powerful-florist-21503

06/08/2022, 4:03 PM
Hello! I have encountered a problem where git clone is successful (the step-git-source container ran successfully) but the next “fleet” container fails:
time="2022-06-08T15:43:31Z" level=fatal msg="open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied"
This is the first time fleet is configured to sync these new downstream k3s clusters. Any ideas what's causing this? Rancher v2.6.3 running in EKS.
EKS kubernetes version 1.21
great-bear-19718

06/09/2022, 6:46 AM
are you running standalone fleet or rancher on the EKS cluster?
tbh.. i have managed eks clusters with rancher and have not seen this error but can't be sure

powerful-florist-21503

06/09/2022, 7:06 AM
Rancher on EKS 1.21
Hmmh, managed to work around this by running the fleet pod as root: securityContext: runAsUser: 0

great-bear-19718

06/09/2022, 7:24 AM
are you please also able to log a GH issue so we can track the same as well
powerful-florist-21503

06/09/2022, 7:25 AM
But still, the workaround is a hack: I edited the existing pod YAML and applied the modified version with kubectl. I was also unable to modify the Job; it could not be edited. To me this definitely feels like a bug in Rancher Fleet working in EKS.

great-bear-19718

06/09/2022, 7:25 AM
well i can't say until we have had a look
need to check what EKS is doing differently because from k8s version perspective 1.21 is supported
powerful-florist-21503

06/09/2022, 7:27 AM
Will make an issue to GH when I have some time, busy day today.
Something related to service accounts is changed in EKS with 1.21 https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.21
@great-bear-19718 Issue created to GH https://github.com/rancher/fleet/issues/790