-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
Jenkins: 2.240 (running on k8s in a dedicated namespace)
Hi,
We've been seeing the exception below for a while now. Since upgrading to Jenkins 2.240 and Kubernetes Plugin 1.26 it has started to add a permanent notification every N minutes. When I logged in today, there were about 9480 notifications and it was keeping on adding new notifications. Those won't go away until you restart Jenkins. 
Failed to initialize Kubernetes secret providerio.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.43.0.1/api/v1/namespaces/jenkins/secrets?labelSelector=jenkins.io%2Fcredentials-type. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. secrets is forbidden: User "system:serviceaccount:jenkins:default" cannot list resource "secrets" in API group "" in the namespace "jenkins". at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:568) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:505) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:471) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:430) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:412) at io.fabric8.kubernetes.client.dsl.base.BaseOperation.listRequestHelper(BaseOperation.java:151) at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:621) at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:70) at com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.KubernetesCredentialProvider.startWatchingForSecrets(KubernetesCredentialProvider.java:115) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:104) at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:175) at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:296) at jenkins.model.Jenkins$5.runTask(Jenkins.java:1131) at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:214) at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117) at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)
I'm not sure why is it complaining, since executing a curl request to the above endpoint using the jenkin's user token gives a successful result (it simply has no secrets configured in the namespace):
$ curl -k "https://10.43.0.1/api/v1/namespaces/jenkins/secrets?labelSelector=jenkins.io%2Fcredentials-type" -H "Authorization: Bearer $JENKINS_USER_TOKEN" { "kind": "SecretList", "apiVersion": "v1", "metadata": { "selfLink": "/api/v1/namespaces/jenkins/secrets", "resourceVersion": "63369926" }, "items": [] }
