Running Juju charms on K3s asks for `juju trust`

I’ve been running Juju charms on MicroK8s without problems so far.

I wanted to test another minimal Kubernetes distribution for development and settled on K3s, which seems popular and lightweight. Everything mostly works, except for this:

```
unit-mysql-k8s-2: 09:27:15 ERROR unit.mysql-k8s/2.juju-log database:5: Kubernetes service creation failed: `juju trust` needed
unit-mysql-k8s-2: 09:27:15 ERROR unit.mysql-k8s/2.juju-log database:5: Kubernetes service creation failed: services is forbidden: User "system:serviceaccount:jubilant-62f41b83:mysql-k8s" cannot create resource "services" in API group "" in the namespace "jubilant-62f41b83"
Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-mysql-k8s-2/charm/venv/lib/python3.10/site-packages/lightkube/core/generic_client.py", line 235, in raise_for_status
    resp.raise_for_status()
  File "/var/lib/juju/agents/unit-mysql-k8s-2/charm/venv/lib/python3.10/site-packages/httpx/_models.py", line 761, in raise_for_status
    raise HTTPStatusError(message, request=request, response=self)
httpx.HTTPStatusError: Client error '403 Forbidden' for url 'https://10.43.0.1/api/v1/namespaces/jubilant-62f41b83/services'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-mysql-k8s-2/charm/src/k8s_helpers.py", line 85, in create_endpoint_services
    self.client.create(service)
  File "/var/lib/juju/agents/unit-mysql-k8s-2/charm/venv/lib/python3.10/site-packages/lightkube/core/client.py", line 552, in create
    return self._client.request(
  File "/var/lib/juju/agents/unit-mysql-k8s-2/charm/venv/lib/python3.10/site-packages/lightkube/core/generic_client.py", line 311, in request
    return self.handle_response(method, resp, br)
  File "/var/lib/juju/agents/unit-mysql-k8s-2/charm/venv/lib/python3.10/site-packages/lightkube/core/generic_client.py", line 251, in handle_response
    self.raise_for_status(resp)
  File "/var/lib/juju/agents/unit-mysql-k8s-2/charm/venv/lib/python3.10/site-packages/lightkube/core/generic_client.py", line 237, in raise_for_status
    raise transform_exception(e)
lightkube.core.exceptions.ApiError: services is forbidden: User "system:serviceaccount:jubilant-62f41b83:mysql-k8s" cannot create resource "services" in API group "" in the namespace "jubilant-62f41b83"
```

This is easily fixed by doing `juju trust mysql-k8s`. However, I’d like to avoid that if possible, so that it can work with no manual intervention, just like with MicroK8s. What should I do?

I think the requirement for `juju trust` may come from the mysql-k8s charm (since it creates Kubernetes services).

I believe you would see the same behavior on microk8s if the rbac addon is enabled.

From the charm developer side, it could be useful to add a status to inform the user that trust is needed (if mysql-k8s does not already have such a status)—e.g. https://canonical-charm-refresh.readthedocs-hosted.com/latest/user-experience/status/#kubernetes-app-not-trusted


Thanks @carlcsaposs!

I just tested on a clean machine, microk8s (classic, not strict), and rbac add-on enabled, and indeed I get errors until I do `juju trust mysql-k8s --scope=cluster`. So there’s nothing special about k3s here.
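Added example, not part of the original thread: a small Python triage helper that pulls the RBAC denials out of a charm log like the one in the question and builds the matching `kubectl auth can-i` check for each, so you can see exactly which permission the workload's service account is missing before and after `juju trust`. The function names and the sample log are constructed for illustration; the cluster-scoped `nodes` line is not from the thread.

```python
import re

# Kubernetes RBAC denial text as it appears in the charm log quoted in this thread.
DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<ns>[^"]+)")?'
)


def find_denials(log_text):
    """Unique denials: (sa_namespace, sa, verb, resource, api_group, namespace or None)."""
    seen = set()
    for m in DENIAL.finditer(log_text):
        ns = m.group("ns")
        seen.add((
            m.group("sa_ns"), m.group("sa"), m.group("verb"),
            m.group("resource"), m.group("group"),
            ns.strip() if ns else None,  # tolerate a terminal line wrap inside the quotes
        ))
    return sorted(seen, key=lambda d: tuple(x or "" for x in d))


def can_i_command(denial):
    """Build the `kubectl auth can-i` check that reproduces one denial."""
    sa_ns, sa, verb, resource, group, ns = denial
    target = f"{resource}.{group}" if group else resource
    cmd = ["kubectl", "auth", "can-i", verb, target,
           f"--as=system:serviceaccount:{sa_ns}:{sa}"]
    if ns:  # namespaced denial; cluster-scoped ones carry no namespace
        cmd += ["-n", ns]
    return " ".join(cmd)


# Constructed sample: two lines modelled on the log in this thread (one wrapped
# by the terminal), plus a constructed cluster-scoped denial.
SAMPLE_LOG = '''\
unit-mysql-k8s-2: 09:27:15 ERROR unit.mysql-k8s/2.juju-log database:5: Kubernetes service creation failed: services is forbidden: User "system:serviceaccount:jubilant-62f41b83:mysql-k8s" cannot create resource "services" in API group "" in the namespace "jubilant-62f41b83
"
lightkube.core.exceptions.ApiError: services is forbidden: User "system:serviceaccount:jubilant-62f41b83:mysql-k8s" cannot create resource "services" in API group "" in the namespace "jubilant-62f41b83"
nodes is forbidden: User "system:serviceaccount:jubilant-62f41b83:mysql-k8s" cannot list resource "nodes" in API group "" at the cluster scope
'''

if __name__ == "__main__":
    for d in find_denials(SAMPLE_LOG):
        print(can_i_command(d))
```

Each generated command prints `yes` or `no`, so running it again after `juju trust` confirms the grant took effect.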