Longhorn on K3s PV attach error

Hi, i’m trying to run longhorn on K3S cluster but get the following error when i deploy anything that uses a longhorn PVC (i used the deployment.yaml from the longhorn/examples)

Warning  FailedAttachVolume  74s (x9 over 3m23s)    attachdetach-controller  AttachVolume.Attach failed for volume "pvc-fd0caf73-b1e8-11e9-9ceb-22f1a8780bed" : volumeattachments.storage.k8s.io is forbidden: User "system:node:k3scluster" cannot create resource "volumeattachments" in API group "storage.k8s.io" at the cluster scope: can only get individual resources of this type

Something about permissions not right here? Searched for an answer but could not find any.
I’m just starting with kubernetes and do not know how to fix this.
Anyone?
Thanks in advance
Jelle

@jelleb

Can you list the reproduce steps here? (Assuming you’ve installed longhorn using the instruction at github.com/longhorn/longhorn)

Hello,

Yes, i have the k3scluster installed with:
curl -sfL https://get.k3s.io | sh -s - --no-deploy traefik --no-deploy servicelb
In 2 proxmox vm’s(1 master, 1 node) with Ubuntu 18.04.2 lts, only containerd no docker.
I use metallb as loadbalancer and my own traefik (not yet installed)
iscisi is installed and running.
metallb is running and longhorn ui gets an ip address from the ip pool.
I have used both the kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/master/deploy/longhorn.yaml and the helm install ./longhorn/chart --name longhorn --namespace longhorn-system
after cloning the repository, i followed the steps to remove longhorn before installing it again with helm.
Both give the same result, i also tried the # manually set root directory for csi and following lines uncommented in longhorn.yaml but that also gave the same result.
If I use the rancher local-path sc or OpenEbs sc the volume gets mounted in the pod ok, so it seems longhorn related. (I removed longhorn before installing openebs just to be sure)
There is nothing more running in the cluster, I use the master and 1 node so set the replicas to 2.
If you need more information please let me know.

Jelle

Both local path and openEBS are not using Kubernetes CSI driver, which is the one has issue here.

Can you reinstall Longhorn, starting the workload, and send us support bundle (you can find it in the UI’s footer)? You can send it to longhorn-support-bundle@rancher.com

Thanks.

Will do, hope you find something.

Jelle

FYI, we’re also having the same issue on a k3s cluster (0.7.0 and 0.8.0), but with a different CSI driver.

The error seems to be coming from the node authorizer, but this might be misleading: both the node authorizer and the RBAC authorizer return DecisionNoOpinion, so the error could be coming from the last authorizer to return DecitionNoOpinion.
If that’s the case, the request should actually have been authorized by RBAC. Somehow the attachdetach-controller seems to not be using it’s service account.