[helm/nats-operator] nats-operator appears unable to do an operation that RBAC allows it to do
Hello:
Following the same process as #160 outlines, I appear to be unable to list namespaces even though the RBAC specifically allows it. I'm running with clusterScoped: false and everything is in the same nats-io namespace.
time="2020-11-18T13:55:48Z" level=info msg="nats-operator Version: 0.7.4"
time="2020-11-18T13:55:48Z" level=info msg="Git SHA: b96068c"
time="2020-11-18T13:55:48Z" level=info msg="Go Version: go1.15.1"
time="2020-11-18T13:55:48Z" level=info msg="Go OS/Arch: linux/amd64"
time="2020-11-18T13:55:48Z" level=info msg="nats-operator is operating at the namespace scope in the \"nats-io\" namespace"
time="2020-11-18T13:56:05Z" level=info msg="Event(v1.ObjectReference{Kind:\"Endpoints\", Namespace:\"nats-io\", Name:\"nats-operator\", UID:\"9bcb3cdf-1545-42b2-beff-131778e7d117\", APIVersion:\"v1\", ResourceVersion:\"58023216\", FieldPath:\"\"}): type: 'Normal' reason: 'LeaderElection' nats-operator-in-cluster-nats-operator-7fb79bdcb5-t4v4g became leader"
time="2020-11-18T13:56:05Z" level=info msg="started workers" pkg=controller
E1118 13:56:05.972655 1 generic.go:108] error syncing "nats-io/nats-cluster": failed to create config secret: namespaces is forbidden: User "system:serviceaccount:nats-io:nats-operator" cannot list resource "namespaces" in API group "" at the cluster scope
The code that appears to allow this is here, but "at the cluster scope" seems to indicate that the RBAC needs more permissions or some other misconfiguration is happening. Any ideas?
Hey @jyaworski, I'm encountering the exact same issue, tried it with both cluster.create=true and through manifests.
Did you manage to work around this in the end?
@hpdobrica I did. I did the following, using a separate manifest to make the cluster:
cluster:
  # done separately
  create: false
  namespace: nats-io
clusterScoped: true
It looks like the operator assumes it has ClusterRole even when clusterScoped is set to false.
Thanks a lot for taking the time to respond, it worked like a charm!
Closing due to age of issue; if experiencing in current versions please open a new issue.
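
A simplified model of how Kubernetes RBAC scopes requests, added here as an illustration and not taken from the issue or from nats-operator: rules bound through a namespaced RoleBinding never apply to a cluster-scope request such as listing namespaces, which is the shape of the error in the first post. It assumes the operator's rules were bound with a RoleBinding in nats-io; the rule set and the `Rule`, `Binding` and `authorize` names are constructed for this example.

```python
# Simplified model of Kubernetes RBAC scoping (added example, not the real authorizer).
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple

    def allows(self, group, resource, verb):
        return (("*" in self.api_groups or group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))

@dataclass(frozen=True)
class Binding:
    subject: str
    rules: tuple
    namespace: str = ""  # "" = ClusterRoleBinding, otherwise a RoleBinding in that namespace

def authorize(bindings, subject, verb, resource, group="", namespace=""):
    """namespace="" means a cluster-scope request, e.g. listing namespaces."""
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding only applies to requests made inside its own namespace,
        # so it can never satisfy a cluster-scope request.
        if b.namespace and b.namespace != namespace:
            continue
        if any(r.allows(group, resource, verb) for r in b.rules):
            return True
    return False

SA = "system:serviceaccount:nats-io:nats-operator"
# Constructed rules (assumption): the operator may list namespaces and manage secrets.
RULES = (Rule(("",), ("namespaces", "secrets"), ("get", "list", "create")),)
NAMESPACED = [Binding(SA, RULES, namespace="nats-io")]  # Role + RoleBinding
CLUSTER = [Binding(SA, RULES)]                          # ClusterRole + ClusterRoleBinding

def demo():
    return {
        "role_list_namespaces": authorize(NAMESPACED, SA, "list", "namespaces"),
        "role_create_secret": authorize(NAMESPACED, SA, "create", "secrets", namespace="nats-io"),
        "clusterrole_list_namespaces": authorize(CLUSTER, SA, "list", "namespaces"),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

On a live cluster the same question can be asked with `kubectl auth can-i list namespaces --as=system:serviceaccount:nats-io:nats-operator`.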