Kubernetes local observer job fails
Kubernetes local observer job fails as ClusterRole is not created by default.
Problem
The Kubernetes local observer job fails because it has no access to the Kubernetes environment.
Example of the error message that is displayed:
User "system:serviceaccount:noi:noi-service-account" cannot list resource "nodes" in API group "" at the cluster scope
Cause
Role permissions are granted by the cluster admin and cannot be set by the operator. For more information about roles and permissions, see Configuring Kubernetes Observer jobs.
Resolution
To resolve the Kubernetes local observer failure, complete the following steps:
- As a cluster admin, create the ClusterRole and bind it to the noi-service-account.
- Set your namespace by using the following command:
export NAMESPACE=ibmnetcool
- Create the ClusterRole.
cat <<EOF | oc apply -f -
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  annotations:
  name: asm:kubernetes-observer
rules:
  - apiGroups:
      - ''
    resources:
      - nodes
      - services
      - namespaces
      - pods
      - endpoints
      - persistentvolumeclaims
      - persistentvolumes
    verbs:
      - list
      - get
  - apiGroups:
      - apps
    resources:
      - deployments
      - replicasets
      - statefulsets
      - daemonsets
    verbs:
      - list
      - get
EOF
- Create the binding by using the following command:
oc create clusterrolebinding ${NAMESPACE:-netcool}-kubernetes-observer --clusterrole=asm:kubernetes-observer --serviceaccount=${NAMESPACE:-netcool}:noi-service-account
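
To confirm that the binding took effect before rerunning the observer job, the following added example (not part of the original procedure) asks the API server whether the service account can list and get every resource named in the ClusterRole. It assumes oc is logged in as a cluster admin who may impersonate service accounts; the function name check_observer_rbac and the variable MISSING_PERMS are hypothetical names chosen for this example.

```shell
# Added example: verify the access granted by asm:kubernetes-observer.
# Resources and verbs are copied from the ClusterRole above; the apps
# group resources use the resource.group form accepted by "auth can-i".
OBSERVER_RESOURCES="nodes services namespaces pods endpoints \
persistentvolumeclaims persistentvolumes \
deployments.apps replicasets.apps statefulsets.apps daemonsets.apps"
OBSERVER_VERBS="list get"

# check_observer_rbac [namespace]
# Returns 0 when every verb/resource pair is allowed at cluster scope,
# 1 otherwise. The denied pairs are left in MISSING_PERMS (hypothetical
# variable name) and printed to stderr.
check_observer_rbac() {
    ns="${1:-${NAMESPACE:-netcool}}"
    sa="system:serviceaccount:${ns}:noi-service-account"
    MISSING_PERMS=""
    for resource in $OBSERVER_RESOURCES; do
        for verb in $OBSERVER_VERBS; do
            # --quiet suppresses yes/no output; the exit code is the answer.
            # --all-namespaces asks about cluster scope, matching the
            # "at the cluster scope" wording of the error message.
            if ! oc auth can-i "$verb" "$resource" \
                    --as="$sa" --all-namespaces --quiet; then
                MISSING_PERMS="${MISSING_PERMS:+$MISSING_PERMS, }$verb $resource"
            fi
        done
    done
    if [ -n "$MISSING_PERMS" ]; then
        echo "Denied for $sa: $MISSING_PERMS" >&2
        return 1
    fi
    echo "All observer permissions granted for $sa"
    return 0
}

# Usage, after creating the binding:
#   check_observer_rbac "$NAMESPACE"
```

If the function reports denied pairs, check that the namespace in the binding's --serviceaccount value matches the namespace shown in the observer's error message.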