[Feature] Better error message when raw requests are denied for permissions reasons. · Issue #12206 · kyverno/kyverno · GitHub

[Feature] Better error message when raw requests are denied for permissions reasons. #12206


Open
2 tasks done
eitah opened this issue Feb 19, 2025 · 2 comments
Labels
API Call Use case for API Server calls to fetch JSON data Contribfest Good first issues for KubeCon EU 2024 enhancement New feature or request triage Default label assigned to all new issues indicating label curation is needed to fully organize.

Comments

@eitah
eitah commented Feb 19, 2025

Problem Statement

We tried to add an external data source call to the Kubernetes API but faced the below ambiguous error from the Kyverno API:

no-gce-persistent-disks: |-
    failed to evaluate preconditions: failed to substitute variables in condition key: failed to resolve storage at path : failed to fetch data for APICall: failed to GET resource with raw url
    : /apis/storage.k8s.io/v1/csistoragecapacities: unknown

The real error when we turned on verbosity 9 was that we were missing RBAC for the API call we were trying to make:

kyverno-admission-controller-946f77dd8-nkkz8 kyverno {"level":"-7","v":8,"logger":"klog","time":"2025-02-19T15:37:18Z","message":"Response Body: {\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"volumeattachments.storage.k8s.io is forbidden: User \\\"system:serviceaccount:kyverno:kyverno-admission-controller\\\" cannot list resource \\\"volumeattachments\\\" in API group \\\"storage.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"storage.k8s.io\",\"kind\":\"volumeattachments\"},\"code\":403}"}

Solution Description

Instead of burying the real error at verbosity 8, the Kyverno client should react to code "403" errors and escalate up "forbidden" to the caller.

Alternatives

No response

Additional Context

I realize y'all don't control the K8s client necessarily, so such a request might not be feasible.

Slack discussion

No response

Research

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
@eitah eitah added enhancement New feature or request triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Feb 19, 2025
@dosubot dosubot bot added the API Call Use case for API Server calls to fetch JSON data label Feb 19, 2025
@MariamFahmy98 MariamFahmy98 added the Contribfest Good first issues for KubeCon EU 2024 label Apr 1, 2025
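
The behaviour requested above, sketched as an added example that is not Kyverno's code and not part of the original issue: parse the Status body that the API server returns on a failed raw request and put its reason and message into the error the caller sees. The names `describeRawFailure`, `ErrForbidden` and `apiStatus` are hypothetical, and `sampleBody` is constructed from the Response Body in the log line quoted in the issue.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// apiStatus holds the fields of a Kubernetes Status response body used here.
type apiStatus struct {
	Kind    string `json:"kind"`
	Message string `json:"message"`
	Reason  string `json:"reason"`
	Code    int    `json:"code"`
}

// ErrForbidden (hypothetical) lets callers detect an RBAC denial with errors.Is.
var ErrForbidden = errors.New("forbidden")

// describeRawFailure (hypothetical helper) builds an error for a failed raw
// API request that names the real cause instead of ending in "unknown".
func describeRawFailure(method, path string, httpCode int, body []byte) error {
	prefix := fmt.Sprintf("failed to %s resource with raw url %s", method, path)
	var st apiStatus
	if err := json.Unmarshal(body, &st); err != nil || st.Kind != "Status" {
		// Body is not a Status object: fall back to the HTTP status line.
		return fmt.Errorf("%s: HTTP %d %s", prefix, httpCode, http.StatusText(httpCode))
	}
	if httpCode == http.StatusForbidden || st.Code == http.StatusForbidden {
		// RBAC denial: wrap the sentinel and keep the server's message,
		// which names the service account, verb, resource and scope.
		return fmt.Errorf("%s: %w: %s", prefix, ErrForbidden, st.Message)
	}
	return fmt.Errorf("%s: %s (%d): %s", prefix, st.Reason, st.Code, st.Message)
}

// sampleBody is constructed from the Response Body in the log line above.
const sampleBody = `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"volumeattachments.storage.k8s.io is forbidden: User \"system:serviceaccount:kyverno:kyverno-admission-controller\" cannot list resource \"volumeattachments\" in API group \"storage.k8s.io\" at the cluster scope","reason":"Forbidden","details":{"group":"storage.k8s.io","kind":"volumeattachments"},"code":403}`

func main() {
	// The request path is constructed to match the resource named in sampleBody.
	err := describeRawFailure("GET", "/apis/storage.k8s.io/v1/volumeattachments", 403, []byte(sampleBody))
	fmt.Println(err)
	fmt.Println("forbidden:", errors.Is(err, ErrForbidden))
}
```
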
@soma-kurisu

@eitah, @MariamFahmy98 I'll take a look into it.

@chetak123
Contributor

Hey @soma-kurisu, are you still working on the issue?
If not, I would really like to take this up.

4 participants