How to fix an issue with the service account not able to access ingresses?

Article ID: 360053034731

Issue

I encounter a failure when trying to deploy a new Managed Controller or update it. The error message reads:

Error Failure executing: POST at: https://10.0.0.1/apis/networking.k8s.io/v1beta1/namespaces/my-namespace/ingresses. Message: Forbidden!Configured service account doesn’t have access. Service account may have been revoked. ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:default:cjoc" cannot create resource "ingresses" in API group "networking.k8s.io" in the namespace "my-namespace".

Resolution

In some cases, the cause is a bug in the definition of the cjoc-master-management role in Helm chart versions lower than 2.249.3.1. To fix the issue, update to at least version 2.249.3.3 to pick up the fix in the chart. We recommend that you skip versions 2.249.3.1 and 2.249.3.2 and go directly to 2.249.3.3.

Workaround

If the update is not feasible in the short term, you need to modify the cjoc-master-management role. Edit the role, locate the rule for the ingresses resource, and modify it so that it looks like this:

- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
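
To check that the edited role grants what the error message reports as missing, the following added example (not part of the original article and not CloudBees code) asks the API server, for each API group and verb in the rule above, whether the service account may act on ingresses. The function name check_ingress_access is hypothetical; it assumes kubectl is configured for the cluster and that your user is allowed to impersonate service accounts (required by --as).

```shell
#!/bin/sh
# Added example, not CloudBees code. Verifies that a service account holds
# every verb on ingresses in both API groups listed in the workaround rule.
# Assumption: the caller may impersonate service accounts (needed for --as).

INGRESS_GROUPS="extensions networking.k8s.io"
INGRESS_VERBS="create delete get list patch update watch"

# check_ingress_access <sa-namespace> <sa-name> <target-namespace>
# (hypothetical helper name)
# Prints one line per missing permission; returns 0 only if none are missing.
check_ingress_access() {
    sa="system:serviceaccount:$1:$2"
    target_ns="$3"
    missing=0
    for group in $INGRESS_GROUPS; do
        for verb in $INGRESS_VERBS; do
            # "kubectl auth can-i" prints yes/no and exits non-zero on "no",
            # so the exit status is ignored and the printed answer is used.
            answer=$(kubectl auth can-i "$verb" "ingresses.$group" \
                --as="$sa" -n "$target_ns" 2>/dev/null) || true
            if [ "$answer" != "yes" ]; then
                echo "MISSING: $sa cannot $verb ingresses.$group in $target_ns"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Usage, with the values from the error message in this article:
#   check_ingress_access default cjoc my-namespace
```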

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.