
`Restricted` (minimal) RBAC permission cannot `watch` and `list` secrets in Keda namespace in Keda-operator

Open · mrkiani98 opened this issue 1 year ago · 1 comment

Hi there,

We are currently using the Keda chart v2.13.2 and everything works perfectly. After we upgraded to v2.14.2 we are getting the following error in the component Keda-operator:

E0521 18:16:46.425051       1 reflector.go:147] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
W0521 18:16:50.015001       1 reflector.go:535] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"

Expected Behavior

The Keda-operator would be up and running.

Actual Behavior

The Keda-operator is crashing.

Steps to Reproduce the Problem

  1. Using v2.14.2 of the helm chart
  2. Put the following in the values:
permissions:
  metricServer:
    restrict:
      secret: true
  operator:
    restrict:
      secret: true

Specifications

  • KEDA Version: v2.14 (Keda helm chart v2.14.2)
  • Platform & Version: EKS v1.29
  • Kubernetes Version: v1.29

mrkiani98 · May 21 '24 18:05

We started seeing that issue as well after upgrading to v2.14.2 (from v2.13.2).

We are using watchNamespace to restrict keda to a single application namespace that contains the ScaledObject resources. As a "workaround" we adjusted that setting to also include the keda namespace - this way the keda-operator service account gets permission to list secrets in the keda namespace.

# Before
watchNamespace: "my-application"

# Workaround
watchNamespace: "my-application,keda"

But we are not setting permissions.operator.restrict.secret - we are using the default value false:

permissions:
  metricServer:
    restrict:
      secret: false
  operator:
    restrict:
      secret: false
      namesAllowList: []

Maybe some default permissions are missing that would resolve both scenarios?

malmor · May 24 '24 14:05
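As an added example (not code from the issue or from the KEDA chart), the POSIX shell snippet below turns the forbidden line quoted in the issue into the exact `kubectl auth can-i` check to run, and renders a Role/RoleBinding that grants only get/list/watch on secrets in that one namespace, a narrower alternative to widening watchNamespace; the Role and binding names are assumptions.

```shell
# Constructed sample: the forbidden line from the keda-operator log quoted in the issue.
SAMPLE_LOG='E0521 18:16:46.425051       1 reflector.go:147] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"'

# Pull "<sa-namespace> <sa-name> <verb> <resource> <namespace>" out of a client-go forbidden line.
parse_forbidden() {
  printf '%s\n' "$1" | sed -n \
    's/.*User "system:serviceaccount:\([^:"]*\):\([^"]*\)" cannot \([a-z]*\) resource "\([^"]*\)" in API group "[^"]*" in the namespace "\([^"]*\)".*/\1 \2 \3 \4 \5/p'
}

# The kubectl check to run against the cluster (printed here, not executed).
can_i_cmd() {
  printf 'kubectl auth can-i %s %s --as=system:serviceaccount:%s:%s -n %s\n' "$3" "$4" "$1" "$2" "$5"
}

# Namespaced Role + RoleBinding granting only get/list/watch on secrets in one namespace:
# the least-privilege alternative to widening watchNamespace. Object names are assumptions.
render_secret_reader_role() {
  sa_ns=$1; sa_name=$2; ns=$3
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: ${sa_name}-secret-reader, namespace: ${ns}}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: ${sa_name}-secret-reader, namespace: ${ns}}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: ${sa_name}-secret-reader}
subjects:
  - {kind: ServiceAccount, name: ${sa_name}, namespace: ${sa_ns}}
EOF
}

# Walk the sample line through: print the check first, then the manifest to apply if it answers "no".
demo() {
  set -- $(parse_forbidden "$SAMPLE_LOG")
  can_i_cmd "$@"
  render_secret_reader_role "$1" "$2" "$5"
}
demo
```

Pipe the manifest into `kubectl apply -f -` only after the can-i check confirms the permission is really missing.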