Posted this on the kubernetes.core Github project, but not getting traction, so I thought I’d cross-post and see if anyone here has pointers.
SUMMARY
When I attempt to run helm_info (haven’t tried helm yet because I want to confirm a non-modifying operation before I risk breaking something) in an Ansible Execution Environment on AWX, it seems to try to connect to the cluster that AWX is running on, rather than the target cluster, so it fails.
ansible-core==2.18.14
kubernetes.core collection 6.3.0
Also tested 5.4.2, 3.3.1, 2.4.2, with the same results
OS / ENVIRONMENT
Ansible AWX running in GKE 1.33.5-gke.2392000. Target cluster is a different cluster, also running GKE 1.33.
STEPS TO REPRODUCE
- Set up Credential that has Google Cloud service account JSON exported to GOOGLE_APPLICATION_CREDENTIALS and kubeconfig exported to K8S_AUTH_KUBECONFIG
- Playbook with task like this:
```yaml
- name: Gather information of ingress-nginx chart
  kubernetes.core.helm_info:
    name: ingress-nginx
    release_namespace: ingress-nginx
  register: helm_output
```
EXPECTED RESULTS
Details of ingress-nginx configuration, e.g. DaemonSet, externalTrafficPolicy, etc.
NOTE: this actually does work when running ansible-playbook on a separate VM, outside AWX/execution environments.
ACTUAL RESULTS
```json
{
  "stdout": "",
  "stderr": "Error: list: failed to list: secrets is forbidden: User \"serviceAccount:devops-nonprod.svc.id.goog[awx/default]\" cannot list resource \"secrets\" in API group \"\" in the namespace \"ingress-nginx\": requires one of [\"container.secrets.list\"] permission(s).\n",
  "command": "/usr/bin/helm list --output=yaml --filter ingress-nginx",
  "msg": "Failure when executing Helm command. Exited 1.\nstdout: \nstderr: Error: list: failed to list: secrets is forbidden: User \"serviceAccount:devops-nonprod.svc.id.goog[awx/default]\" cannot list resource \"secrets\" in API group \"\" in the namespace \"ingress-nginx\": requires one of [\"container.secrets.list\"] permission(s).\n",
  "invocation": {
    "module_args": {
      "name": "ingress-nginx",
      "release_namespace": "ingress-nginx",
      "kubeconfig": "/runner/env/tmpc3dcwb99",
      "release_name": "ingress-nginx",
      "validate_certs": true,
      "release_state": [],
      "get_all_values": false,
      "binary_path": null,
      "context": null,
      "host": null,
      "ca_cert": null,
      "api_key": null
    }
  },
  "stdout_lines": [],
  "stderr_lines": [
    "Error: list: failed to list: secrets is forbidden: User \"serviceAccount:devops-nonprod.svc.id.goog[awx/default]\" cannot list resource \"secrets\" in API group \"\" in the namespace \"ingress-nginx\": requires one of [\"container.secrets.list\"] permission(s)."
  ],
  "_ansible_no_log": false,
  "changed": false
}
```
NOTE that devops-nonprod is the name of the project that AWX is running in, not the target cluster which I’m trying to administer. Also, awx/default is a ServiceAccount in the AWX cluster, not the one from the kubeconfig that I’ve provided.
Also again note that all this seems to work OK when I install ansible-playbook standalone on a VM.
Also note that k8s_cluster_info seems to work fine in the Execution Environment; I only seem to have problems with helm modules. Maybe the helm modules are not supported for running on AWX/Tower/AAP/etc.?
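A pre-flight check that can be run inside the Execution Environment before the helm task, as an added example (not code from the original post or from kubernetes.core): it reads the kubeconfig that K8S_AUTH_KUBECONFIG points at, reports which API server and which credential mechanism the current context resolves to, and shows the pod's own in-cluster endpoint and whether GOOGLE_APPLICATION_CREDENTIALS is visible, so a result like the one above can be traced to a file, context or identity mismatch. The sample kubeconfig is constructed, in JSON form (kubectl accepts JSON; real kubeconfigs are usually YAML, which would need yaml.safe_load instead of json.loads), and the server URL and names in it are placeholders.

```python
"""Pre-flight check for an Execution Environment: which API server and which
credential mechanism does the kubeconfig in K8S_AUTH_KUBECONFIG resolve to?"""
import json
import os

# Constructed sample kubeconfig (JSON form, placeholder names and server URL).
SAMPLE_KUBECONFIG = json.dumps({
    "current-context": "target",
    "clusters": [{"name": "target-cluster",
                  "cluster": {"server": "https://10.0.0.1"}}],
    "contexts": [{"name": "target",
                  "context": {"cluster": "target-cluster", "user": "gke-user"}}],
    "users": [{"name": "gke-user",
               "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
                                 "command": "gke-gcloud-auth-plugin"}}}],
})

def _by_name(items, name):
    for item in items or []:
        if item.get("name") == name:
            return item
    raise KeyError(f"kubeconfig has no entry named {name!r}")

def resolve_kubeconfig(text, context_name=None):
    """Return (server URL, user name, auth mechanism) for the selected context."""
    cfg = json.loads(text)
    ctx = _by_name(cfg.get("contexts"), context_name or cfg.get("current-context"))["context"]
    server = _by_name(cfg.get("clusters"), ctx["cluster"])["cluster"]["server"]
    user = _by_name(cfg.get("users"), ctx["user"])["user"]
    auth = "unknown"
    if "exec" in user:
        # An exec plugin mints the bearer token at run time from whatever credentials
        # it finds in its environment, so the kubeconfig alone does not pin the identity.
        auth = "exec:" + user["exec"]["command"]
    elif "token" in user:
        auth = "static-token"
    elif "client-certificate-data" in user or "client-certificate" in user:
        auth = "client-cert"
    return server, ctx["user"], auth

def preflight(env=os.environ):
    path = env.get("K8S_AUTH_KUBECONFIG")
    if not path or not os.path.isfile(path):
        return {"error": f"K8S_AUTH_KUBECONFIG unset or file missing: {path!r}"}
    with open(path, encoding="utf-8") as fh:
        server, user, auth = resolve_kubeconfig(fh.read())
    return {"kubeconfig": path, "server": server, "user": user, "auth": auth,
            "in_cluster_host": env.get("KUBERNETES_SERVICE_HOST"),  # the pod's own cluster
            "gac_visible": bool(env.get("GOOGLE_APPLICATION_CREDENTIALS"))}
```

If `auth` comes back as an exec plugin, the identity the target cluster sees depends on what that plugin can find in the EE's environment at run time, not on the kubeconfig file alone.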