Kong / charts

Helm chart for Kong
Apache License 2.0

Kubernetes Ingress Controller upgrade issue #1046

Closed Anupam5972 closed 3 months ago

Anupam5972 commented 3 months ago

I am trying to update the kong-ingress-controller version in my Kong deployment. During the update I am facing some errors; these are the logs I am getting:

W0401 06:24:15.821179       1 reflector.go:535] pkg/mod/k8s.io/client-go@v0.28.2/tools/cache/reflector.go:229: failed to list *v1.CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:edison-core:eis-kong" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
E0401 06:24:15.821262       1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.28.2/tools/cache/reflector.go:229: Failed to watch *v1.CustomResourceDefinition: failed to list *v1.CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:edison-core:eis-kong" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

rainest commented 3 months ago

We list CRDs to check if we need to enable some very old legacy behavior when needed. Setting ingressController.installCRDs=false disables this lookup if your install user does not have permissions to list CRDs. Not sure why you'd only see that error during an upgrade (it should also happen during initial install), but it's possible your permissions changed or you're using a different user.

Almost all installations (anything that began on chart 2.0 or later) can safely disable this check, but you can double-check if you need the legacy behavior. If a meta.helm.sh/release-name annotation is present on your CRDs (kubectl get crd kongplugins.configuration.konghq.com -oyaml | grep -c release-name will return 1 if it is and 0 if it is not) you'll instead set ingressController.installCRDs=true.
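
The two checks discussed in this thread as a script, added here as an example and not part of the issue or the Kong chart: it turns the RBAC denial from the log into the `kubectl auth can-i` command that re-tests the same permission, and applies the annotation rule above to CRD YAML. The function names and the sample CRD metadata (including the release name `kong`) are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Constructed sample: the message part of the denial shown in the issue.
SAMPLE_LOG='failed to list *v1.CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:edison-core:eis-kong" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope'

# Constructed samples: CRD metadata with and without the Helm release annotation.
HELM_MANAGED_CRD='metadata:
  annotations:
    meta.helm.sh/release-name: kong
  name: kongplugins.configuration.konghq.com'
UNMANAGED_CRD='metadata:
  annotations: {}
  name: kongplugins.configuration.konghq.com'

# Turn a client-go "is forbidden" log line into the kubectl command that
# re-tests the same verb/resource for the same service account.
# Prints nothing for lines that are not service-account RBAC denials.
can_i_from_log() {
  printf '%s\n' "$1" | sed -n \
    -e 's/.*User "\(system:serviceaccount:[^"]*\)" cannot \([a-z]*\) resource "\([^"]*\)" in API group "\([^"]*\)".*/kubectl auth can-i \2 \3.\4 --as=\1/' \
    -e 's/\. --as=/ --as=/' \
    -e '/^kubectl /p'
  # The second expression drops the trailing dot left by the core ("") API group.
}

# Apply the rule from the thread to CRD YAML read on stdin, for example:
#   kubectl get crd kongplugins.configuration.konghq.com -oyaml | install_crds_value
# Prints the value to use for ingressController.installCRDs.
install_crds_value() {
  if grep -q 'meta\.helm\.sh/release-name'; then
    echo true    # CRD is owned by a Helm release: keep the legacy behavior
  else
    echo false   # no release annotation: the CRD lookup can be disabled
  fi
}

echo "Re-test the denied permission with:"
can_i_from_log "$SAMPLE_LOG"
echo "installCRDs for Helm-managed CRD: $(printf '%s\n' "$HELM_MANAGED_CRD" | install_crds_value)"
echo "installCRDs for unmanaged CRD:    $(printf '%s\n' "$UNMANAGED_CRD" | install_crds_value)"
```

Running the printed `kubectl auth can-i` command requires an identity that is allowed to impersonate the service account.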