IBM / ibm-licensing-operator

Operator for IBM License Service

Operator pod fails to watch deployment when not using OLM #459

Open PerDreams opened 3 years ago

PerDreams commented 3 years ago

We've deployed this operator into OpenShift 3.11, which doesn't have Operator Lifecycle Manager (OLM), and using the instructions on this page (https://github.com/IBM/ibm-licensing-operator/blob/v1.7.0/docs/Content/Install_without_OLM.md) the operator pod fails to start with the following error:

```
E0825 03:18:28.082831 1 reflector.go:127] pkg/mod/k8s.io/client-go@v0.19.4/tools/cache/reflector.go:156: Failed to watch *v1.Deployment: failed to list *v1.Deployment: deployments.apps is forbidden: User "system:serviceaccount:ibm-common-services:ibm-licensing-operator" cannot list deployments.apps at the cluster scope: no RBAC policy matched
```

This is due to the operator deployment setting the `WATCH_NAMESPACE` environment variable to `metadata.annotations['olm.targetNamespaces']`. This causes the operator pod to try to start watching all namespaces, but it doesn't have the required cluster roles. The workaround for us is to set the `WATCH_NAMESPACE` env variable to `metadata.namespace`.
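
Added example, not part of the original issue or the project's code: a small audit that resolves the `WATCH_NAMESPACE` field reference described above against pod metadata and flags a cluster-wide watch that has no cluster-scope RBAC behind it. It assumes that a field reference to a missing annotation resolves to an empty string and that an empty `WATCH_NAMESPACE` means "watch all namespaces"; the sample env entries, pod metadata and function names are constructed for illustration.

```python
import re

# Constructed sample: the env entry as the issue describes it, and pod
# metadata as it looks without OLM (no olm.targetNamespaces annotation).
POD_META = {"namespace": "ibm-common-services", "annotations": {}}
ENV_OLM = {"name": "WATCH_NAMESPACE", "valueFrom": {"fieldRef": {
    "fieldPath": "metadata.annotations['olm.targetNamespaces']"}}}
ENV_WORKAROUND = {"name": "WATCH_NAMESPACE", "valueFrom": {"fieldRef": {
    "fieldPath": "metadata.namespace"}}}


def resolve_field_ref(field_path, pod_meta):
    """Resolve the two fieldPath forms discussed in the issue.
    Assumption: a missing annotation resolves to an empty string."""
    m = re.fullmatch(r"metadata\.annotations\['([^']+)'\]", field_path)
    if m:
        return pod_meta.get("annotations", {}).get(m.group(1), "")
    if field_path == "metadata.namespace":
        return pod_meta["namespace"]
    raise ValueError(f"unsupported fieldPath: {field_path}")


def watch_scope(env_entry, pod_meta):
    """Return ('cluster', []) when WATCH_NAMESPACE resolves to empty
    (assumed to mean all namespaces), else ('namespaced', [namespaces])."""
    if "value" in env_entry:
        value = env_entry["value"]
    else:
        path = env_entry["valueFrom"]["fieldRef"]["fieldPath"]
        value = resolve_field_ref(path, pod_meta)
    namespaces = [ns.strip() for ns in value.split(",") if ns.strip()]
    return ("cluster", []) if not namespaces else ("namespaced", namespaces)


def audit(env_entry, pod_meta, has_cluster_role):
    """Flag the mismatch behind the error: cluster-wide watch, no cluster RBAC."""
    scope, namespaces = watch_scope(env_entry, pod_meta)
    if scope == "cluster" and not has_cluster_role:
        return "MISMATCH: watches all namespaces without cluster-scope list/watch"
    return f"OK: scope={scope} namespaces={namespaces}"


if __name__ == "__main__":
    print(audit(ENV_OLM, POD_META, has_cluster_role=False))
    print(audit(ENV_WORKAROUND, POD_META, has_cluster_role=False))
```

Scoping the watch to the operator's own namespace keeps the service account on a namespaced Role, which is the least-privilege outcome of the workaround.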

mccarthynj commented 2 years ago

We are seeing a similar issue where the operator expects to have cluster-level rights to deployments, pods, etc., but they have not been granted to the clusterrole created in role.yaml. My question would be, what rights need to be granted?

pgodowski commented 2 years ago

Please open an IBM Support ticket to have the issue resolved.