
Jaeger Operator Chart missing list permission #241

Open
cfontes opened this issue Apr 29, 2021 · 5 comments

Comments

@cfontes

cfontes commented Apr 29, 2021

Hi,

First, thanks for this. It's super helpful.

But we just had an issue while deploying the operator with this chart, the log message we got was

"pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:observability:jaeger-operator" cannot list resource "namespaces" in API group "" at the cluster scope"

After some investigation it looks like this chart is missing the list permission on some resources. When comparing the Helm Role YAML file to the Jaeger-Operator one there are some differences, and specifically all list permissions are missing.

After applying the Jaeger-Operator file to our cluster, the Jaeger Operator was back to normal and deployed Jaeger and all its dependencies.

@MrAprksn

MrAprksn commented May 4, 2021

Same here.
When installing jaeger-operator with rbac.clusterRole: true, the created ClusterRole is missing the namespaces permission in apiGroups "".

@tirumerla

I'm running into the same issue. Would be great to fix this. As a workaround I have created a custom template with another ClusterRole and ClusterRoleBinding attached to the same service account created with the chart.

@perezjasonr

I'm running into this issue as well, with clusterRole false:

rbac:
  # Specifies whether RBAC resources should be created
  create: true
  clusterRole: false

Even with clusterRole false, it's trying to list namespaces:

Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:observability:jaeger-operator" cannot list resource "namespaces" in API group "" at the cluster scope

But we wanted our Jaeger to be more limited. Is this not allowed? If so, why are we allowed to set this to false?

@perezjasonr

It looks like it made a Role and put namespaces in anyway:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
...
...
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

But I guess my question is: why is it trying to list namespaces if we don't want it to have a ClusterRole? Is confining Jaeger to a namespace not supported anymore?
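The two failure modes in this thread (the chart's ClusterRole lacking the `list` verb in cfontes's report, and a namespaced Role that lists `namespaces` yet still gets "forbidden ... at the cluster scope" in the comment above) can both be diagnosed from the denial line the operator logs. The script below is an added example, not code from the chart or the Jaeger project: it parses the apiserver's forbidden message, then checks candidate Role/ClusterRole manifests (constructed here in the JSON shape `kubectl get -o json` returns) for the verb, resource, API group and scope the request needed. The point it makes for the second case is that listing or watching namespaces is a cluster-scoped request with no namespace attribute, so a namespaced Role can never satisfy it regardless of the verbs it lists; only a ClusterRole (bound with a ClusterRoleBinding) can.

```python
import re
from typing import Optional

# Log line quoted in this issue (the reflector prefix is trimmed).
SAMPLE_LOG = (
    'reflector.go:125: Failed to list *v1.Namespace: namespaces is forbidden: '
    'User "system:serviceaccount:observability:jaeger-operator" cannot list '
    'resource "namespaces" in API group "" at the cluster scope'
)

# The apiserver's RBAC denial wording; the trailing clause tells us the request scope.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:(?P<cluster>at the cluster scope)|in the namespace "(?P<namespace>[^"]+)")'
)


def parse_forbidden(line: str) -> Optional[dict]:
    """Pull user, verb, resource, API group and scope out of a denial line."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "user": d["user"],
        "verb": d["verb"],
        "resource": d["resource"],
        "group": d["group"],
        "namespace": d["namespace"],  # None when the request was cluster-scoped
        "cluster_scope": d["cluster"] is not None,
    }


def _matches(values, wanted) -> bool:
    return "*" in values or wanted in values


def rule_allows(rule: dict, verb: str, resource: str, group: str) -> bool:
    """One PolicyRule grants (verb, resource, group) if every field matches or is a wildcard."""
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def evaluate(role: dict, denial: dict) -> str:
    """Explain why a Role/ClusterRole does or does not satisfy the denied request.

    Returns one of: "allowed", "missing-verb", "wrong-scope", "wrong-namespace".
    """
    rules = role.get("rules") or []
    if not any(rule_allows(r, denial["verb"], denial["resource"], denial["group"]) for r in rules):
        return "missing-verb"
    if role["kind"] == "Role":
        # A Role only applies to requests inside its own namespace. A list/watch of
        # namespaces carries no namespace attribute, so no Role can satisfy it.
        if denial["cluster_scope"]:
            return "wrong-scope"
        if role["metadata"].get("namespace") != denial["namespace"]:
            return "wrong-namespace"
    return "allowed"


# Constructed manifests, trimmed to the fields RBAC evaluation needs.
NAMESPACED_ROLE = {  # what the chart renders with rbac.clusterRole: false
    "kind": "Role", "metadata": {"name": "jaeger-operator", "namespace": "observability"},
    "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]}],
}
CLUSTERROLE_NO_LIST = {  # a ClusterRole that forgot the list verb
    "kind": "ClusterRole", "metadata": {"name": "jaeger-operator"},
    "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "watch"]}],
}
CLUSTERROLE_FIXED = {  # the minimal grant that clears the logged denial
    "kind": "ClusterRole", "metadata": {"name": "jaeger-operator"},
    "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]}],
}


def check_all(log_line: str = SAMPLE_LOG) -> dict:
    """Verdict for each candidate manifest against the denial in the log line."""
    denial = parse_forbidden(log_line)
    if denial is None:
        raise ValueError("not an RBAC denial line")
    candidates = {
        "Role in observability": NAMESPACED_ROLE,
        "ClusterRole without list": CLUSTERROLE_NO_LIST,
        "ClusterRole with list": CLUSTERROLE_FIXED,
    }
    return {name: evaluate(manifest, denial) for name, manifest in candidates.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name}: {verdict}")
```

Running it reports `wrong-scope` for the namespaced Role, `missing-verb` for the ClusterRole without `list`, and `allowed` for the corrected ClusterRole. In a live cluster the same question can be asked directly with `kubectl auth can-i list namespaces --as=system:serviceaccount:observability:jaeger-operator`, which is the quickest way to confirm a chart change actually granted what the operator's informers need and nothing more.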

@sereneshikari

> But I guess my question is: why is it trying to list namespaces if we don't want it to have a ClusterRole? Is confining Jaeger to a namespace not supported anymore?

Hey @perezjasonr, I know it's almost been a year since you last commented here but were you able to figure out the reason for this? I'm running into the same problem with the latest Jaeger operator (1.38.0 at the time of writing)

5 participants