Failed to list namespaces error when not using cluster-wide mode #1431
Comments
@ediezh could you please provide the deployment that is being used by the operator?
I'm especially interested in the value of the
@jpkrohling here is the deployment.
It does look like a bug to me: the operator shouldn't be looking at all namespaces when it's restricted to one. @rkukura, are you able to take a look at this one?
ping @rkukura, are you able to work on this soon?
FWIW, in addition to the error about listing namespaces, I also got
bumping this as the current operator with create enabled does not install the CR. Setting
Adding this little snippet to the role will fix it:

```yaml
- apiGroups:
  - ''
  resources:
  - namespaces
  verbs:
  - list
  - watch
```
@Morriz will you open a PR about it?
sure
I'm not sure but
don't think so. I saw no more errors without it...
We have this already listed in the cluster role: jaeger-operator/deploy/cluster_role.yaml Lines 191 to 199 in 27a0cd1
Is that not sufficient?
I have a feeling some of the conversation here might be confusing things a bit, since there was a period of time where both modes had some problems on various versions of the Helm chart and operator. The original ticket was about when not running in cluster mode, i.e. when It seemed the operator itself still tried to list namespaces which yielded this error, and which in theory it should not need to do or attempt to do when it was running in single namespace mode, since to do so would require the Indeed the official Helm chart will not create ... using the same value in the chart which controls "single namespace mode" on the Nevertheless, that PR doesn't seem like it'd fix this issue to me since it is touching the
I looked into this to see if I could fix it but it is above my skill level with sigs.k8s.io/controller-runtime. jaeger-operator/pkg/controller/namespace/namespace_controller.go:52 sets up a It would be straightforward to skip watching namespaces if I couldn't figure out how to use Controller.Watch() for anything less than all namespaces. I didn't chase this problem for long because I suspect there is no solution -- I suspect controller-runtime While working on this I noticed that if the Jaeger Operator has permission to list the namespaces it will reconcile ALL the namespaces, not just $WATCH_NAMESPACE. Set the operator to log at trace level, run locally with
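An added example, not code from jaeger-operator or controller-runtime, of the scoping the comment above describes: deriving from WATCH_NAMESPACE whether a cluster-scoped namespace watch is needed at all, and filtering namespace events to the watched set even when broader RBAC is present. The `watchScope` type and its methods are hypothetical, and it assumes the operator-sdk convention that an empty WATCH_NAMESPACE means cluster-wide and that several namespaces are comma-separated.

```go
package main

import (
	"fmt"
	"strings"
)

// watchScope is a hypothetical helper, not part of jaeger-operator or
// controller-runtime. Assumed convention: empty WATCH_NAMESPACE means
// cluster-wide, otherwise it is a comma-separated list of namespaces.
type watchScope struct {
	clusterWide bool
	namespaces  map[string]struct{}
}

func parseWatchScope(env string) watchScope {
	s := watchScope{namespaces: map[string]struct{}{}}
	for _, ns := range strings.Split(env, ",") {
		if ns = strings.TrimSpace(ns); ns != "" {
			s.namespaces[ns] = struct{}{}
		}
	}
	s.clusterWide = len(s.namespaces) == 0
	return s
}

// NeedsNamespaceWatch reports whether a cluster-scoped list/watch on
// Namespace objects (and therefore a ClusterRole) is required at all.
func (s watchScope) NeedsNamespaceWatch() bool { return s.clusterWide }

// ShouldReconcile is the filter for every namespace-keyed event, so that
// extra RBAC never widens the set of namespaces the operator acts on.
func (s watchScope) ShouldReconcile(ns string) bool {
	if s.clusterWide {
		return true
	}
	_, ok := s.namespaces[ns]
	return ok
}

func main() {
	// Constructed sample values; "observability" is the namespace used in this thread.
	for _, env := range []string{"", "observability", "observability, tracing"} {
		s := parseWatchScope(env)
		fmt.Printf("WATCH_NAMESPACE=%q namespaceWatch=%v kube-system=%v observability=%v\n",
			env, s.NeedsNamespaceWatch(), s.ShouldReconcile("kube-system"), s.ShouldReconcile("observability"))
	}
}
```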
I suspect there is an additional problem that needs to be fixed. (This may need its own issue or perhaps it can be part of this issue.) If Jaeger Operator service account has no clusterrolebinding to LIST namespaces, I suspect it will fail to utilize
@ediezh Workaround for the message. The warning should be suppressed if the operator is started with
I am facing the same issue.
hi @s9r-5, what jaeger operator version do you use?
Guys, the same issue.
For some reason operator wants to list deployments in cluster scope but I don't use cluster scope.
I am seeing these errors in my logs, but also maybe the deployments are getting provisioned? I am using jaeger-operator installed from the helm-chart, version 2.49.0. I am using all the defaults in values.yaml and installed into the namespace 'observability' as expected.
Is this repo still active? This issue has been active since April 2021 and it seems it is not getting enough traction. I think it is important for the community to have this issue solved. Jaeger should not be using a cluster-wide role to access namespaces if we explicitly don't want to use this role, and this means also that Jaeger is not following the principle of least privilege.
It is. We will be pleased to review a PR with a solution.
Deployed the operator 1.22 following these instructions
The operator watches only the observability namespace. But I'm seeing these errors in the log: