OperatorHub install forbidden: User "system:serviceaccount:operators:redis-operator"

[haliliceylan]

What version of redis operator are you using?

I0914 23:45:09.633058       1 request.go:665] Waited for 1.042501113s due to client-side throttling, not priority and fairness, request: GET:https://10.233.0.1:443/apis/rabbitmq.com/v1alpha1?timeout=32s
{"level":"info","ts":1694735110.5423458,"logger":"controller-runtime.metrics","msg":"Metrics server is starting to listen","addr":":8080"}
{"level":"info","ts":1694735110.5429115,"logger":"setup","msg":"starting manager"}
{"level":"info","ts":1694735110.543425,"msg":"Starting server","path":"/metrics","kind":"metrics","addr":"[::]:8080"}
{"level":"info","ts":1694735110.5434537,"msg":"Starting server","kind":"health probe","addr":"[::]:8081"}
I0914 23:45:10.543527       1 leaderelection.go:248] attempting to acquire leader lease operators/6cab913b.redis.opstreelabs.in...
I0914 23:45:27.905378       1 leaderelection.go:258] successfully acquired lease operators/6cab913b.redis.opstreelabs.in
{"level":"info","ts":1694735127.905758,"logger":"controller.redisreplication","msg":"Starting EventSource","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"RedisReplication","source":"kind source: *v1beta1.RedisReplication"}
{"level":"info","ts":1694735127.9057643,"logger":"controller.redis","msg":"Starting EventSource","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"Redis","source":"kind source: *v1beta1.Redis"}
{"level":"info","ts":1694735127.9059448,"logger":"controller.redis","msg":"Starting Controller","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"Redis"}
{"level":"info","ts":1694735127.9059248,"logger":"controller.redisreplication","msg":"Starting Controller","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"RedisReplication"}
{"level":"info","ts":1694735127.905845,"logger":"controller.redissentinel","msg":"Starting EventSource","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"RedisSentinel","source":"kind source: *v1beta1.RedisSentinel"}
{"level":"info","ts":1694735127.9060693,"logger":"controller.rediscluster","msg":"Starting EventSource","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"RedisCluster","source":"kind source: *v1beta1.RedisCluster"}
{"level":"info","ts":1694735127.9060426,"logger":"controller.redissentinel","msg":"Starting Controller","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"RedisSentinel"}
{"level":"info","ts":1694735127.9061449,"logger":"controller.rediscluster","msg":"Starting Controller","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"RedisCluster"}
W0914 23:45:27.912507       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:27.912410       1 event.go:267] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"6cab913b.redis.opstreelabs.in.1784e89ea72c7975", GenerateName:"", Namespace:"operators", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), DeletionTimestamp:<nil>, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ClusterName:"", ManagedFields:[]v1.ManagedFieldsEntry(nil)}, InvolvedObject:v1.ObjectReference{Kind:"ConfigMap", Namespace:"operators", Name:"6cab913b.redis.opstreelabs.in", UID:"c4d00c00-3ecd-4136-8eb5-bb29633bd02c", APIVersion:"v1", ResourceVersion:"37574", FieldPath:""}, Reason:"LeaderElection", Message:"redis-operator-6c8857856c-r4rp7_d734d517-8d2c-427e-89d4-eea0bc9702e6 became leader", Source:v1.EventSource{Component:"redis-operator-6c8857856c-r4rp7_d734d517-8d2c-427e-89d4-eea0bc9702e6", Host:""}, FirstTimestamp:time.Date(2023, time.September, 14, 23, 45, 27, 905335669, time.Local), LastTimestamp:time.Date(2023, time.September, 14, 23, 45, 27, 905335669, time.Local), Count:1, Type:"Normal", EventTime:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:operators:redis-operator" cannot create resource "events" in API group "" in the namespace "operators"' (will not retry!)
E0914 23:45:27.912616       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:27.912877       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:27.912916       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisSentinel: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:27.918988       1 event.go:267] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"6cab913b.redis.opstreelabs.in.1784e89ea72cc785", GenerateName:"", Namespace:"operators", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), DeletionTimestamp:<nil>, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ClusterName:"", ManagedFields:[]v1.ManagedFieldsEntry(nil)}, InvolvedObject:v1.ObjectReference{Kind:"Lease", Namespace:"operators", Name:"6cab913b.redis.opstreelabs.in", UID:"948b9e3a-f9e6-4af9-a28f-85552183b762", APIVersion:"coordination.k8s.io/v1", ResourceVersion:"37575", FieldPath:""}, Reason:"LeaderElection", Message:"redis-operator-6c8857856c-r4rp7_d734d517-8d2c-427e-89d4-eea0bc9702e6 became leader", Source:v1.EventSource{Component:"redis-operator-6c8857856c-r4rp7_d734d517-8d2c-427e-89d4-eea0bc9702e6", Host:""}, FirstTimestamp:time.Date(2023, time.September, 14, 23, 45, 27, 905355653, time.Local), LastTimestamp:time.Date(2023, time.September, 14, 23, 45, 27, 905355653, time.Local), Count:1, Type:"Normal", EventTime:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:operators:redis-operator" cannot create resource "events" in API group "" in the namespace "operators"' (will not retry!)
W0914 23:45:29.171454       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:29.171492       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:29.249530       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:29.249578       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisSentinel: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:31.361716       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:31.361785       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:31.774802       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:31.774856       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisSentinel: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:35.994622       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:35.994676       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:38.042719       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:38.042764       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisSentinel: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:46.816677       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:46.816721       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisSentinel: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:47.329791       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:47.329838       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:46:05.994253       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:46:05.994294       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisSentinel: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:46:12.293273       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:46:12.293310       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:46:39.202613       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:46:39.202683       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope

redis-operator version: 0.15.0

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (kubectl version)?

kubectl version Output

$ Client Version: v1.27.4
Kustomize Version: v5.0.1
Server Version: v1.27.5

What did you do? I just install from operatorhub with this yaml

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: my-redis-operator
  namespace: operators
spec:
  channel: stable
  name: redis-operator
  source: operatorhubio-catalog
  sourceNamespace: olm

What did you expect to see?

It should run.

What did you see instead?

A lot of errors

[abjklk]

Looks like #526 was not fixed ?

As mentioned in #526 ,

The operator failed to start because the ClusterRole assigned to the ServiceAccount was missing permissions for redissentinels and redisreplications and their respective subresources /finalizers and /status and it is trying to watch those resources. After manually adding the resources and the respective subresources manually it started up as expected.

[Elyytscha]

our prometheus alerted about this, operator is not usable per default via olm

[haliliceylan]

Is there any update regarding this ?