
Investigate need for kyma-system and istio-system RoleBindings to klm-manager-role ClusterRole #1613

Closed
4 of 5 tasks
c-pius opened this issue Jun 6, 2024 · 1 comment · Fixed by #1722
Labels: area/quality (Related to all activities around quality), kind/feature (Categorizes issue or PR as related to a new feature)

Comments

c-pius (Contributor) commented Jun 6, 2024

Description

As of now, we have three RoleBindings to the klm-manager-role ClusterRole, for the kcp-system, kyma-system and istio-system namespaces: https://github.com/kyma-project/lifecycle-manager/blob/main/config/rbac/namespace_bindings/role_binding.yaml

While testing the Helm setup, we tried to remove the ones for kyma-system and istio-system, but this leads to errors like:

```
klm-controller-manager-7d846d6545-5hqq9 manager W0605 12:53:04.754801       1 reflector.go:539] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta2.Watcher: watchers.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "watchers" in API group "operator.kyma-project.io" at the cluster scope
klm-controller-manager-7d846d6545-5hqq9 manager E0605 12:53:04.754828       1 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta2.Watcher: failed to list *v1beta2.Watcher: watchers.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "watchers" in API group "operator.kyma-project.io" at the cluster scope
```

Those errors are surprising because KLM should be working in the kcp-system namespace on KCP, and in the kyma-system namespace only on the SKR, which is accessed through the related kubeconfig file.

We need to find out why those bindings are needed and whether the setup can be reduced so that they are no longer required.

Reasons

Keeping RBAC as restricted and clean as possible

Acceptance Criteria

  • Time-boxed research (one day):
    • Check what the current behaviour of KLM is if we remove corresponding RoleBindings
    • Find the reasoning if KLM has errors
    • Propose possible solutions to the team
  • Create Follow-Up issue

Feature Testing

No response

Testing approach

No response

Attachments

No response

@c-pius c-pius added the kind/feature Categorizes issue or PR as related to a new feature. label Jun 6, 2024
@nesmabadr nesmabadr self-assigned this Jul 25, 2024
nesmabadr (Contributor) commented:

The errors shown are specific to the namespaces:

```
Failed to watch *v1beta2.ModuleTemplate: failed to list *v1beta2.ModuleTemplate: moduletemplates.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "moduletemplates" in API group "operator.kyma-project.io" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 W0725 18:54:21.745617       1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list *v1beta2.Kyma: kymas.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "kymas" in API group "operator.kyma-project.io" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 E0725 18:54:21.745979       1 reflector.go:150] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: Failed to watch *v1beta2.Kyma: failed to list *v1beta2.Kyma: kymas.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "kymas" in API group "operator.kyma-project.io" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 W0725 18:54:27.603816       1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 E0725 18:54:27.604167       1 reflector.go:150] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 W0725 18:54:37.570212       1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "istio-system"
```
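
The research step in the acceptance criteria (remove the RoleBindings, see what breaks) produces exactly the kind of log shown in the two comments above. The following script is an added example, not code from the lifecycle-manager project: it parses the `forbidden` messages that client-go reflectors log, groups the denied list/watch calls by scope, and derives the narrowest RBAC binding kind plus the minimal PolicyRules that would satisfy them. The sample log is constructed from shortened copies of the lines quoted in this issue; the function names (`parse_denials`, `binding_kind`, `policy_rules`, `plan`) are this example's own.

```python
import re
from collections import defaultdict

# Matches the authorization-denial text the API server returns (and client-go
# reflectors log) when a list/watch is forbidden. The alternation at the end
# distinguishes namespace-scoped denials from cluster-scoped ones.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)

# Constructed sample log: shortened copies of the reflector lines quoted in
# this issue, with the W/E duplicate for the watchers failure kept on purpose
# and one unrelated line that the parser must ignore.
SAMPLE_LOG = """\
W0605 12:53:04.754801 1 reflector.go:539] failed to list *v1beta2.Watcher: watchers.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "watchers" in API group "operator.kyma-project.io" at the cluster scope
E0605 12:53:04.754828 1 reflector.go:147] Failed to watch *v1beta2.Watcher: failed to list *v1beta2.Watcher: watchers.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "watchers" in API group "operator.kyma-project.io" at the cluster scope
W0725 18:54:21.745617 1 reflector.go:547] failed to list *v1beta2.Kyma: kymas.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "kymas" in API group "operator.kyma-project.io" in the namespace "kyma-system"
W0725 18:54:27.603816 1 reflector.go:547] failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "kyma-system"
W0725 18:54:37.570212 1 reflector.go:547] failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "istio-system"
I0725 18:54:38.000000 1 controller.go:1] unrelated line that must be ignored
"""


def parse_denials(log_text):
    """Group forbidden list/watch errors by scope.

    Returns {scope: {(api_group, resource, verb), ...}} where scope is a
    namespace name or the literal "cluster". Repeated W/E lines for the same
    failure collapse into one entry, so the result is the distinct set of
    permissions the service account was denied.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = FORBIDDEN_RE.search(line)
        if m is None:
            continue
        scope = m.group("namespace") or "cluster"
        denials[scope].add((m.group("group"), m.group("resource"), m.group("verb")))
    return dict(denials)


def binding_kind(scope):
    """Narrowest RBAC binding that can satisfy a denial at this scope.

    A RoleBinding only grants inside its own namespace, so a cluster-scoped
    list (no namespace in the error) can only be satisfied by a
    ClusterRoleBinding. A namespaced denial needs a RoleBinding in exactly
    that namespace; a ClusterRoleBinding would also work but over-grants.
    """
    return "ClusterRoleBinding" if scope == "cluster" else "RoleBinding"


def policy_rules(denied):
    """Turn a set of (group, resource, verb) into minimal PolicyRule dicts.

    Informers list first and then watch, so a denied "list" means "watch"
    will be needed as well; both verbs are emitted for list denials.
    """
    verbs_by_target = defaultdict(set)
    for group, resource, verb in denied:
        verbs_by_target[(group, resource)].add(verb)
        if verb == "list":
            verbs_by_target[(group, resource)].add("watch")
    return [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        for (group, resource), verbs in sorted(verbs_by_target.items())
    ]


def plan(log_text):
    """Per scope: which binding kind and which rules the denials call for."""
    return {
        scope: {"binding": binding_kind(scope), "rules": policy_rules(denied)}
        for scope, denied in parse_denials(log_text).items()
    }


if __name__ == "__main__":
    for scope, entry in sorted(plan(SAMPLE_LOG).items()):
        print(f"{scope}: {entry['binding']}")
        for rule in entry["rules"]:
            print(f"  {rule}")
```

Run against the sample, the output separates the one cluster-scoped informer (watchers) from the namespaced ones (kymas and secrets in kyma-system, secrets in istio-system), which is the split the issue is asking about: a namespaced denial is evidence that some informer in the manager is configured to cache that namespace on the KCP cluster, not on the SKR. The script only sees what the API server denied up to the first failure of each informer, so treat it as input to the investigation rather than as the final role; `kubectl auth can-i --as=system:serviceaccount:kcp-system:klm-controller-manager list kymas.operator.kyma-project.io -n kyma-system` confirms any single case against a live cluster.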

@nesmabadr nesmabadr removed their assignment Jul 29, 2024
@nesmabadr nesmabadr reopened this Aug 1, 2024
@c-pius c-pius assigned nesmabadr and c-pius and unassigned ruanxin Aug 2, 2024
@c-pius c-pius added the area/quality Related to all activities around quality label Sep 3, 2024