The KongLicense policy rule was incorrectly put into Role instead of the ClusterRole which causes KIC versions which have KongLicense controller enabled (3.1+) to issue errors:
2024-06-11 12:34:02.215 W0611 10:34:02.215528 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.1/tools/cache/reflector.go:229: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
2024-06-11 12:34:02.215 E0611 10:34:02.215585 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.1/tools/cache/reflector.go:229: Failed to watch *v1alpha1.KongLicense: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
2024-06-11 12:34:25.289 W0611 10:34:25.288829 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.1/tools/cache/reflector.go:229: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
2024-06-11 12:34:25.289 E0611 10:34:25.289209 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.1/tools/cache/reflector.go:229: Failed to watch *v1alpha1.KongLicense: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
2024-06-11 12:35:07.165 W0611 10:35:07.165101 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.1/tools/cache/reflector.go:229: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
2024-06-11 12:35:07.165 E0611 10:35:07.165594 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.1/tools/cache/reflector.go:229: Failed to watch *v1alpha1.KongLicense: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
What this PR does / why we need it:
The KongLicense policy rule was incorrectly put into Role instead of the ClusterRole which causes KIC versions which have KongLicense controller enabled (3.1+) to issue errors:
This only came out when used with watchNamespaces because without it the ClusterRole contains both sets of policy rules. And also given the fact that KongLicense is cluster scoped.
Which issue this PR fixes
Fixes #1083
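A triage helper for the kind of denial shown in the log above, as an added example that is not part of this PR or the chart: it groups the API server's "forbidden" messages by subject and resource and reports whether the missing rule belongs in a ClusterRole or a Role. The function names are hypothetical, and the sample log is constructed (two lines abridged from the log above plus one made-up namespaced denial).

```python
import re
from collections import Counter

# Wording of the Kubernetes authorizer denial, as it appears in the reflector
# errors quoted on this page.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

# Constructed sample: first two lines abridged from the page's log, third line
# is an invented namespaced denial for contrast.
SAMPLE_LOG = '''\
W0611 10:34:02.215528 1 reflector.go:539] failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
E0611 10:34:02.215585 1 reflector.go:147] Failed to watch *v1alpha1.KongLicense: failed to list *v1alpha1.KongLicense: konglicenses.configuration.konghq.com is forbidden: User "system:serviceaccount:my-company:my-company-kong-kong" cannot list resource "konglicenses" in API group "configuration.konghq.com" at the cluster scope
E0611 10:40:00.000000 1 reflector.go:147] secrets is forbidden: User "system:serviceaccount:demo:demo-sa" cannot list resource "secrets" in API group "" in the namespace "demo"
'''


def summarize_denials(log_text):
    """Count denials keyed by (user, verb, resource, group, namespace or None)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:
            key = (m["user"], m["verb"], m["resource"], m["group"], m["namespace"])
            counts[key] += 1
    return counts


def required_binding(namespace):
    """A cluster-scope denial cannot be fixed by a Role: Roles are namespaced."""
    if namespace is None:
        return "ClusterRole + ClusterRoleBinding"
    return f"Role + RoleBinding in namespace {namespace}"


def report(log_text):
    """One human-readable line per distinct denial, most frequent first."""
    return [
        f"{n}x {user}: {verb} {resource}.{group or 'core'} -> {required_binding(ns)}"
        for (user, verb, resource, group, ns), n in summarize_denials(log_text).most_common()
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
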