Dmitry Meyerson
07/26/2023, 5:20 PM
Dmitry Meyerson
07/26/2023, 5:27 PM
helm upgrade --install cerbos cerbos/cerbos --namespace cerbos-dev --version=0.29.0 --values=./cerbos_config.yaml --kubeconfig /tmp/kube_config.yaml
shell: sh -e {0}
"cerbos" has been added to your repositories
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "cerbos" chart repository
Update Complete. ⎈Happy Helming!⎈
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kube_config.yaml
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kube_config.yaml
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kube_config.yaml
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kube_config.yaml
Release "cerbos" does not exist. Installing it now.
NAME: cerbos
LAST DEPLOYED: Wed Jul 26 17:23:13 2023
NAMESPACE: cerbos-dev
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
You have successfully deployed Cerbos.
Dmitry Meyerson
07/26/2023, 5:30 PM
Dmitry Meyerson
07/26/2023, 5:49 PM
dmeyerson@C02G73VMMD6P cerbos-ABAC % helm status cerbos -n cerbos-dev
NAME: cerbos
LAST DEPLOYED: Wed Jul 26 17:23:13 2023
NAMESPACE: cerbos-dev
STATUS: pending-install
REVISION: 1
TEST SUITE: None
NOTES:
You have successfully deployed Cerbos.
Dmitry Meyerson
07/26/2023, 6:06 PM
50s Warning Unhealthy pod/cerbos-996bd55cb-dtbws Readiness probe failed: Get "http://10.32.5.123:3592/_cerbos/health": dial tcp 10.32.5.123:3592: connect: connection refused
Charith (Cerbos)
kubectl get deploy cerbos -n cerbos-dev
Charith (Cerbos)
pending-install is a known issue with Helm. You can try doing a helm rollback and rolling back to the previous release to "reset" the state or just simply uninstall and reinstall the chart.
Dmitry Meyerson
07/27/2023, 4:22 PM
Dmitry Meyerson
07/27/2023, 4:23 PM
Dmitry Meyerson
07/27/2023, 4:27 PM
6m8s Warning Unhealthy pod/cerbos-5859d99ff8-8r9t8 Readiness probe failed: Get "http://10.32.5.129:3592/_cerbos/health": dial tcp 10.32.5.129:3592: connect: connection refused
Charith (Cerbos)
Dmitry Meyerson
07/27/2023, 4:57 PM
dmeyerson@my_laptop cerbos-ABAC % curl http://localhost:3592/_cerbos/health
{"status":"SERVING"}
Dmitry Meyerson
07/27/2023, 5:01 PM
% kubectl logs cerbos-5859d99ff8-8r9t8 -n cerbos-dev
{"log.level":"info","@timestamp":"2023-07-27T16:09:20.242Z","log.logger":"cerbos.server","message":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}
{"log.level":"info","@timestamp":"2023-07-27T16:09:20.243Z","log.logger":"cerbos.server","message":"Loading configuration from /config/config.yaml"}
{"log.level":"info","@timestamp":"2023-07-27T16:09:20.244Z","log.logger":"cerbos.git.store","message":"Cloning git repo from https://git.viasat.com/OPS-ML-Engineering/cerbos-ABAC.git","dir":"/work"}
{"log.level":"info","@timestamp":"2023-07-27T16:09:20.581Z","log.logger":"cerbos.git.store","message":"Opening git repo","dir":"/work"}
{"log.level":"info","@timestamp":"2023-07-27T16:09:20.592Z","log.logger":"cerbos.index","message":"Found 2 executable policies"}
{"log.level":"info","@timestamp":"2023-07-27T16:09:20.593Z","log.logger":"cerbos.telemetry","message":"Telemetry disabled"}
{"log.level":"info","@timestamp":"2023-07-27T16:09:20.593Z","log.logger":"cerbos.git.store","message":"Polling for updates every 1m0s","dir":"/work"}
{"log.level":"info","@timestamp":"2023-07-27T16:09:20.595Z","log.logger":"cerbos.grpc","message":"Starting gRPC server at :3593"}
{"log.level":"info","@timestamp":"2023-07-27T16:09:20.598Z","log.logger":"cerbos.http","message":"Starting HTTP server at :3592"}
Charith (Cerbos)
kubectl get deploy cerbos -n cerbos-dev ?
Dmitry Meyerson
07/27/2023, 5:31 PM
Charith (Cerbos)
Dmitry Meyerson
07/27/2023, 5:59 PM
Dmitry Meyerson
07/27/2023, 6:14 PM
Dmitry Meyerson
07/27/2023, 6:19 PM
'STATUS: deployed' in reality on the server side it may yet get stuck
• permissions and service accounts: one needs to run helm ... with an account having sufficient permission, because I am using some automation w/ service account creds rather than just running helm myself, helm gets stuck (silently) in pending-install because of an insufficient set of verbs+resources associated w/ the account running the helm command, rather than raise an error complaining that ~ “service account X doesn’t get to perform Y on resource Z”
Dmitry Meyerson
07/27/2023, 6:19 PM
Dmitry Meyerson
07/27/2023, 6:20 PM