistentvolumes 403 Forbidden in 38 milliseconds
I0324 08:23:17.865728   17537 round_trippers.go:324] Response Headers:
I0324 08:23:17.865738   17537 round_trippers.go:327]     Date: Fri, 24 Mar 2017 15:23:17 GMT
I0324 08:23:17.865745   17537 round_trippers.go:327]     Content-Length: 435
I0324 08:23:17.865750   17537 round_trippers.go:327]     Cache-Control: no-store
I0324 08:23:17.865754   17537 round_trippers.go:327]     Content-Type: application/json
I0324 08:23:17.865805   17537 request.go:908] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"persistentvolumes \"pv0001\" is forbidden: error querying AWS EBS volume vol-05dffe55de3ac725db: error querying ec2 for volume info: error listing AWS volumes: UnauthorizedOperation: You are not authorized to perform this operation.\n\tstatus code: 403, request id:","reason":"Forbidden","details":{"name":"pv0001","kind":"persistentvolumes"},"code":403}
I0324 08:23:17.866030   17537 helpers.go:199] server response object: [{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "error when creating \"aws-persistent-volume.yaml\": persistentvolumes \"pv0001\" is forbidden: error querying AWS EBS volume vol-05dffe55de3ac725db: error querying ec2 for volume info: error listing AWS volumes: UnauthorizedOperation: You are not authorized to perform this operation.\n\tstatus code: 403, request id: ",
  "reason": "Forbidden",
  "details": {
    "name": "pv0001",
    "kind": "persistentvolumes"
  },
  "code": 403
}]

 

               Thanks in advance,

               David Vogel

 

 

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users




--

Slava Semushin | OpenShift
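
The distinction drawn in this thread, that a 403 from the API server's authorization layer names the rejected user while this 403 carries an AWS error raised inside the server, can be checked mechanically on the Status body. This is an added example, not part of the original messages; the authorization-denial body is constructed, and the message patterns it matches are assumptions about wording rather than a documented format.

```python
import json
import re

# Status body copied from the 'oc create' log quoted in this thread.
ADMISSION_403 = r'''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"persistentvolumes \"pv0001\" is forbidden: error querying AWS EBS volume vol-05dffe55de3ac725db: error querying ec2 for volume info: error listing AWS volumes: UnauthorizedOperation: You are not authorized to perform this operation.\n\tstatus code: 403, request id:","reason":"Forbidden","details":{"name":"pv0001","kind":"persistentvolumes"},"code":403}'''

# Constructed sample (assumed wording) of an authorization-layer denial,
# which identifies the user that was rejected.
AUTHZ_403_CONSTRUCTED = r'''{"kind":"Status","status":"Failure","message":"User \"system:anonymous\" cannot list persistentvolumes","reason":"Forbidden","code":403}'''

# Assumed patterns: an authorization denial names a user; an AWS SDK error
# is rendered as "<Code>: <text>\n\tstatus code: <n>, request id: ...".
USER_DENIED = re.compile(r'User "([^"]+)" cannot ')
AWS_ERROR = re.compile(r'(\w+): [^:\n]*\n\tstatus code: (\d+)')
EBS_VOLUME = re.compile(r'error querying AWS EBS volume ([\w-]+)')


def classify_403(body: str) -> dict:
    """Say which layer produced a 403 Status returned by the API server."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        return {"origin": "not-a-403-status"}
    message = status.get("message", "")

    user = USER_DENIED.search(message)
    if user:
        # The API server rejected the caller: check the token or certificate
        # presented and the roles bound to that user.
        return {"origin": "api-authorization", "user": user.group(1)}

    aws = AWS_ERROR.search(message)
    if aws:
        # The caller was accepted; a call the API server made to AWS was
        # refused, so the credentials to check are the server process's own.
        volume = EBS_VOLUME.search(message)
        return {
            "origin": "cloud-provider",
            "aws_error": aws.group(1),
            "aws_status": aws.group(2),
            "volume": volume.group(1) if volume else None,
        }
    return {"origin": "unknown"}


if __name__ == "__main__":
    for sample in (ADMISSION_403, AUTHZ_403_CONSTRUCTED):
        print(classify_403(sample))
```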



 

