    Pavel Tatarskiy
    @vintikzzz
    Got "ETCD storage quota exceeded" today
    Hi
    Unable to start any new pod (
    now try to update to new minor version 1.12
    maybe this helps
    Pavel Tatarskiy
    @vintikzzz

    now try to update to new minor version 1.12

    it was a bad idea, cluster stuck on update

    Pavels-iMac:frontend vintikzzzz$ kubectl version
    Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.0", GitCommit:"e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529", GitTreeState:"clean", BuildDate:"2019-06-20T04:49:16Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"darwin/amd64"}
    Unable to connect to the server: EOF
    Thomas Coudert
    @thcdrt
    Hi Pavel, can you send me your cluster id in private please?
    Pavel Tatarskiy
    @vintikzzz
    @thcdrt sure!
    Patrick FILIPE
    @alca_f_twitter
    Hello,
    I've a question related to volumeMounts timing:
    I would like to persist some tunable configuration files used when my container starts. Those files are in the container image with default values, and I would like to point to persisted files and make the container run with those persisted files.
    I've tried with the volumeMounts object in the container definition, but with this the container never starts, as no files are persisted yet when the container starts for the first time… It would be nice if the volumeMounts were pointed after the container starts, followed by a restart of the container to read the persisted files.
    ==> How can I resolve this starting problem?
    Thanks for your support.
    Ghost
    @ghost~5bc6039cd73408ce4faba551
    You can run your pod with an init-container. Mount the volume on another folder. And do a copy. (https://kubernetes.io/docs/concepts/workloads/pods/init-containers/).
    Or you can do the same manually only the first time.
    Michał Frąckiewicz
    @SystemZ

    Hi, anyone installed ArgoCD on OVH k8s?
    I'm getting something like this when syncing using default install:

    ComparisonError: appprojects.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-application-controller" cannot list appprojects.argoproj.io at the cluster scope;ComparisonError: appprojects.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-application-controller" cannot list appprojects.argoproj.io at the cluster scope

    Not sure if it's my fault, a bug in argo or related to this offer.
    This issue is similar: argoproj/argo-cd#2176

    Christian
    @zeeZ
    @SystemZ it's just missing permissions, so whatever default install you did didn't come with the right rbac
    Michał Frąckiewicz
    @SystemZ
    ok, thanks for the info, I will need an additional or modified ClusterRoleBinding, right?
    Christian
    @zeeZ
    I'm looking at the v1.2.0 non-ha release on github, looks like there is an argocd-application-controller clusterrole and CRB that should contain anything
    I've seen these two files, I think I need to modify them, no idea how :(
    Christian
    @zeeZ
    Michał Frąckiewicz
    @SystemZ
    I already have that, however those scary wildcard permissions didn't work
    Christian
    @zeeZ
    good :D normally that's a paddling
    you want apiGroups argoproj.io, resources appprojects and verbs list, and then repeat for everything else it'll complain about
    Michał Frąckiewicz
    @SystemZ
    oh, so wildcard is denying access?
    I just need to whitelist what it's using?
    Christian
    @zeeZ
    no, wildcard is anything, so that file gives permission to pretty much everything
    Michał Frąckiewicz
    @SystemZ
    ok so if it has access to everything and it's like chmod 777, why is it still complaining :P
    Christian
    @zeeZ
    well the ServiceAccount seems to be there since it's being used, it's either the ClusterRoleBinding or the ClusterRole that's missing (or missing that specific permission)
    Michał Frąckiewicz
    @SystemZ
    ok so I'm adding those groups, it changes errors, hope I will finish typing them today :D
    Christian
    @zeeZ
    I wonder if there's a code analysis tool that can try to extract all required permissions from standard API usage in go source, but that's probably a bit complicated
    Michał Frąckiewicz
    @SystemZ
    is there a reason that * won't just work?

    ehh, it's not working, items in this list don't stop the errors, they appear again, it's just an illusion that they are gone, it's in random order

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      labels:
        app.kubernetes.io/name: argocd-application-controller
        app.kubernetes.io/part-of: argocd
        app.kubernetes.io/component: application-controller
      name: argocd-application-controller
    rules:
    - apiGroups:
      - "bgpconfigurations.crd.projectcalico.org"
      - "appprojects.argoproj.io"
      - "applications.argoproj.io"
      - "ippools.crd.projectcalico.org"
      - "storageclasses.storage.k8s.io"
      - "persistentvolumeclaims"
      - "mutatingwebhookconfigurations.admissionregistration.k8s.io"
      - "certificatesigningrequests.certificates.k8s.io"
      - "statefulsets.apps"
      - "deployments.extensions"
      - "priorityclasses.scheduling.k8s.io"
      - "podsecuritypolicies.policy"
      - "namespaces"
      - "replicasets.extensions"
      - "felixconfigurations.crd.projectcalico.org"
      - "controllerrevisions.apps"
      resources:
      - '*'
      verbs:
      - '*'
    - nonResourceURLs:
      - '*'
      verbs:
      - '*'

    I think I'm doing something very wrong and I don't even know it

    Christian
    @zeeZ
    appprojects is a resource in the group argoproj.io
    Michał Frąckiewicz
    @SystemZ
    oh
    Christian
    @zeeZ
    move before dot into resources and everything after as apigroups and hope for the best, or if you want to do it "properly" you'd do one rules entry per api group
    Christian
    @zeeZ
    why those wildcards are not working I don't know, maybe someone more knowledgeable would
    Michał Frąckiewicz
    @SystemZ
    still no dice, listing it like this doesn't help either :/
    rules:
      - apiGroups:
          - ""
        resources:
          - namespaces
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - persistentvolumeclaims
        verbs:
          - get
      - apiGroups:
          - apps
        resources:
          - statefulsets
        verbs:
          - list
      - apiGroups:
          - argoproj.io
        resources:
          - appprojects
        verbs:
          - list
    I hoped that k8s can save me time, not something like this
    Christian
    @zeeZ
    If that's not working at all and the bindings are correct then I dunno, did you edit and forget to apply again?
    Michał Frąckiewicz
    @SystemZ
    I'm applying, dirs, filenames, double checked
    maybe there is some other project that would help me apply changes made in git?
    or should I just use standard CI gitlabci/jenkins and drop this idea entirely?

    last chance, I see in docs
    https://argoproj.github.io/argo-cd/getting_started/

    On GKE, you will need grant your account the ability to create new cluster roles:
    kubectl create clusterrolebinding YOURNAME-cluster-admin-binding --clusterrole=cluster-admin --user=YOUREMAIL@gmail.com

    maybe something similar is needed for OVH too?

    Amine
    @A-Hilaly
    If a GitOps operator is what you're looking for you can take a look at "flux"
    weaveworks got some great tools around GitOps also
    Michał Frąckiewicz
    @SystemZ
    I'll look into it but I'm wondering if that same issue applies to this project too :/
    @zeeZ had some long yamls for that
    Christian
    @zeeZ
    To an extent, yes. When I created that they had full access rbac rules as well
    It is weird that your rules don't work though
    Michał Frąckiewicz
    @SystemZ
    yea, it's strange, I'm already discussing this on argo Slack