Bug 1224636 - [origin_infrastructure_265] Caught 'Insufficient Permission' error mounting gcePersistentDisk
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OKD
Classification: Red Hat
Component: Storage
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Mark Turansky
QA Contact: Liang Xia
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-05-25 08:34 UTC by Jianwei Hou
Modified: 2015-05-26 10:12 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-05-26 10:12:01 UTC
Target Upstream Version:
Embargoed:



Description Jianwei Hou 2015-05-25 08:34:12 UTC
Description of problem:
An 'Insufficient Permission' error is caught from events when a pod mounts a GCE persistent disk

Version-Release number of selected component (if applicable):
Client Version: version.Info{Major:"0", Minor:"17+", GitVersion:"v0.17.1-738-gcf7b0bdc2a41d3", GitCommit:"cf7b0bdc2a41d38613ac7f8eeea91cae23553fa2", GitTreeState:"clean"}
Server Version: version.Info{Major:"0", Minor:"17+", GitVersion:"v0.17.1-738-gcf7b0bdc2a41d3", GitCommit:"cf7b0bdc2a41d38613ac7f8eeea91cae23553fa2", GitTreeState:"clean"}


How reproducible:
Always

Steps to Reproduce:
1. Launch a CentOS 7.1 instance on GCE, start Kubernetes on the instance
2. Create a GCE PD: gcloud compute disks create --size=10GB --zone=us-central1-a gcepd
3. Create a pv
cluster/kubectl.sh create -f pv.yaml

```
kind: PersistentVolume
apiVersion: v1beta3
metadata:
  name: gce
  labels:
    type: gcepd
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  gcePersistentDisk:
    pdName: "gcepd"
    fsType: "ext4"
```

4. Create a pvc
cluster/kubectl.sh create -f claim.yaml
```
kind: PersistentVolumeClaim
apiVersion: v1beta3
metadata:
  name: myclaim-1
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
```

5. Create a pod that mounts the pv
cluster/kubectl.sh create -f pod.yaml
```
kind: Pod
apiVersion: v1beta3
metadata:
  name: mypod
  labels:
    name: frontendhttp
spec:
  containers:
    - name: myfrontend
      image: nginx
      ports:
        - containerPort: 80
          name: "http-server"
      volumeMounts:
      - mountPath: "/usr/share/nginx/html"
        name: gcepd
  volumes:
    - name: gcepd
      persistentVolumeClaim:
       claimName: myclaim-1
```

Actual results:
After step 2:
$ gcloud compute disks list
NAME                   ZONE          SIZE_GB TYPE        STATUS
gcepd                  us-central1-a 10      pd-standard READY

After step 3 and 4: the pv and pvc are created successfully
[hjw@10 kubernetes]$ cluster/kubectl.sh get pv
NAME      LABELS       CAPACITY      ACCESSMODES   STATUS    CLAIM
gce       type=gcepd   10737418240   RWO           Bound     default/myclaim-1
[hjw@10 kubernetes]$ cluster/kubectl.sh get pvc
NAME        LABELS    STATUS    VOLUME
myclaim-1   map[]     Bound     gce

After step 5: Pod is pending, the events suggest an error of insufficient permission
Mon, 25 May 2015 08:02:36 +0000   Mon, 25 May 2015 08:02:36 +0000   1         mypod       Pod                   scheduled     {scheduler }          Successfully assigned mypod to 127.0.0.1
Mon, 25 May 2015 08:02:36 +0000   Mon, 25 May 2015 08:14:57 +0000   75        mypod       Pod                   failedMount   {kubelet 127.0.0.1}   Unable to mount volumes for pod "mypod_default": googleapi: Error 403: Insufficient Permission, insufficientPermissions
Mon, 25 May 2015 08:02:36 +0000   Mon, 25 May 2015 08:14:57 +0000   75        mypod       Pod                   failedSync    {kubelet 127.0.0.1}   Error syncing pod, skipping: googleapi: Error 403: Insufficient Permission, insufficientPermissions

Expected results:
The pod should be running, and there should be no such error in the events.

Additional info:

Comment 1 Jianwei Hou 2015-05-26 10:12:01 UTC
Sorry, after investigation, it was the format of pod.yaml that made this operation unsuccessful.
The correct format for a volume should be:
-----
  volumes:
    - name: mypd
      source:
        persistentVolumeClaim:
          accessMode: ReadWriteOnce
          claimRef:
            name: myclaim-1

-----

