This change seems to be breaking my application when upgrading from 6.5.0 to 6.5.1? #5298

shawkins · 2023-07-01T02:25:48Z

          This change seems to be breaking my application when upgrading from 6.5.0 to 6.5.1?

Exception in thread "main" io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://paas.***.be:443/apis/template.openshift.io/v1/namespaces/cbss-test-custom-jobs/templates. Message: templates.template.openshift.io is forbidden: User "system:anonymous" cannot list templates.template.openshift.io in the namespace "cbss-test-custom-jobs": no RBAC policy matched. Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=template.openshift.io, kind=templates, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=templates.template.openshift.io is forbidden: User "system:anonymous" cannot list templates.template.openshift.io in the namespace "cbss-test-custom-jobs": no RBAC policy matched, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).
	at io.fabric8.kubernetes.client.KubernetesClientException.copyAsCause(KubernetesClientException.java:238)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.waitForResult(OperationSupport.java:546)
	at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:424)
	at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:392)
	at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:93)
	at be.fgov.kszbcss.batch.client.OpenShiftJobClient.listJobTemplates(OpenShiftJobClient.java:61)
	at be.fgov.kszbcss.batch.cli.ListJobCommand.call(ListJobCommand.java:11)
	at be.fgov.kszbcss.batch.cli.ListJobCommand.main(ListJobCommand.java:27)
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://paas.***.be:443/apis/template.openshift.io/v1/namespaces/cbss-test-custom-jobs/templates. Message: templates.template.openshift.io is forbidden: User "system:anonymous" cannot list templates.template.openshift.io in the namespace "cbss-test-custom-jobs": no RBAC policy matched. Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=template.openshift.io, kind=templates, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=templates.template.openshift.io is forbidden: User "system:anonymous" cannot list templates.template.openshift.io in the namespace "cbss-test-custom-jobs": no RBAC policy matched, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:701)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:681)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.assertResponseCode(OperationSupport.java:630)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.lambda$handleResponse$0(OperationSupport.java:591)
	at java.base/java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:642)
	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
	at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)
	at io.fabric8.kubernetes.client.http.StandardHttpClient.lambda$completeOrCancel$5(StandardHttpClient.java:120)
	at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:859)
	at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837)
	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
	at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)
	at io.fabric8.kubernetes.client.http.ByteArrayBodyHandler.onBodyDone(ByteArrayBodyHandler.java:52)
	at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:859)
	at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837)
	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
	at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)
	at io.fabric8.kubernetes.client.okhttp.OkHttpClientImpl$OkHttpAsyncBody.doConsume(OkHttpClientImpl.java:135)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)

Originally posted by @jpraet in #4970 (comment)

The text was updated successfully, but these errors were encountered:

shawkins · 2023-07-01T02:30:29Z

Moved to a separate issue. Is this effectively a bug with openshift that fabric8 was compenstating for but other clients such as kubectl or oc are not? My understanding with 403 is that re-authentication won't make any difference. Or is there something else going on here?

jpraet · 2023-07-01T08:11:09Z

Looks like the 403 handling has been there from the start: a926786

I am authenticating with username and password. From what I see in the exception stacktrace
User "system:anonymous" cannot list templates.template.openshift.io in the namespace
it seems to be calling the API first without authenticating? Resulting in 403 for anonymous access?

shawkins · 2023-07-01T13:46:43Z

Looks like the 403 handling has been there from the start: a926786

Yes and we could not figure out why that handling was there.

I am authenticating with username and password. From what I see in the exception stacktrace User "system:anonymous" cannot list templates.template.openshift.io in the namespace it seems to be calling the API first without authenticating? Resulting in 403 for anonymous access?

Ah that is the issue, the auth interceptor is allowing the initial request to go through - even if the token does not yet exist. If the token isn't set, it should authenticate first - that will require a code change. Right now it will trigger a refresh and requests will fail until that completes - do you see that later reqeusts are successful?

### What changes were proposed in this pull request? The pr aims to upgrade kubernetes-client from 6.7.2 to 6.8.0. ### Why are the changes needed? - The newest version brings some bug fixed & improvment, eg: Fix fabric8io/kubernetes-client#5221: Empty kube config file causes NPE Fix fabric8io/kubernetes-client#5281: Ensure the KubernetesCrudDispatcher's backing map is accessed w/lock Fix fabric8io/kubernetes-client#5298: Prevent requests needing authentication from causing a 403 response Fix fabric8io/kubernetes-client#5233: Generalized SchemaSwap to allow for cycle expansion Fix fabric8io/kubernetes-client#5262: all built-in collections will omit empty in their serialized form. - The full release notes: https://github.com/fabric8io/kubernetes-client/releases/ ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? Pass GA. Closes #42142 from panbingkun/SPARK-44537. Authored-by: panbingkun <[email protected]> Signed-off-by: Dongjoon Hyun <[email protected]>

### What changes were proposed in this pull request? The pr aims to upgrade kubernetes-client from 6.7.2 to 6.8.0. ### Why are the changes needed? - The newest version brings some bug fixed & improvment, eg: Fix fabric8io/kubernetes-client#5221: Empty kube config file causes NPE Fix fabric8io/kubernetes-client#5281: Ensure the KubernetesCrudDispatcher's backing map is accessed w/lock Fix fabric8io/kubernetes-client#5298: Prevent requests needing authentication from causing a 403 response Fix fabric8io/kubernetes-client#5233: Generalized SchemaSwap to allow for cycle expansion Fix fabric8io/kubernetes-client#5262: all built-in collections will omit empty in their serialized form. - The full release notes: https://github.com/fabric8io/kubernetes-client/releases/ ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? Pass GA. Closes apache#42142 from panbingkun/SPARK-44537. Authored-by: panbingkun <[email protected]> Signed-off-by: Dongjoon Hyun <[email protected]>

shawkins mentioned this issue Jul 1, 2023

Not able to upload file to pod using fabric8 upload API #5188

Closed

manusa added the Waiting on feedback Issues that require feedback from User/Other community members label Jul 3, 2023

shawkins added a commit to shawkins/kubernetes-client that referenced this issue Jul 5, 2023

fix fabric8io#5298: using an invalid token to trigger refresh

6df9e78

shawkins self-assigned this Jul 5, 2023

manusa closed this as completed in 2840d59 Jul 14, 2023

manusa added this to the 6.8.0 milestone Jul 14, 2023

panbingkun mentioned this issue Jul 25, 2023

[SPARK-44537][BUILD] Upgrade kubernetes-client to 6.8.0 apache/spark#42142

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

This change seems to be breaking my application when upgrading from 6.5.0 to 6.5.1? #5298

This change seems to be breaking my application when upgrading from 6.5.0 to 6.5.1? #5298

shawkins commented Jul 1, 2023

shawkins commented Jul 1, 2023

jpraet commented Jul 1, 2023

shawkins commented Jul 1, 2023

This change seems to be breaking my application when upgrading from 6.5.0 to 6.5.1? #5298

This change seems to be breaking my application when upgrading from 6.5.0 to 6.5.1? #5298

Comments

shawkins commented Jul 1, 2023

shawkins commented Jul 1, 2023

jpraet commented Jul 1, 2023

shawkins commented Jul 1, 2023