RealTheory Collector Logs Contain Unable to get the storage classes Error

Background

RealTheory can provide the most accurate cost analysis for persistent volumes when it can access the storage classes in your Kubernetes environment. If you see the "unable to get the storage classes" error in the RealTheory collector log, you must amend the cluster role in the RealTheory deployment to provide the required access.

Full Error Message Text

unable to get the storage classes from the k8s control plane. Please check RBAC permissions on API group storage.k8s.io.: cannot get the kubernetes storage classes from the K8s master: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:real-theory-system:real-theory-collector" cannot list resource "storageclasses" in API group "storage.k8s.io" at the cluster scope

Solution

To ensure the most accurate cost analysis, you must update the deployment manifest applied to the Kubernetes cluster to provide the required access to the registered storage classes. There are two ways to do this depending on whether you have access to the original manifest or not.

Procedure Using the Original Deployment Manifest

1. Use either of the following commands to check whether the RealTheory collector can access the registered storage classes:

   • kubectl auth can-i get storageclass --as=system:serviceaccount:real-theory-system:real-theory-collector --all-namespaces

   • kubectl auth can-i list storageclass --as=system:serviceaccount:real-theory-system:real-theory-collector --all-namespaces

   The output from the command will be no if the RealTheory collector cannot access the storage classes.

2. Add the following rule to the kind: ClusterRole section of the RealTheory deployment manifest:
   - apiGroups: [storage.k8s.io]
resources: ["*"]
verbs: [get, watch, list]

3. Apply the updated manifest to the cluster:

   apply -f <filename>

   where <filename> is the path to the RealTheory Collector configuration document.

4. Use either of the following commands to verify that the RealTheory collector can now access the storage classes:

   • kubectl auth can-i get storageclass --as=system:serviceaccount:real-theory-system:real-theory-collector --all-namespaces

   • kubectl auth can-i list storageclass --as=system:serviceaccount:real-theory-system:real-theory-collector --all-namespaces

   The output from the command will be yes.

Procedure Using a New Deployment Manifest

1. Use either of the following commands to check whether the RealTheory collector can access the registered storage classes:

   • kubectl auth can-i get storageclass --as=system:serviceaccount:real-theory-system:real-theory-collector --all-namespaces

   • kubectl auth can-i list storageclass --as=system:serviceaccount:real-theory-system:real-theory-collector --all-namespaces

   The output from the command will be no if the RealTheory collector cannot access the storage classes.

2. Log in to RealTheory and navigate to Settings > Agent > Deployment.

3. Customize the deployment manifest using the name, description, labels, and proxy settings previously used for the cluster.

4. Apply the updated manifest to the cluster:

   apply -f <filename>

   where <filename> is the path to the RealTheory Collector configuration document.

5. Use either of the following commands to verify that the RealTheory collector can now access the storage classes:

   • kubectl auth can-i get storageclass --as=system:serviceaccount:real-theory-system:real-theory-collector --all-namespaces

   • kubectl auth can-i list storageclass --as=system:serviceaccount:real-theory-system:real-theory-collector --all-namespaces

   The output from the command will be yes.