This repository was archived by the owner on Apr 24, 2023. It is now read-only.
Operator appears to need cluster scope permissions so can't be in own namespace? #35
Open
Description
I have created a CSV and deployed the operator using that and the roles, service account and role binding in the deploy/ directory. I have deployed it into an OperatorGroup having one namespace in it.
Upon doing that, I see constant errors in the logs, presumably as it looks for the Gitea CRs to act on.
Expected Behavior
Operator deploys without permission problems
Actual Behavior
Operator logs show this as soon as it is deployed.
```
E0206 12:27:37.686923 1 reflector.go:205] github.com/integr8ly/gitea-operator/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126:
Failed to list *v1alpha1.Gitea: giteas.integreatly.org is forbidden:
User "system:serviceaccount:playground:gitea-operator" cannot list giteas.integreatly.org at the cluster scope:
no RBAC policy matched
```
Environment
- Operating system: (E.g RHEL 7.6 )
- OpenShift version:
  ```
  ~$ oc version
  oc v3.11.0+0cbc58b
  kubernetes v1.11.0+d4cacc0
  features: Basic-Auth GSSAPI Kerberos SPNEGO
  Server https://ose.cms.solute.us:8443
  openshift v3.11.154
  kubernetes v1.11.0+d4cacc
  ```
- OLM version: upgraded OpenShift 3.11 to use 0.12.0, functioning well with multiple other operators including our own.
- Project Version/Tag: (E.g release-1.0.1) 06b13cd (tag: v0.0.5)
Steps to reproduce
Create OperatorGroup
```yaml
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: playground
  namespace: playground
spec:
  targetNamespaces:
  - playground
```
Create RBAC requirements
```shell
oc create -f deploy/roles.yaml
oc create -f deploy/role_binding.yaml
oc create -f deploy/service_account.yaml
```
Create CSV in playground namespace
```shell
oc create -f gitea.csv -n playground
```
```yaml
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  annotations:
    capabilities: Basic Install
  name: gitea-operator.v0.0.5
  namespace: placeholder
spec:
  apiservicedefinitions: {}
  customresourcedefinitions:
    owned:
    - kind: Gitea
      name: giteas.integreatly.org
      version: v1alpha1
      displayName: Gitea
      description: Provides one managed Gitea instance per CR, deleted upon deletion of the CR.
  description: An Operator that installs Gitea. Installation is performed by creating a custom resource of kind Gitea. You can uninstall Gitea by removing this resource. The Operator will also watch all Gitea resources and reinstall them if they are deleted.
  displayName: Gitea Operator
  install:
    spec:
      deployments:
      - name: gitea-operator
        spec:
          replicas: 1
          selector:
            matchLabels:
              name: gitea-operator
          strategy: {}
          template:
            metadata:
              labels:
                name: gitea-operator
            spec:
              containers:
              - command:
                - gitea-operator
                env:
                - name: WATCH_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.annotations['olm.targetNamespaces']
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: OPERATOR_NAME
                  value: gitea-operator
                - name: TEMPLATE_PATH
                  value: /usr/local/bin/templates
                image: quay.io/integreatly/gitea-operator:master
                imagePullPolicy: Always
                name: gitea-operator
                ports:
                - containerPort: 60000
                  name: metrics
                resources: {}
              serviceAccountName: gitea-operator
      permissions:
      - rules:
        - apiGroups:
          - ""
          resources:
          - pods
          - services
          - endpoints
          - persistentvolumeclaims
          - events
          - configmaps
          - secrets
          - serviceaccounts
          verbs:
          - '*'
        - apiGroups:
          - apps
          resources:
          - deployments
          - daemonsets
          - replicasets
          - statefulsets
          verbs:
          - '*'
        - apiGroups:
          - monitoring.coreos.com
          resources:
          - servicemonitors
          verbs:
          - get
          - create
        - apiGroups:
          - integreatly.org
          resources:
          - '*'
          verbs:
          - '*'
        - apiGroups:
          - route.openshift.io
          resources:
          - routes
          - routes/custom-host
          verbs:
          - '*'
        - apiGroups:
          - extensions
          resources:
          - ingresses
          verbs:
          - '*'
        serviceAccountName: gitea-operator
    strategy: deployment
  installModes:
  - supported: true
    type: OwnNamespace
  - supported: true
    type: SingleNamespace
  - supported: false
    type: MultiNamespace
  - supported: true
    type: AllNamespaces
  maturity: alpha
  provider: {}
  version: 0.0.5
```
Check out the logs
```shell
oc logs $(oc get pods -l name=gitea-operator -n playground -o=custom-columns="name:.metadata.name" --no-headers)
```
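The denial in the log names the rule's scope, not just its absence: the CSV's `permissions` block is rendered by OLM as a namespace-scoped Role bound in the OperatorGroup's target namespace, while the request being refused is a list of `giteas.integreatly.org` at the cluster scope. The Python below is an added example, not code from this issue or the gitea-operator project: it parses the 1.11-style forbidden message and checks it against a constructed subset of the CSV's `permissions` plus a hypothetical `clusterPermissions` block, so a missing rule can be told apart from a rule declared at the wrong scope.

```python
import re

# Matches the RBAC denial wording that OpenShift 3.11 / Kubernetes 1.11 logs, e.g.
# User "system:serviceaccount:playground:gitea-operator" cannot list giteas.integreatly.org at the cluster scope
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) '
    r'(?P<resource>[a-z0-9-]+)(?:\.(?P<group>[a-z0-9.-]+))? '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

# Constructed subset of the issue's CSV. OLM renders `permissions` as a Role bound in each
# OperatorGroup target namespace and `clusterPermissions` (none declared here) as a ClusterRole.
CSV_PERMISSIONS = [
    {"apiGroups": [""], "resources": ["pods", "services", "secrets"], "verbs": ["*"]},
    {"apiGroups": ["integreatly.org"], "resources": ["*"], "verbs": ["*"]},
]
CSV_CLUSTER_PERMISSIONS = []
TARGET_NAMESPACES = {"playground"}  # from the OperatorGroup in the issue


def rule_matches(rule, group, resource, verb):
    """True when one PolicyRule covers the request; '*' is a wildcard in every list."""
    def allows(allowed, value):
        return "*" in allowed or value in allowed
    return (allows(rule["apiGroups"], group) and allows(rule["resources"], resource)
            and allows(rule["verbs"], verb))


def evaluate(forbidden_line, permissions=CSV_PERMISSIONS,
             cluster_permissions=CSV_CLUSTER_PERMISSIONS, targets=TARGET_NAMESPACES):
    """Classify a forbidden log line: 'allowed: ...', 'scope-mismatch' or 'missing'."""
    m = FORBIDDEN_RE.search(forbidden_line)
    if not m:
        raise ValueError("unrecognised RBAC denial: " + forbidden_line)
    verb, resource = m.group("verb"), m.group("resource")
    group, ns = m.group("group") or "", m.group("ns")  # ns is None for cluster scope
    cluster_rule = any(rule_matches(r, group, resource, verb) for r in cluster_permissions)
    ns_rule = any(rule_matches(r, group, resource, verb) for r in permissions)
    if cluster_rule:                     # a ClusterRole covers any scope
        return "allowed: clusterPermissions"
    if ns is None:                       # cluster-wide list/watch, as in the issue
        return "scope-mismatch" if ns_rule else "missing"
    if ns_rule and ns in targets:        # the Role is only bound in target namespaces
        return "allowed: permissions"
    return "missing"
```

On the issue's log line this returns `scope-mismatch`; the same request passes once an equivalent rule is supplied as `clusterPermissions`, while a list restricted to the `playground` namespace is already covered by `permissions`.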