
`clusterScoped` monitor attempts to create ClusterRole and ClusterRoleBinding with namespaced owner

Open matthew-inamdar opened this issue 2 years ago • 0 comments

Bug Report

This issue is the continuation of #5296

What version of Kubernetes are you using?

v1.27.1

What version of TiDB Operator are you using?

v1.4.4

What storage classes exist in the Kubernetes cluster and what are used for PD/TiKV pods?

NAME                 PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
standard (default)   rancher.io/local-path   Delete          WaitForFirstConsumer   false                  16m

What's the status of the TiDB cluster pods?

NAME                                      READY   STATUS    RESTARTS   AGE   IP           NODE           NOMINATED NODE   READINESS GATES
tidb-controller-manager-66b6cbf9b-j6948   1/1     Running   0          15m   10.244.1.4   tilt-worker2   <none>           <none>
tidb-scheduler-64cf64d6cc-bmlfp           2/2     Running   0          15m   10.244.1.5   tilt-worker2   <none>           <none>
tikv-monitor-monitor-0                    4/4     Running   0          14m   10.244.1.6   tilt-worker2   <none>           <none>

What did you do?

Create a TidbMonitor resource with the spec.clusterScoped value set to true.

What did you expect to see?

A ClusterRole and ClusterRoleBinding without a namespaced owner, and some other implementation for cleanup (such as a finalizer).

What did you see instead?

A ClusterRole and ClusterRoleBinding created with the namespaced TidbMonitor resource as an owner, along with the following error logs repeatedly being written:

E0925 11:44:54.670333       1 monitor_manager.go:443] tm[tikv-operator/tikv-monitor]'s clusterrole failed to sync, err: cluster-scoped resource must not have a namespace-scoped owner, owner's namespace tikv-operator
E0925 11:44:54.670924       1 monitor_manager.go:229] tm[tikv-operator/tikv-monitor]'s rbac failed to sync,err: cluster-scoped resource must not have a namespace-scoped owner, owner's namespace tikv-operator
I0925 11:44:54.675508       1 event.go:282] Event(v1.ObjectReference{Kind:"TidbMonitor", Namespace:"tikv-operator", Name:"tikv-monitor", UID:"d55c08eb-3cff-48a4-9e9f-d44c33b979dc", APIVersion:"pingcap.com/v1alpha1", ResourceVersion:"1286", FieldPath:""}): type: 'Warning' reason: 'FailedSync' Sync TidbMonitor[tikv-operator/tikv-monitor] Statefulset failed, err:cluster-scoped resource must not have a namespace-scoped owner, owner's namespace tikv-operator
E0925 11:44:54.676379       1 tidb_monitor_controller.go:92] TidbMonitor: tikv-operator/tikv-monitor, sync failed, err: cluster-scoped resource must not have a namespace-scoped owner, owner's namespace tikv-operator

matthew-inamdar, Sep 25 '23 12:09
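
Added example, not code from tidb-operator or from the issue author: a small Go model of the owner-reference scoping rule named in the error message above, with label-based tracking as one way to keep cluster-scoped RBAC objects attributable to a namespaced owner so a finalizer can delete them. The `Meta` type, the `example.com/owned-by` label key and the ClusterRole name are assumptions made for illustration, and the cross-namespace check goes beyond the case reported here.

```go
package main

import "fmt"

// Meta is a constructed stand-in for object metadata; Namespace "" means cluster-scoped.
type Meta struct {
	Kind, Namespace, Name string
	OwnerRefs             []string
	Labels                map[string]string
}

// ownerLabel is a hypothetical label key chosen for this example only.
const ownerLabel = "example.com/owned-by"

// ValidateOwner applies the owner-reference scoping rule behind the logged error.
func ValidateOwner(owner, obj Meta) error {
	if owner.Namespace != "" && obj.Namespace == "" {
		return fmt.Errorf("cluster-scoped resource must not have a namespace-scoped owner, owner's namespace %s", owner.Namespace)
	}
	if owner.Namespace != "" && owner.Namespace != obj.Namespace {
		return fmt.Errorf("cross-namespace owner references are disallowed, owner's namespace %s", owner.Namespace)
	}
	return nil
}

// Track sets an owner reference when the rule allows it. Otherwise it labels obj
// and returns true: the caller must put a cleanup finalizer on the owner.
func Track(owner Meta, obj *Meta) (needsFinalizer bool) {
	if ValidateOwner(owner, *obj) == nil {
		obj.OwnerRefs = append(obj.OwnerRefs, owner.Kind+"/"+owner.Name)
		return false
	}
	obj.Labels = map[string]string{ownerLabel: owner.Namespace + "." + owner.Name}
	return true
}

// Orphans lists cluster-scoped objects labelled for owner, for the finalizer to delete.
func Orphans(owner Meta, objs []Meta) (out []string) {
	for _, o := range objs {
		if o.Namespace == "" && o.Labels[ownerLabel] == owner.Namespace+"."+owner.Name {
			out = append(out, o.Kind+"/"+o.Name)
		}
	}
	return out
}

func main() {
	tm := Meta{Kind: "TidbMonitor", Namespace: "tikv-operator", Name: "tikv-monitor"}
	fmt.Println(ValidateOwner(tm, Meta{Kind: "ClusterRole", Name: "example-monitor-role"}))
}
```

Without some tracking of this kind, a ClusterRole and ClusterRoleBinding created for a namespaced resource have nothing that removes them when that resource is deleted, so their permissions stay in place.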