Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[charts/gha-runner-scale-set-controller] Add missing RBAC permissions on events to the ClusterRole gha-runner-scale-set-controller-gha-rs-controller #3488

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[charts/gha-runner-scale-set-controller] Add missing RBAC permissions on events to the ClusterRole gha-runner-scale-set-controller-gha-rs-controller #3488

wants to merge 1 commit into from
+9 −0

Conversation

alpozcan
Copy link

@alpozcan alpozcan commented May 1, 2024

With a clean deployment of oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller, version 0.9.1, the following error is observed in the logs:

$ kubectl -n gha-runners logs gha-runner-scale-set-controller-gha-rs-controller-69bb5cfbff2xg
I0501 02:16:19.002950       1 leaderelection.go:250] attempting to acquire leader lease gha-runners/gha-runner-scale-set-controller-gha-rs-controller...
I0501 02:16:35.768876       1 leaderelection.go:260] successfully acquired lease gha-runners/gha-runner-scale-set-controller-gha-rs-controller
E0501 02:16:35.779247       1 event.go:280] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"gha-runner-scale-set-controller-gha-rs-controller.17cb3bc3e99fa4f1", GenerateName:"", Namespace:"gha-runners", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), DeletionTimestamp:<nil>, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ManagedFields:[]v1.ManagedFieldsEntry(nil)}, InvolvedObject:v1.ObjectReference{Kind:"Lease", Namespace:"gha-runners", Name:"gha-runner-scale-set-controller-gha-rs-controller", UID:"0669289f-7a26-4956-9668-00fdc9fe4739", APIVersion:"coordination.k8s.io/v1", ResourceVersion:"233694020", FieldPath:""}, Reason:"LeaderElection", Message:"gha-runner-scale-set-controller-gha-rs-controller-69bb5cfbff2xg_e47f6629-6767-4063-838e-a394157d727d became leader", Source:v1.EventSource{Component:"gha-runner-scale-set-controller-gha-rs-controller-69bb5cfbff2xg_e47f6629-6767-4063-838e-a394157d727d", Host:""}, FirstTimestamp:time.Date(2024, time.May, 1, 2, 16, 35, 768820977, time.Local), LastTimestamp:time.Date(2024, time.May, 1, 2, 16, 35, 768820977, time.Local), Count:1, Type:"Normal", EventTime:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"gha-runner-scale-set-controller-gha-rs-controller-69bb5cfbff2xg_e47f6629-6767-4063-838e-a394157d727d", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:gha-runners:gha-runner-scale-set-controller-gha-rs-controller" cannot create resource "events" in API group "" in the namespace "gha-runners"' (will not retry!)

With the proposed change, and following a rollout restart deployment gha-runner-scale-set-controller-gha-rs-controller, the issue seems to be fixed:

$ kdt -n gha-runners logs gha-runner-scale-set-controller-gha-rs-controller-76f6bfd9jf8s8
I0501 02:26:44.044465       1 leaderelection.go:250] attempting to acquire leader lease gha-runners/gha-runner-scale-set-controller-gha-rs-controller...
I0501 02:27:02.298319       1 leaderelection.go:260] successfully acquired lease gha-runners/gha-runner-scale-set-controller-gha-rs-controller

Helm value overrides:

replicaCount: 3
flags.logLevel: "warn"

@alpozcan
Add missing RBAC permissions on events to the ClusterRole `gha-ru…
298ecd6 
…nner-scale-set-controller-gha-rs-controller`
@Ebaneck
Copy link

Ebaneck commented May 7, 2024

Hello @alpozcan

I seem to be having a similar error when watchSingleNamespace: "actions-runners" is set.
I am wondering if these changes should also be reflected in the single namespace role yaml too.

@alpozcan
Copy link
Author

alpozcan commented May 7, 2024

Hello @alpozcan

I seem to be having a similar error when watchSingleNamespace: "actions-runners" is set. I am wondering if these changes should also be reflected in the single namespace role yaml too.

Hi,
I think you should give it a try, and raise a similar PR if it fixes the issue for you. We can then make a mention between the two PRs to make them more visible.

@alpozcan
Copy link
Author

alpozcan commented May 8, 2024

Actually, even with watchSingleNamespace set, the same issue occurs - it's still the missing permission on the ClusterRole

@Ebaneck
Copy link

Ebaneck commented May 8, 2024
edited

Actually, even with watchSingleNamespace set, the same issue occurs - it's still the missing permission on the ClusterRole

You mean the Role right ?
Because the ClusterRole doesn't get created when watchSingleNamespace is set.

See line 1 of manager_cluster_role.yaml:

{{- if empty .Values.flags.watchSingleNamespace }}

We probably need to add the events thingy in the role here too

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mumoshu mumoshu Awaiting requested review from mumoshu mumoshu is a code owner

@toast-gear toast-gear Awaiting requested review from toast-gear toast-gear is a code owner

@nikola-jokic nikola-jokic Awaiting requested review from nikola-jokic nikola-jokic is a code owner

@rentziass rentziass Awaiting requested review from rentziass rentziass is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@alpozcan @Ebaneck