This repository was archived by the owner on Oct 28, 2024. It is now read-only.

/component-templates/nested-controllermanager/nested-controllermanager-statefulset-template.yaml: permission denied #201

Closed
jichenjc opened this issue Aug 2, 2021 · 9 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@jichenjc
Contributor

jichenjc commented Aug 2, 2021

What steps did you take and what happened:
[A clear and concise description on how to REPRODUCE the bug.]

I am testing my PR and I got the following issue.
Then I switched to the main branch with a new git clone and still have the same issue; not sure what happened by using https://github.com/kubernetes-sigs/cluster-api-provider-nested/blob/main/docs/dev-quickstart.md

I0802 08:04:28.080894       1 nestedcontrolplane_controller.go:186] controllers/controlplane/NestedControlPlane "msg"="Reconcile NestedControlPlane" "cluster"="cluster-sample" "nestedcontrolplane"={"Namespace":"default","Name":"nestedcontrolplane-sample"}
I0802 08:04:28.081930       1 nestedcontrolplane_controller.go:238] controllers/controlplane/NestedControlPlane "msg"="Component is not ready" "cluster"="cluster-sample" "nestedcontrolplane"={"Namespace":"default","Name":"nestedcontrolplane-sample"} "component"={"kind":"NestedEtcd","name":"nestedetcd-sample","apiVersion":"controlplane.cluster.x-k8s.io/v1alpha4"}
I0802 08:04:28.082083       1 nestedcontrolplane_controller.go:238] controllers/controlplane/NestedControlPlane "msg"="Component is not ready" "cluster"="cluster-sample" "nestedcontrolplane"={"Namespace":"default","Name":"nestedcontrolplane-sample"} "component"={"kind":"NestedAPIServer","name":"nestedapiserver-sample","apiVersion":"controlplane.cluster.x-k8s.io/v1alpha4"}
I0802 08:04:28.082176       1 nestedcontrolplane_controller.go:238] controllers/controlplane/NestedControlPlane "msg"="Component is not ready" "cluster"="cluster-sample" "nestedcontrolplane"={"Namespace":"default","Name":"nestedcontrolplane-sample"} "component"={"kind":"NestedControllerManager","name":"nestedcontrollermanager-sample","apiVersion":"controlplane.cluster.x-k8s.io/v1alpha4"}
I0802 08:04:44.439011       1 nestedcontrollermanager_controller.go:49] controllers/controlplane/NestedControllerManager "msg"="Reconciling NestedControllerManager..." "nestedcontrollermanager"={"Namespace":"default","Name":"nestedcontrollermanager-sample"}
I0802 08:04:44.439120       1 nestedcontrollermanager_controller.go:54] controllers/controlplane/NestedControllerManager "msg"="creating NestedControllerManager" "nestedcontrollermanager"={"Namespace":"default","Name":"nestedcontrollermanager-sample"} "name"="nestedcontrollermanager-sample" "namespace"="default"
E0802 08:04:44.439309       1 nestedcontrollermanager_controller.go:108] controllers/controlplane/NestedControllerManager "msg"="fail to create NestedControllerManager StatefulSet" "error"="fail to generate the Statefulset object: fail to fetch the default template for the NestedControllerManager StatefulSet: open /component-templates/nested-controllermanager/nested-controllermanager-statefulset-template.yaml: permission denied" "nestedcontrollermanager"={"Namespace":"default","Name":"nestedcontrollermanager-sample"}
E0802 08:04:44.439430       1 controller.go:304] controller-runtime/manager/controller/nestedcontrollermanager "msg"="Reconciler error" "error"="fail to generate the Statefulset object: fail to fetch the default template for the NestedControllerManager StatefulSet: open /component-templates/nested-controllermanager/nested-controllermanager-statefulset-template.yaml: permission denied" "name"="nestedcontrollermanager-sample" "namespace"="default" "reconciler group"="controlplane.cluster.x-k8s.io" "reconciler kind"="NestedControllerManager"
I0802 08:04:46.479415       1 nestedapiserver_controller.go:54] controllers/controlplane/NestedAPIServer "msg"="Reconciling NestedAPIServer..." "nestedapiserver"={"Namespace":"default","Name":"nestedapiserver-sample"}
I0802 08:04:46.479568       1 nestedapiserver_controller.go:59] controllers/controlplane/NestedAPIServer "msg"="creating NestedAPIServer" "nestedapiserver"={"Namespace":"default","Name":"nestedapiserver-sample"} "name"="nestedapiserver-sample" "namespace"="default"
E0802 08:04:59.336897       1 nestedapiserver_controller.go:117] controllers/controlplane/NestedAPIServer "msg"="fail to create NestedAPIServer StatefulSet" "error"="fail to generate the Statefulset object: fail to fetch the default template for the NestedAPIServer StatefulSet: open /component-templates/nested-apiserver/nested-apiserver-statefulset-template.yaml: permission denied" "nestedapiserver"={"Namespace":"default","Name":"nestedapiserver-sample"}
E0802 08:04:59.336993       1 controller.go:304] controller-runtime/manager/controller/nestedapiserver "msg"="Reconciler error" "error"="fail to generate the Statefulset object: fail to fetch the default template for the NestedAPIServer StatefulSet: open /component-templates/nested-apiserver/nested-apiserver-statefulset-template.yaml: permission denied" "name"="nestedapiserver-sample" "namespace"="default" "reconciler group"="controlplane.cluster.x-k8s.io" "reconciler kind"="NestedAPIServer"

What did you expect to happen:

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

  • cluster-api-provider-nested version:
  • Minikube/KIND version:
  • Kubernetes version: (use kubectl version):
  • OS (e.g. from /etc/os-release):

/kind bug
[One or more /area label. See https://github.com/kubernetes-sigs/cluster-api-provider-nested/labels?q=area for the list of labels]

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Aug 2, 2021
@jichenjc
Contributor Author

jichenjc commented Aug 3, 2021

Dockerfile updated to

#FROM gcr.io/distroless/static:nonroot
FROM alpine:latest

# USER 65532:65532

can solve the problem, not sure why it suddenly started to have the issue

@jichenjc
Contributor Author

jichenjc commented Aug 3, 2021

COPY controlplane/nested/component-templates/ ./component-templates/
USER 65532:65532
ENTRYPOINT ["/manager"]

seems copying the folder doesn't set the permission in my env

@jichenjc
Contributor Author

jichenjc commented Aug 4, 2021

I tried to give r to the folder we copied but faced the issue that
gcr.io/distroless/static:nonroot doesn't have a chmod utility.

@jichenjc
Contributor Author

jichenjc commented Aug 5, 2021

I used gcr.io/distroless/static:debug as base image (instead of nonroot)
and found
/ $ ls -lh component-templates/
total 12K
drwx------ 2 root root 4.0K Aug 4 01:43 nested-apiserver
drwx------ 2 root root 4.0K Aug 4 01:43 nested-controllermanager
drwx------ 2 root root 4.0K Aug 4 01:43 nested-etcd

@jichenjc
Contributor Author

jichenjc commented Aug 6, 2021

It turns out that if we copy the files to /, they become owned by root with 600 mode, so the 65532 user (nonroot user) is not able to access the folder; not sure what happened though.

So I think it is better to copy the files to /home/nonroot, so that a container running with ID 65532 should be able to see the /home/nonroot data in any case.
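
Added example, not from the issue thread or the project: a pre-build check for the failure mode seen above, where `COPY` (which creates root-owned files and keeps the build context's mode bits) ships directories that UID 65532 cannot traverse. The function names and the `template.yaml` file name are assumptions, and the sample tree is constructed to mirror the `ls -lh` listing.

```shell
#!/bin/sh
# Added example: audit a Docker build context for paths that a non-root
# container user could not read once COPY has made them root-owned.

# Print every path under $1 that "other" cannot use:
# directories missing o+r or o+x, regular files missing o+r.
unreadable_for_other() {
    find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \)
}

# Count offending paths; 0 means the tree is safe to COPY as root-owned.
count_unreadable_for_other() {
    unreadable_for_other "$1" | wc -l | tr -d ' '
}

# Constructed sample tree mirroring the listing in the issue:
# three template directories created with mode 0700.
make_sample_context() {
    ctx=$(mktemp -d) || return 1
    for d in nested-apiserver nested-controllermanager nested-etcd; do
        mkdir -p "$ctx/component-templates/$d"
        # template.yaml is a placeholder file name (assumption).
        : > "$ctx/component-templates/$d/template.yaml"
        chmod 644 "$ctx/component-templates/$d/template.yaml"
        chmod 700 "$ctx/component-templates/$d"
    done
    chmod 755 "$ctx" "$ctx/component-templates"
    echo "$ctx"
}

# Normalise modes the way a pre-build step could: dirs 0755, files 0644.
fix_context_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Stand-alone use: pass a build-context directory to list offending paths.
if [ "${1:-}" != "" ]; then
    unreadable_for_other "$1"
fi
```

Running the check before `docker build`, or using `COPY --chown=65532:65532` so the nonroot user owns the copied files, removes the dependence on whatever modes the checkout happens to have.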

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 4, 2021
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 4, 2021
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-ci-robot
Contributor

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
