
Portainer service account not found #17090

Closed
1 task done
razvanphp opened this issue Jan 13, 2024 · 7 comments
Labels
bug Something isn't working stale Categorises a PR or issue that has not been active for a specified time.

Comments

@razvanphp

razvanphp commented Jan 13, 2024

App Name

Portainer

Operating System

TrueNAS SCALE 23.10.1

App Version

2.19.4

Application Events

History
Related Kubernetes Events
No events are available.

Application Logs

```
2024-01-13 10:46:52.998831+02:002024/01/13 08:46AM INF main.go:448 > encryption key file not present | filename=portainer
2024-01-13 10:46:52.998888+02:002024/01/13 08:46AM INF main.go:482 > proceeding without encryption key |
2024-01-13 10:46:52.998924+02:002024/01/13 08:46AM INF github.com/portainer/portainer-ee/api/database/boltdb/db.go:125 > loading PortainerDB | filename=portainer.db
2024-01-13 10:46:53.092006+02:002024/01/13 08:46AM INF github.com/portainer/portainer-ee/api/cloud/cluster_setup.go:94 > starting cloud cluster setup service |
2024-01-13 10:46:53.096681+02:002024/01/13 08:46AM INF github.com/portainer/portainer-ee/api/chisel/service.go:198 > Found Chisel private key file on disk | private-key=/data/chisel/private-key.pem
2024-01-13 10:46:53.096804+02:002024/01/13 08:46:53 server: Reverse tunnelling enabled
2024-01-13 10:46:53.096841+02:002024/01/13 08:46:53 server: Fingerprint kIl/lvDSLcZvxlCWqSzBrONLmRmuF+uWrP7Nkj1tjmc=
2024-01-13 10:46:53.097228+02:002024/01/13 08:46:53 server: Listening on http://0.0.0.0:10401
2024-01-13 10:46:53.709191+02:002024/01/13 08:46AM INF main.go:797 > starting Portainer | build_number=35427 go_version=1.20.5 image_tag=linux-amd64-2.19.4 nodejs_version=18.19.0 version=2.19.4 webpack_version=5.88.1 yarn_version=1.22.21
2024-01-13 10:46:53.718614+02:002024/01/13 08:46AM INF github.com/portainer/portainer-ee/api/http/server.go:450 > starting HTTPS server | bind_address=:9443
2024-01-13 11:04:50.788285+02:002024/01/13 09:04:50 server: ignored client connection using protocol '', expected 'chisel-v3'
2024-01-13 11:22:12.375711+02:00{"time":1705137732,"message":"websocketproxy: Error when copying from backend to client: websocket: close 1006 (abnormal closure): unexpected EOF"}
2024-01-13 11:22:21.985017+02:00{"time":1705137741,"message":"websocketproxy: Error when copying from backend to client: websocket: close 1006 (abnormal closure): unexpected EOF"}
```

Application Configuration

Main Ingress

Enable Ingress

Integrations

Traefik

enabled

certManager

enabled (and working)

Describe the bug

Portainer has a built-in functionality for kubectl shell - in browser. This uses websockets to connect.

With the current app/chart version it does not work, it opens and then closes immediately.

I investigated and found out what the error is:

```json
{"message":"Unable to find serviceaccount associated with user","details":"serviceaccounts \"portainer-sa-clusteradmin\" not found"}
```

It seems that the configuration of Portainer expects this name as the serviceaccount name; see also their agent chart installation and official chart configuration for serviceAccount.name.

Can we rename the serviceaccount of the chart to match with what portainer expects or make it configurable?

Thank you!
R

To Reproduce

Open portainer and click on local k8s cluster and then on >_ kubectl shell

Expected Behavior

Shell works and stays connected on screen.

Screenshots

[screenshot attached in the original issue, not reproduced here]

Additional Context

I thought it's a problem with the websockets headers in traefik, but the same behaviour happens when accessing portainer through the pod app port, so it's unrelated.

I've read and agree with the following

  • I've checked all open and closed issues and my issue is not there.
@razvanphp razvanphp added the bug Something isn't working label Jan 13, 2024
@stavros-k
Member

Even if we update the name of the SA it won't work at least on TN Scale

Portainer can only work correctly when it is deployed in the portainer namespace.
And on TN Scale all NS are prefixed with ix-.
portainer/portainer#5156 (comment)

Given that helm users can change the SA name, this is low prio.

@razvanphp
Author

Thank you for the quick answer. What if we could change the config of Portainer to assume the SA with name ‘portainer’ instead? I just couldn’t find the option for this…

Also, is this name in the common chart? Or can we add it just for the portainer chart? I can try to make it work and send a PR if it’s welcome.

thank you!

@stavros-k
Member

> Thank you for the quick answer. What if we could change the config of Portainer to assume the SA with name ‘portainer’ instead? I just couldn’t find the option for this…
>
> Also, is this name in the common chart? Or can we add it just for the portainer chart? I can try to make it work and send a PR if it’s welcome.
>
> thank you!

As the linked comment above says, it's all hardcoded currently.
Even if the name matches, it will still try to look in the wrong namespace.

The name is in the portainer chart. But with the current design of the naming generation on the common, it would need a "hack".

But backtracking a bit.
I just installed portainer to check things up.
The fact that it displays namespaces/configmaps/secrets etc. means that it can see and use the ServiceAccount.
The RBAC is tied to the SA, so without the SA it wouldn't be able to see any of those.

That being said, portainer's examples seem to suggest to use the built-in cluster-admin role.
We don't use that, but we use a fully open ClusterRole:

```yaml
clusterWide: true
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - "*"
```

Which is tied to the service account.

So unless we are missing some specific setting, I'm not sure what we should do. And I don't think starting to change names around is a good idea, unless the issue is pinpointed first.

@razvanphp
Author

Ok, I can investigate first and see what change makes it work.

Looking in the source code of portainer, it seems indeed hardcoded, but then... why is it configurable in their helm chart?

https://github.com/portainer/portainer/blob/067a7d148f2a71796420e9a5026d8d876a3fb745/api/kubernetes/cli/naming.go#L9-L12
https://github.com/portainer/portainer/blob/develop/api/kubernetes/cli/service_account.go#L22

If they allowed those to be configurable via CLI, we could override them, right? What other options do we have?

@razvanphp
Author

As a workaround, I deployed this via fluxcd to my (k3s / TN Scale) cluster and everything works now, including the shell functionality, even though Portainer is deployed as a TrueCharts App.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: portainer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: portainer-sa-clusteradmin
  namespace: portainer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: portainer-crb-clusteradmin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: portainer-sa-clusteradmin
    namespace: portainer
---
```
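An added check (not code from this thread, TrueCharts or Portainer) that ties together the RBAC point made earlier and the workaround above: it reads the JSON that `kubectl get sa,clusterrolebinding -A -o json` prints, confirms that the ServiceAccount the kubectl shell looks up (`portainer-sa-clusteradmin` in namespace `portainer`, as quoted in the error at the top of the issue; assumed to be the only two values the lookup depends on) exists, and lists the ClusterRoles bound to it so a cluster-admin grant like the workaround's is visible before it is applied. The sample cluster state is constructed, not captured.

```python
import json

# Name and namespace Portainer looks up for the kubectl shell, as quoted in the
# issue's error message and linked comment (assumed to be the only two inputs).
EXPECTED_NAMESPACE = "portainer"
EXPECTED_SA_NAME = "portainer-sa-clusteradmin"

def check_portainer_sa(items_json: str) -> dict:
    """Inspect a v1 List (the shape of `kubectl get sa,clusterrolebinding -A -o json`)
    and report whether the expected SA exists, which ClusterRoles bind it, and warnings."""
    items = json.loads(items_json)["items"]
    sa_found = any(
        i["kind"] == "ServiceAccount"
        and i["metadata"]["name"] == EXPECTED_SA_NAME
        and i["metadata"].get("namespace") == EXPECTED_NAMESPACE
        for i in items
    )
    # ClusterRoles granted to that SA through ClusterRoleBinding subjects
    cluster_roles = [
        i["roleRef"]["name"]
        for i in items if i["kind"] == "ClusterRoleBinding"
        for s in (i.get("subjects") or [])
        if s.get("kind") == "ServiceAccount"
        and s.get("name") == EXPECTED_SA_NAME
        and s.get("namespace") == EXPECTED_NAMESPACE
    ]
    warnings = []
    if not sa_found:  # the condition behind 'serviceaccounts "..." not found'
        warnings.append(f'serviceaccount "{EXPECTED_SA_NAME}" missing in "{EXPECTED_NAMESPACE}"')
    if "cluster-admin" in cluster_roles:
        warnings.append("bound to cluster-admin: unrestricted access to the whole cluster")
    return {"sa_found": sa_found, "cluster_roles": cluster_roles, "warnings": warnings}

def sample_cluster(with_workaround: bool) -> str:
    """Constructed sample (not captured from a cluster): the chart's own SA in its
    ix- prefixed namespace, optionally plus the workaround objects from the thread."""
    items = [{"kind": "ServiceAccount",
              "metadata": {"name": "portainer", "namespace": "ix-portainer"}}]
    if with_workaround:
        items += [
            {"kind": "ServiceAccount",
             "metadata": {"name": EXPECTED_SA_NAME, "namespace": EXPECTED_NAMESPACE}},
            {"kind": "ClusterRoleBinding",
             "metadata": {"name": "portainer-crb-clusteradmin"},
             "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
             "subjects": [{"kind": "ServiceAccount", "name": EXPECTED_SA_NAME,
                           "namespace": EXPECTED_NAMESPACE}]},
        ]
    return json.dumps({"kind": "List", "apiVersion": "v1", "items": items})
```

Without the workaround objects the check reproduces the "not found" condition; with them it reports the SA as present but flags the cluster-admin binding.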

@truecharts-admin
Collaborator

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions.

@truecharts-admin truecharts-admin added the stale Categorises a PR or issue that has not been active for a specified time. label Jul 12, 2024
@truecharts-admin
Collaborator

This issue has been automatically closed due to inactivity. Please re-open if this still requires investigation.

@truecharts-admin truecharts-admin closed this as not planned Won't fix, can't repro, duplicate, stale Jul 26, 2024