RBAC file needs to sync with operator #250
Comments
I just moved a comment from an issue from the jaeger-operator to here. The text above was written by @majidazimi, I claim no credit for it :-) I believe that the problem might be that the Helm Charts need to synchronize with the cluster_role.yaml we have in the operator.
Let me update the chart and send a pull request.
@jpkrohling I made it look exactly like upstream (including specific verbs). Also pod security policy part at the end is preserved. Is it sufficient? What chart version should I choose to bump? Maybe 2.22.0?
I think this is possibly duplicated by #241? This seems also to be complicated by jaegertracing/jaeger-operator#1431 which seems to mean the chart in its current form is impossible to get working with either Would be great to get a fix merged. What help do we need here?
Could you guys merge this into the chart?
Sadly this issue still persists with the latest version of the jaeger-operator chart
@mattcopas I just updated yesterday and everything seems to work. The role that is generated has the following which solves the issue:

```yaml
## Extra permissions
## This is an extra set of permissions that the Jaeger Operator might make use of if granted
## needed if support for injecting sidecars based on namespace annotation is required
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - 'get'
  - 'list'
  - 'watch'
## needed if support for injecting sidecars based on deployment annotation is required, across all namespaces
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - patch
  - update
  - watch
```
@mattcopas are you using the ClusterRole? You can get the same error with the individual namespace/Role model, I believe because the operator tries to access cluster-wide resources it doesn't have access to when operating in that mode.
@chadlwilson Apologies, the error I'm seeing is in our application. I tried deploying a version of hotrod in a different namespace to the jaeger operator and things are working fine! :)
The PR is merged and the issue is resolved. I think we can close this ticket.
Can we double-check that this is truly fixed? This is still being reported, here's my comment in another open issue:
The issue still exists in latest version. I'm using chart 2.21.1 with image 1.22.1, I've set the following options:
But I still see this log message:
E0525 08:30:16.437023 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:jaeger-operator:jaeger-operator" cannot list resource "namespaces" in API group "" at the cluster scope
But when I add namespaces to api groups "", everything works. This is the role that helm has generated:
Originally posted by @majidazimi in jaegertracing/jaeger-operator#931 (comment)
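
The following is an added example, not code from this thread, the chart or the operator. It parses the API server denial quoted in the issue and classifies it against the rules bound to the service account, separating the two causes discussed above: a rule missing from the generated role, and a rule that exists but is bound with a namespaced RoleBinding. The function names and result labels are hypothetical, and subresources and resourceNames are not modelled.

```python
import re

# Constructed sample: the denial quoted in this issue, without the klog prefix.
SAMPLE_LOG = (
    'Failed to list *v1.Namespace: namespaces is forbidden: User '
    '"system:serviceaccount:jaeger-operator:jaeger-operator" cannot list '
    'resource "namespaces" in API group "" at the cluster scope'
)
# The namespaces rule quoted in the thread, as a Python dict.
NAMESPACE_RULE = {"apiGroups": [""], "resources": ["namespaces"],
                  "verbs": ["get", "list", "watch"]}

FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

def parse_denial(line):
    """Return the denied request as a dict, or None if the line is not an RBAC denial."""
    m = FORBIDDEN.search(line)
    if m is None:
        return None
    denial = m.groupdict()
    denial["cluster_scoped"] = denial["namespace"] is None
    return denial

def rule_allows(rule, denial):
    """Match one RBAC rule; subresources and resourceNames are not modelled."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), denial["group"])
            and hit(rule.get("resources", []), denial["resource"])
            and hit(rule.get("verbs", []), denial["verb"]))

def diagnose(denial, binding_kind, rules):
    """Classify a denial against the rules bound to the service account."""
    if not any(rule_allows(r, denial) for r in rules):
        return "missing-rule"
    # A RoleBinding grants access only inside its own namespace, so it can
    # never satisfy a request made at the cluster scope.
    if denial["cluster_scoped"] and binding_kind != "ClusterRoleBinding":
        return "wrong-scope"
    return "allowed"

if __name__ == "__main__":
    d = parse_denial(SAMPLE_LOG)
    for kind, rules in [("ClusterRoleBinding", []), ("RoleBinding", [NAMESPACE_RULE]),
                        ("ClusterRoleBinding", [NAMESPACE_RULE])]:
        print(kind, len(rules), diagnose(d, kind, rules))
```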