Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kube Operator does now work for the create_host_user_mode option #31640

Closed
pschisa opened this issue Sep 8, 2023 · 1 comment
Closed

Kube Operator does now work for the create_host_user_mode option #31640

pschisa opened this issue Sep 8, 2023 · 1 comment
Labels
bug c-kk Internal Customer Reference kube-operator Issues related to Kube Operator

Comments

@pschisa
Copy link
Contributor

pschisa commented Sep 8, 2023

Expected behavior:
create_host_user_mode can be set to keep/drop/off as described in the role documentation with the Kube operator

    # Controls whether this role supports auto provisioning of SSH users.
    # Options: drop (remove user on session end), keep (keep users at session end)
    #          and off (disable host user creation)
    create_host_user_mode: drop

Current behavior:
Setting create_host_user_mode in a role definition for the kube operator fails saying the only accepted value is an integer

[root@ip-172-31-22-182 ~]# cat role.yaml
apiVersion: resources.teleport.dev/v5
kind: TeleportRole
metadata:
  name: myrole
spec:
  allow:
    rules:
      - resources: ['user', 'role']
        verbs: ['list','create','read','update','delete']
  options:
    create_host_user_mode: keep
[root@ip-172-31-22-182 ~]# kubectl apply -f role.yaml
The TeleportRole "myrole" is invalid: spec.options.create_host_user_mode: Invalid value: "string": spec.options.create_host_user_mode in body must be of type integer: "string"

This was only resolved when I did set that value to an integer. Trying the old true/false option also failed. As a workaround the role had to be manually updated via the Web UI.

Bug details:

  • Teleport version: 13.3.7
  • Recreation steps: Deploy the Teleport Cluster chart with the operator enabled and attempt to create a role with create_host_user_mode
  • Debug logs
[root@ip-172-31-22-182 ~]# kubectl apply -f role.yaml -v=9
I0908 14:26:58.108659 3566087 loader.go:373] Config loaded from file:  /root/.kube/config
I0908 14:26:58.109669 3566087 cert_rotation.go:137] Starting client certificate rotation controller
I0908 14:26:58.110155 3566087 round_trippers.go:466] curl -v -XGET  -H "Accept: application/[email protected]+protobuf" -H "User-Agent: kubectl/v1.26.1 (linux/amd64) kubernetes/8f94681" 'https://192.168.49.2:8443/openapi/v2?timeout=32s'
I0908 14:26:58.330648 3566087 round_trippers.go:510] HTTP Trace: Dial to tcp:192.168.49.2:8443 succeed
I0908 14:26:58.426118 3566087 round_trippers.go:553] GET https://192.168.49.2:8443/openapi/v2?timeout=32s 200 OK in 315 milliseconds
I0908 14:26:58.426179 3566087 round_trippers.go:570] HTTP Statistics: DNSLookup 0 ms Dial 0 ms TLSHandshake 80 ms ServerProcessing 14 ms Duration 315 ms
I0908 14:26:58.426191 3566087 round_trippers.go:577] Response Headers:
I0908 14:26:58.426202 3566087 round_trippers.go:580]     Accept-Ranges: bytes
I0908 14:26:58.426213 3566087 round_trippers.go:580]     Audit-Id: d0952354-25ef-4caa-8a12-54c5f70931b6
I0908 14:26:58.426223 3566087 round_trippers.go:580]     Date: Fri, 08 Sep 2023 14:26:58 GMT
I0908 14:26:58.426232 3566087 round_trippers.go:580]     X-From-Cache: 1
I0908 14:26:58.426241 3566087 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: e2b58b22-3630-4c5c-978d-e42e68ac62dd
I0908 14:26:58.426250 3566087 round_trippers.go:580]     Etag: "F10E36730897CD6902FB07139D8B6DB762B1328D50DAA03FB1037DE5076A3C8D5C423765E8FDD86C9D6314A7772151F4E92B63BE97DBC05010DEFB82A71BEE66"
I0908 14:26:58.426260 3566087 round_trippers.go:580]     X-Varied-Accept: application/[email protected]+protobuf
I0908 14:26:58.426287 3566087 round_trippers.go:580]     Cache-Control: no-cache, private
I0908 14:26:58.426299 3566087 round_trippers.go:580]     Vary: Accept-Encoding
I0908 14:26:58.426308 3566087 round_trippers.go:580]     Vary: Accept
I0908 14:26:58.426317 3566087 round_trippers.go:580]     Last-Modified: Thu, 31 Aug 2023 15:59:09 GMT
I0908 14:26:58.426327 3566087 round_trippers.go:580]     Content-Type: application/octet-stream
I0908 14:26:58.426336 3566087 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: 5b99d38d-987f-45c5-a4fb-a8e0ffc2da4a
I0908 14:26:59.250434 3566087 request.go:1169] Response Body:
00000000  0a 03 32 2e 30 12 15 0a  0a 4b 75 62 65 72 6e 65  |..2.0....Kuberne|
00000010  74 65 73 12 07 76 31 2e  32 36 2e 31 42 fc a7 95  |tes..v1.26.1B...|
00000020  01 12 8c 02 0a 22 2f 2e  77 65 6c 6c 2d 6b 6e 6f  |....."/.well-kno|
00000030  77 6e 2f 6f 70 65 6e 69  64 2d 63 6f 6e 66 69 67  |wn/openid-config|
00000040  75 72 61 74 69 6f 6e 2f  12 e5 01 12 e2 01 0a 09  |uration/........|
00000050  57 65 6c 6c 4b 6e 6f 77  6e 1a 57 67 65 74 20 73  |WellKnown.Wget s|
00000060  65 72 76 69 63 65 20 61  63 63 6f 75 6e 74 20 69  |ervice account i|
00000070  73 73 75 65 72 20 4f 70  65 6e 49 44 20 63 6f 6e  |ssuer OpenID con|
00000080  66 69 67 75 72 61 74 69  6f 6e 2c 20 61 6c 73 6f  |figuration, also|
00000090  20 6b 6e 6f 77 6e 20 61  73 20 74 68 65 20 27 4f  | known as the 'O|
000000a0  49 44 43 20 64 69 73 63  6f 76 65 72 79 20 64 6f  |IDC discovery do|
000000b0  63 27 2a 2a 67 65 74 53  65 72 76 69 63 65 41 63  |c'**getServiceAc|
000000c0  63 6f 75 6e 74 49 73 73  75 65 72 4f 70 65 6e 49  |countIssuerOpenI|
000000d0  44 43 6f 6e 66 69 67 75  72 61 74 69 6f 6e 32 10  |DConfiguration2.|
000000e0  61 70 70 6c 69 63 61 74  69 6f 6e 2f 6a 73 6f 6e  |application/json|
000000f0  4a 37 0a 1c 0a 03 32 30  30 12 15 0a 13 0a 02 4f  |J7....200......O|
00000100  4b 12 0d 0a 0b b2 01 08  0a 06 73 74 72 69 6e 67  |K.........string|
00000110  0a 17 0a 03 34 30 31 12  10 0a 0e 0a 0c 55 6e 61  |....401......Una|
00000120  75 74 68 6f 72 69 7a 65  64 52 05 68 74 74 70 73  |uthorizedR.https|
00000130  12 ca 02 0a 05 2f 61 70  69 2f 12 c0 02 12 bd 02  |...../api/......|
00000140  0a 04 63 6f 72 65 1a 1a  67 65 74 20 61 76 61 69  |..core..get avai|
00000150  6c 61 62 6c 65 20 41 50  49 20 76 65 72 73 69 6f  |lable API versio|
00000160  6e 73 2a 12 67 65 74 43  6f 72 65 41 50 49 56 65  |ns*.getCoreAPIVe|
00000170  72 73 69 6f 6e 73 32 10  61 70 70 6c 69 63 61 74  |rsions2.applicat|
00000180  69 6f 6e 2f 6a 73 6f 6e  32 10 61 70 70 6c 69 63  |ion/json2.applic|
00000190  61 74 69 6f 6e 2f 79 61  6d 6c 32 23 61 70 70 6c  |ation/yaml2#appl|
000001a0  69 63 61 74 69 6f 6e 2f  76 6e 64 2e 6b 75 62 65  |ication/vnd.kube|
000001b0  72 6e 65 74 65 73 2e 70  72 6f 74 6f 62 75 66 3a  |rnetes.protobuf:|
000001c0  10 61 70 70 6c 69 63 61  74 69 6f 6e 2f 6a 73 6f  |.application/jso|
000001d0  6e 3a 10 61 70 70 6c 69  63 61 74 69 6f 6e 2f 79  |n:.application/y|
000001e0  61 6d 6c 3a 23 61 70 70  6c 69 63 61 74 69 6f 6e  |aml:#application|
000001f0  2f 76 6e 64 2e 6b 75 62  65 72 6e 65 74 65 73 2e  |/vnd.kubernetes.|
00000200  70 72 6f 74 6f 62 75 66  4a 6c 0a 51 0a 03 32 30  |protobufJl.Q..20|
00000210  30 12 4a 0a 48 0a 02 4f  4b 12 42 0a 40 0a 3e 23  |0.J.H..OK.B.@.>#|
00000220  2f 64 65 66 69 6e 69 74  69 6f 6e 73 2f 69 6f 2e  |/definitions/io.|
00000230  6b 38 73 2e 61 70 69 6d  61 63 68 69 6e 65 72 79  |k8s.apimachinery|
00000240  2e 70 6b 67 2e 61 70 69  73 2e 6d 65 74 61 2e 76  |.pkg.apis.meta.v|
00000250  31 2e 41 50 49 56 65 72  73 69 6f 6e 73 0a 17 0a  |1.APIVersions...|
00000260  03 34 30 31 12 10 0a 0e  0a 0c 55 6e 61 75 74 68  |.401......Unauth|
00000270  6f 72 69 7a 65 64 52 05  68 74 74 70 73 12 d4 02  |orizedR.https...|
00000280  0a 08 2f 61 70 69 2f 76  31 2f 12 c7 02 12 c4 02  |../api/v1/......|
00000290  0a 07 63 6f 72 65 5f 76  31 1a 17 67 65 74 20 61  |..core_v1..get a|
000002a0  76 61 69 6c 61 62 6c 65  20 72 65 73 6f 75 72 63  |vailable resourc|
000002b0  65 73 2a 15 67 65 74 43  6f 72 65 56 31 41 50 49  |es*.getCoreV1API|
000002c0  52 65 73 6f 75 72 63 65  73 32 10 61 70 70 6c 69  |Resources2.appli|
000002d0  63 61 74 69 6f 6e 2f 6a  73 6f 6e 32 10 61 70 70  |cation/json2.app|
000002e0  6c 69 63 61 74 69 6f 6e  2f 79 61 6d 6c 32 23 61  |lication/yaml2#a|
000002f0  70 70 6c 69 63 61 74 69  6f 6e 2f 76 6e 64 2e 6b  |pplication/vnd.k|
00000300  75 62 65 72 6e 65 74 65  73 2e 70 72 6f 74 6f 62  |ubernetes.protob|
00000310  75 66 3a 10 61 70 70 6c  69 63 61 74 69 6f 6e 2f  |uf:.application/|
00000320  6a 73 6f 6e 3a 10 61 70  70 6c 69 63 61 74 69 6f  |json:.applicatio|
00000330  6e 2f 79 61 6d 6c 3a 23  61 70 70 6c 69 63 61 74  |n/yaml:#applicat|
00000340  69 6f 6e 2f 76 6e 64 2e  6b 75 62 65 72 6e 65 74  |ion/vnd.kubernet|
00000350  65 73 2e 70 72 6f 74 6f  62 75 66 4a 70 0a 55 0a  |es.protobufJp.U.|
00000360  03 32 30 30 12 4e 0a 4c  0a 02 4f 4b 12 46 0a 44  |.200.N.L..OK.F.D|
00000370  0a 42 23 2f 64 65 66 69  6e 69 74 69 6f 6e 73 2f  |.B#/definitions/|
00000380  69 6f 2e 6b 38 73 2e 61  70 69 6d 61 63 68 69 6e  |io.k8s.apimachin|
00000390  65 72 79 2e 70 6b 67 2e  61 70 69 73 2e 6d 65 74  |ery.pkg.apis.met|
000003a0  61 2e 76 31 2e 41 50 49  52 65 73 6f 75 72 63 65  |a.v1.APIResource|
000003b0  4c 69 73 74 0a 17 0a 03  34 30 31 12 10 0a 0e 0a  |List....401.....|
000003c0  0c 55 6e 61 75 74 68 6f  72 69 7a 65 64 52 05 68  |.UnauthorizedR.h|
000003d0  74 74 70 73 12 9a 26 0a  19 2f 61 70 69 2f 76 31  |ttps..&../api/v1|
000003e0  2f 63 6f 6d 70 6f 6e 65  6e 74 73 74 61 74 75 73  |/componentstatus|
000003f0  65 73 12 fc 25 12 c7 03  0a 07 63 6f 72 65 5f 76  |es..%.....core_v|
00000400  31 1a 24 6c 69 73 74 20  6f 62 6a 65 63 74 73 20  |1.$list objects |
00000410  6f 66 20 6b 69 6e 64 20  43 6f 6d 70 6f 6e 65 6e  |of kind Componen|
00000420  74 53 74 61 74 75 73 2a  19 6c 69 73 74 43 6f 72  |tStatus*.listCor|
00000430  65 56 31 43 6f 6d 70 6f  6e 65 6e 74 53 74 61 74  |eV1ComponentStat|
00000440  75 73 32 10 61 70 70 6c  69 63 61 74 69 6f 6e 2f  |us2.application/|
00000450  6a 73 6f 6e 32 10 61 70  70 6c 69 63 61 74 69 6f  |json2.applicatio|
00000460  6e 2f 79 61 6d 6c 32 23  61 70 70 6c 69 63 61 74  |n/yaml2#applicat|
00000470  69 6f 6e 2f 76 6e 64 2e  6b 75 62 65 72 6e 65 74  |ion/vnd.kubernet|
00000480  65 73 2e 70 72 6f 74 6f  62 75 66 32 1d 61 70 70  |es.protobuf2.app|
00000490  6c 69 63 61 74 69 6f 6e  2f 6a 73 6f 6e 3b 73 74  |lication/json;st|
000004a0  72 65 61 6d 3d 77 61 74  63 68 32 30 61 70 70 6c  |ream=watch20appl|
000004b0  69 63 61 74 69 6f 6e 2f  76 6e 64 2e 6b 75 62 65  |ication/vnd.kube|
000004c0  72 6e 65 74 65 73 2e 70  72 6f 74 6f 62 75 66 3b  |rnetes.protobuf;|
000004d0  73 74 72 65 61 6d 3d 77  61 74 63 68 3a 03 2a 2f  |stream=watch:.*/|
000004e0  2a 4a 62 0a 47 0a 03 32  30 30 12 40 0a 3e 0a 02  |*Jb.G..200.@.>..|
000004f0  4f 4b 12 38 0a 36 0a 34  23 2f 64 65 66 69 6e 69  |OK.8.6.4#/defini|
00000500  74 69 6f 6e 73 2f 69 6f  2e 6b 38 73 2e 61 70 69  |tions/io.k8s.api|
00000510  2e 63 6f 72 65 2e 76 31  2e 43 6f 6d 70 6f 6e 65  |.core.v1.Compone|
00000520  6e 74 53 74 61 74 75 73  4c 69 73 74 0a 17 0a 03  |ntStatusList....|
00000530  34 30 31 12 10 0a 0e 0a  0c 55 6e 61 75 74 68 6f  |401......Unautho|
00000540  72 69 7a 65 64 52 05 68  74 74 70 73 6a 1e 0a 13  |rizedR.httpsj...|
00000550  78 2d 6b 75 62 65 72 6e  65 74 65 73 2d 61 63 74  |x-kubernetes-act|
00000560  69 6f 6e 12 07 12 05 6c  69 73 74 0a 6a 51 0a 1f  |ion....list.jQ..|
00000570  78 2d 6b 75 62 65 72 6e  65 74 65 73 2d 67 72 6f  |x-kubernetes-gro|
00000580  75 70 2d 76 65 72 73 69  6f 6e 2d 6b 69 6e 64 12  |up-version-kind.|
00000590  2e 12 2c 67 72 6f 75 70  3a 20 22 22 0a 6b 69 6e  |..,group: "".kin|
000005a0  64 3a 20 43 6f 6d 70 6f  6e 65 6e 74 53 74 61 74  |d: ComponentStat|
000005b0  75 73 0a 76 65 72 73 69  6f 6e 3a 20 76 31 0a 4a  |us.version: v1.J|
000005c0  ab 03 0a a8 03 12 a5 03  1a a2 03 12 05 71 75 65  |.............que|
000005d0  72 79 1a f7 02 61 6c 6c  6f 77 57 61 74 63 68 42  |ry...allowWatchB|
000005e0  6f 6f 6b 6d 61 72 6b 73  20 72 65 71 75 65 73 74  |ookmarks request|
000005f0  73 20 77 61 74 63 68 20  65 76 65 6e 74 73 20 77  |s watch events w|
00000600  69 74 68 20 74 79 70 65  20 22 42 4f 4f 4b 4d 41  |ith type "BOOKMA|
00000610  52 4b 22 2e 20 53 65 72  76 65 72 73 20 74 68 61  |RK". Servers tha|
00000620  74 20 64 6f 20 6e 6f 74  20 69 6d 70 6c 65 6d 65  |t do not impleme|
00000630  6e 74 20 62 6f 6f 6b 6d  61 72 6b 73 20 6d 61 79  |nt bookmarks may|
00000640  20 69 67 6e 6f 72 65 20  74 68 69 73 20 66 6c 61  | ignore this fla|
00000650  67 20 61 6e 64 20 62 6f  6f 6b 6d 61 72 6b 73 20  |g and bookmarks |
00000660  61 72 65 20 73 65 6e 74  20 61 74 20 74 68 65 20  |are sent at the |
00000670  73 65 72 76 65 72 27 73  20 64 69 73 63 72 65 74  |server's discret|
00000680  69 6f 6e 2e 20 43 6c 69  65 6e 74 73 20 73 68 6f  |ion. Clients sho|
00000690  75 6c 64 20 6e 6f 74 20  61 73 73 75 6d 65 20 62  |uld not assume b|
000006a0  6f 6f 6b 6d 61 72 6b 73  20 61 72 65 20 72 65 74  |ookmarks are ret|
000006b0  75 72 6e 65 64 20 61 74  20 61 6e 79 20 73 70 65  |urned at any spe|
000006c0  63 69 66 69 63 20 69 6e  74 65 72 76 61 6c 2c 20  |cific interval, |
000006d0  6e 6f 72 20 6d 61 79 20  74 68 65 79 20 61 73 73  |nor may they ass|
000006e0  75 6d 65 20 74 68 65 20  73 65 72 76 65 72 20 77  |ume the server w|
000006f0  69 6c 6c 20 73 65 6e 64  20 61 6e 79 20 42 4f 4f  |ill send any BOO|
00000700  4b 4d 41 52 4b 20 65 76  65 6e 74 20 64 75 72 69  |KMARK event duri|
00000710  6e 67 20 61 20 73 65 73  73 69 6f 6e 2e 20 49 66  |ng a session. If|
00000720  20 74 68 69 73 20 69 73  20 6e 6f 74 20 61 20 77  | this is not a w|
00000730  61 74 63 68 2c 20 74 68  69 73 20 66 69 65 6c 64  |atch, this field|
00000740  20 69 73 20 69 67 6e 6f  72 65 64 2e 22 13 61 6c  | is ignored.".al|
00000750  6c 6f 77 57 61 74 63 68  42 6f 6f 6b 6d 61 72 6b  |lowWatchBookmark|
00000760  73 32 07 62 6f 6f 6c 65  61 6e a0 01 01 4a ef 09  |s2.boolean...J..|
00000770  0a ec 09 12 e9 09 1a e6  09 12 05 71 75 65 72 79  |...........query|
00000780  1a c7 09 54 68 65 20 63  6f 6e 74 69 6e 75 65 20  |...The continue |
00000790  6f 70 74 69 6f 6e 20 73  68 6f 75 6c 64 20 62 65  |option should be|
000007a0  20 73 65 74 20 77 68 65  6e 20 72 65 74 72 69 65  | set when retrie|
000007b0  76 69 6e 67 20 6d 6f 72  65 20 72 65 73 75 6c 74  |ving more result|
000007c0  73 20 66 72 6f 6d 20 74  68 65 20 73 65 72 76 65  |s from the serve|
000007d0  72 2e 20 53 69 6e 63 65  20 74 68 69 73 20 76 61  |r. Since this va|
000007e0  6c 75 65 20 69 73 20 73  65 72 76 65 72 20 64 65  |lue is server de|
000007f0  66 69 6e 65 64 2c 20 63  6c 69 65 6e 74 73 20 6d  |fined, clients m|
00000800  61 79 20 6f 6e 6c 79 20  75 73 65 20 74 68 65 20  |ay only use the |
00000810  63 6f 6e 74 69 6e 75 65  20 76 61 6c 75 [truncated 15741876 chars]
I0908 14:26:59.821125 3566087 round_trippers.go:466] curl -v -XGET  -H "Accept: application/json" -H "User-Agent: kubectl/v1.26.1 (linux/amd64) kubernetes/8f94681" 'https://192.168.49.2:8443/apis/resources.teleport.dev/v5/namespaces/teleport-cluster/teleportroles/myrole'
I0908 14:26:59.869856 3566087 round_trippers.go:553] GET https://192.168.49.2:8443/apis/resources.teleport.dev/v5/namespaces/teleport-cluster/teleportroles/myrole 200 OK in 48 milliseconds
I0908 14:26:59.869894 3566087 round_trippers.go:570] HTTP Statistics: GetConnection 0 ms ServerProcessing 32 ms Duration 48 ms
I0908 14:26:59.869904 3566087 round_trippers.go:577] Response Headers:
I0908 14:26:59.869917 3566087 round_trippers.go:580]     Cache-Control: no-cache, private
I0908 14:26:59.869926 3566087 round_trippers.go:580]     Content-Type: application/json
I0908 14:26:59.869935 3566087 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: 5b99d38d-987f-45c5-a4fb-a8e0ffc2da4a
I0908 14:26:59.869944 3566087 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: e2b58b22-3630-4c5c-978d-e42e68ac62dd
I0908 14:26:59.869953 3566087 round_trippers.go:580]     Content-Length: 2337
I0908 14:26:59.869962 3566087 round_trippers.go:580]     Date: Fri, 08 Sep 2023 14:26:59 GMT
I0908 14:26:59.869971 3566087 round_trippers.go:580]     Audit-Id: b454b81b-33b9-4af4-91b4-956df550c3ec
I0908 14:26:59.870025 3566087 request.go:1171] Response Body: {"apiVersion":"resources.teleport.dev/v5","kind":"TeleportRole","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"resources.teleport.dev/v5\",\"kind\":\"TeleportRole\",\"metadata\":{\"annotations\":{},\"name\":\"myrole\",\"namespace\":\"teleport-cluster\"},\"spec\":{\"allow\":{\"rules\":[{\"resources\":[\"user\",\"role\"],\"verbs\":[\"list\",\"create\",\"read\",\"update\",\"delete\"]}]},\"options\":{\"create_host_user_mode\":0}}}\n"},"creationTimestamp":"2023-09-08T14:19:23Z","finalizers":["resources.teleport.dev/deletion"],"generation":1,"managedFields":[{"apiVersion":"resources.teleport.dev/v5","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:spec":{".":{},"f:allow":{".":{},"f:rules":{}},"f:options":{".":{},"f:create_host_user_mode":{}}}},"manager":"kubectl-client-side-apply","operation":"Update","time":"2023-09-08T14:19:23Z"},{"apiVersion":"resources.teleport.dev/v5","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:finalizers":{".":{},"v:\"resources.teleport.dev/deletion\"":{}}}},"manager":"teleport-operator","operation":"Update","time":"2023-09-08T14:19:52Z"},{"apiVersion":"resources.teleport.dev/v5","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:teleportResourceID":{}}},"manager":"teleport-operator","operation":"Update","subresource":"status","time":"2023-09-08T14:20:05Z"}],"name":"myrole","namespace":"teleport-cluster","resourceVersion":"17376083","uid":"ca5ee6b4-31af-4ae3-ad86-e364f3289822"},"spec":{"allow":{"rules":[{"resources":["user","role"],"verbs":["list","create","read","update","delete"]}]},"options":{"create_host_user_mode":0}},"status":{"conditions":[{"lastTransitionTime":"2023-09-08T14:19:52Z","message":"Kubernetes CR was successfully decoded.","reason":"NoError","status":"True","type":"ValidStructure"},{"lastTransitionTime":"2023-09-08T14:20:04Z","message":"Teleport resource has the Kubernetes origin label.","reason":"OriginLabelMatching","status":"True","type":"TeleportResourceOwned"},{"lastTransitionTime":"2023-09-08T14:20:04Z","message":"Teleport resource was successfully reconciled, no error was returned by Teleport.","reason":"NoError","status":"True","type":"SuccessfullyReconciled"}],"teleportResourceID":0}}
I0908 14:26:59.872980 3566087 request.go:1171] Request Body: {"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"resources.teleport.dev/v5\",\"kind\":\"TeleportRole\",\"metadata\":{\"annotations\":{},\"name\":\"myrole\",\"namespace\":\"teleport-cluster\"},\"spec\":{\"allow\":{\"rules\":[{\"resources\":[\"user\",\"role\"],\"verbs\":[\"list\",\"create\",\"read\",\"update\",\"delete\"]}]},\"options\":{\"create_host_user_mode\":\"keep\"}}}\n"}},"spec":{"options":{"create_host_user_mode":"keep"}}}
I0908 14:26:59.873066 3566087 round_trippers.go:466] curl -v -XPATCH  -H "User-Agent: kubectl/v1.26.1 (linux/amd64) kubernetes/8f94681" -H "Accept: application/json" -H "Content-Type: application/merge-patch+json" 'https://192.168.49.2:8443/apis/resources.teleport.dev/v5/namespaces/teleport-cluster/teleportroles/myrole?fieldManager=kubectl-client-side-apply&fieldValidation=Strict'
I0908 14:26:59.912671 3566087 round_trippers.go:553] PATCH https://192.168.49.2:8443/apis/resources.teleport.dev/v5/namespaces/teleport-cluster/teleportroles/myrole?fieldManager=kubectl-client-side-apply&fieldValidation=Strict 422 Unprocessable Entity in 39 milliseconds
I0908 14:26:59.912727 3566087 round_trippers.go:570] HTTP Statistics: GetConnection 0 ms ServerProcessing 39 ms Duration 39 ms
I0908 14:26:59.912738 3566087 round_trippers.go:577] Response Headers:
I0908 14:26:59.912751 3566087 round_trippers.go:580]     Content-Length: 604
I0908 14:26:59.912760 3566087 round_trippers.go:580]     Date: Fri, 08 Sep 2023 14:26:59 GMT
I0908 14:26:59.912769 3566087 round_trippers.go:580]     Audit-Id: d19e983b-3467-49e1-b652-94cee5586a40
I0908 14:26:59.912778 3566087 round_trippers.go:580]     Cache-Control: no-cache, private
I0908 14:26:59.912786 3566087 round_trippers.go:580]     Content-Type: application/json
I0908 14:26:59.912800 3566087 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: 5b99d38d-987f-45c5-a4fb-a8e0ffc2da4a
I0908 14:26:59.912810 3566087 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: e2b58b22-3630-4c5c-978d-e42e68ac62dd
I0908 14:26:59.913023 3566087 request.go:1171] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"TeleportRole.resources.teleport.dev \"myrole\" is invalid: spec.options.create_host_user_mode: Invalid value: \"string\": spec.options.create_host_user_mode in body must be of type integer: \"string\"","reason":"Invalid","details":{"name":"myrole","group":"resources.teleport.dev","kind":"TeleportRole","causes":[{"reason":"FieldValueTypeInvalid","message":"Invalid value: \"string\": spec.options.create_host_user_mode in body must be of type integer: \"string\"","field":"spec.options.create_host_user_mode"}]},"code":422}
The TeleportRole "myrole" is invalid: spec.options.create_host_user_mode: Invalid value: "string": spec.options.create_host_user_mode in body must be of type integer: "string"
@pschisa pschisa added bug kube-operator Issues related to Kube Operator c-kk Internal Customer Reference labels Sep 8, 2023
@pschisa
Copy link
Contributor Author

pschisa commented Sep 8, 2023

duplicate of #29686

@pschisa pschisa closed this as not planned Won't fix, can't repro, duplicate, stale Sep 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug c-kk Internal Customer Reference kube-operator Issues related to Kube Operator
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@pschisa