
Keda operator cannot access cluster scoped CRDs with rolebindings when using watchNamespaces (Keda operator crashlooping)

Open fouadsemaan opened this issue 1 year ago • 1 comment

A new cluster scoped CRD was created with Keda 2.16.0 which requires a ClusterRoleBinding which exists by default when NOT setting watchNamespaces. However, the ClusterRoleBinding is replaced by an instance of a RoleBinding for each namespace enumerated in the watchNamespaces.

Expected Behavior

Keda is able to access all CRD instances including the latest cluster scoped CRD (ClusterCloudEventSource) whether using watchNamespaces or not.

Actual Behavior

Keda is not able to access ClusterCloudEventSource CRs when enabling watchNamespaces.

Steps to Reproduce the Problem

  1. Install Keda helm chart with a watch namespace: helm install adpe-keda kedacore/keda --namespace keda --version 2.16.0 --set watchNamespace="myNamespace"
  2. Observe Keda operator logs for error related to accessing ClusterCloudEventSource:
     "Unhandled Error" err="sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1alpha1.ClusterCloudEventSource: failed to list *v1alpha1.ClusterCloudEventSource: clustercloudeventsources.eventing.keda.sh is forbidden: User \"system:serviceaccount:keda:keda-operator\" cannot list resource \"clustercloudeventsources\" in API group \"eventing.keda.sh\" at the cluster scope" logger="UnhandledError"
  3. Keda operator crashloops
  4. Error goes away when adding a separate clusterrole/binding to access ClusterCloudEventSource CRs:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: keda-operator-fouad
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: keda-operator-fouad
subjects:
- kind: ServiceAccount
  name: keda-operator
  namespace: keda
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: keda-operator-fouad
rules:
- apiGroups:
  - eventing.keda.sh
  resources:
  - clustercloudeventsources
  - clustercloudeventsources/status
  verbs:
  - get
  - list
  - patch
  - update
  - watch

This is unrelated to the more secure RBAC change and has more to do with not using the ClusterRoleBinding when enabling watchNamespaces.

Specifications

  • KEDA Version: 2.16.0
  • Platform & Version: Please elaborate
  • Kubernetes Version: > 1.27
  • Scaler(s): Please elaborate

fouadsemaan avatar Dec 12 '24 20:12 fouadsemaan
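The root cause above is a Kubernetes RBAC scoping rule: a RoleBinding, even one whose roleRef points at a ClusterRole, only grants access inside its own namespace, so a per-namespace RoleBinding can never authorize a list or watch of a cluster-scoped resource such as clustercloudeventsources. The following is an added example, not code from the KEDA project or from the issue author: a small offline model of that rule, applied to the three situations in the report (no watchNamespace, watchNamespace set, watchNamespace set plus the extra ClusterRole/ClusterRoleBinding). The operator ClusterRole name "keda-operator" and its rule contents are assumptions made for the demonstration; only the workaround manifests mirror what the issue shows.

```python
# Added example (not KEDA project code): a toy model of the RBAC scoping rule
# behind this issue. Manifest names and rule contents are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Subject = Tuple[str, str, Optional[str]]   # (kind, name, namespace)


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]


@dataclass
class Role:                      # models both Role and ClusterRole
    kind: str                    # "Role" | "ClusterRole"
    name: str
    namespace: Optional[str]     # None for a ClusterRole
    rules: List[Rule]


@dataclass
class Binding:                   # models both RoleBinding and ClusterRoleBinding
    kind: str                    # "RoleBinding" | "ClusterRoleBinding"
    namespace: Optional[str]     # None for a ClusterRoleBinding
    role_ref: Tuple[str, str]    # (kind, name) of the referenced role
    subjects: List[Subject]


def rule_allows(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    """A rule matches when group, resource and verb are each listed (or '*')."""
    def listed(allowed, value):
        return "*" in allowed or value in allowed
    return (listed(rule.api_groups, api_group)
            and listed(rule.resources, resource)
            and listed(rule.verbs, verb))


def can_i(roles, bindings, subject, api_group, resource, verb, namespace=None):
    """Return True if `subject` may perform `verb` on `resource`.

    namespace=None means the request is at cluster scope, which is what
    listing a cluster-scoped CRD such as clustercloudeventsources is.
    """
    for b in bindings:
        if subject not in b.subjects:
            continue
        # Scoping rule: a RoleBinding only covers requests inside its own
        # namespace, so it can never satisfy a cluster-scoped request.
        if b.kind == "RoleBinding" and (namespace is None or namespace != b.namespace):
            continue
        for role in roles:
            if (role.kind, role.name) != b.role_ref:
                continue
            # A namespaced Role is only usable from a binding in its namespace.
            if role.kind == "Role" and role.namespace != b.namespace:
                continue
            if any(rule_allows(r, api_group, resource, verb) for r in role.rules):
                return True
    return False


# Constructed fixtures: the operator service account and a ClusterRole (name
# assumed) that lists both the namespaced and the cluster-scoped CRD.
KEDA_SA: Subject = ("ServiceAccount", "keda-operator", "keda")
OPERATOR_ROLE = Role("ClusterRole", "keda-operator", None, [
    Rule(["eventing.keda.sh"],
         ["cloudeventsources", "clustercloudeventsources"],
         ["get", "list", "watch"]),
])
# The workaround from the issue: a separate ClusterRole plus ClusterRoleBinding.
FIX_ROLE = Role("ClusterRole", "keda-operator-fouad", None, [
    Rule(["eventing.keda.sh"],
         ["clustercloudeventsources", "clustercloudeventsources/status"],
         ["get", "list", "patch", "update", "watch"]),
])
FIX_BINDING = Binding("ClusterRoleBinding", None, ("ClusterRole", "keda-operator-fouad"), [KEDA_SA])


def scenario(watch_namespace: Optional[str], with_fix: bool = False):
    """Model the chart's behaviour as described in the issue: a ClusterRoleBinding
    when watchNamespace is unset, otherwise a RoleBinding in the watched namespace.
    Returns what the operator may do for the cluster-scoped and namespaced CRD."""
    roles = [OPERATOR_ROLE]
    if watch_namespace is None:
        bindings = [Binding("ClusterRoleBinding", None, ("ClusterRole", "keda-operator"), [KEDA_SA])]
    else:
        bindings = [Binding("RoleBinding", watch_namespace, ("ClusterRole", "keda-operator"), [KEDA_SA])]
    if with_fix:
        roles.append(FIX_ROLE)
        bindings.append(FIX_BINDING)
    return {
        "list clustercloudeventsources at cluster scope":
            can_i(roles, bindings, KEDA_SA, "eventing.keda.sh", "clustercloudeventsources", "list"),
        "list cloudeventsources in watched namespace":
            can_i(roles, bindings, KEDA_SA, "eventing.keda.sh", "cloudeventsources", "list",
                  namespace=watch_namespace or "myNamespace"),
    }


if __name__ == "__main__":
    print("no watchNamespace:", scenario(None))
    print("watchNamespace=myNamespace:", scenario("myNamespace"))
    print("watchNamespace=myNamespace + fix:", scenario("myNamespace", with_fix=True))
```

On a live cluster the equivalent check is `kubectl auth can-i list clustercloudeventsources.eventing.keda.sh --as=system:serviceaccount:keda:keda-operator`, which answers "no" in the watchNamespace configuration the issue describes and "yes" once a ClusterRoleBinding covering the cluster-scoped CRD exists.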

I think this was fixed in https://github.com/kedacore/charts/pull/714, running v2.17.1 no longer results in the crashloop.

malmor avatar Jun 16 '25 13:06 malmor