OT-CONTAINER-KIT / redis-operator

A Golang-based Redis operator that will make/oversee Redis standalone/cluster/replication/sentinel mode setup on top of Kubernetes.
https://ot-redis-operator.netlify.app/
Apache License 2.0

OperatorHub install forbidden: User "system:serviceaccount:operators:redis-operator" #622

Open haliliceylan opened 1 year ago

haliliceylan commented 1 year ago

What version of redis operator are you using?

I0914 23:45:09.633058       1 request.go:665] Waited for 1.042501113s due to client-side throttling, not priority and fairness, request: GET:https://10.233.0.1:443/apis/rabbitmq.com/v1alpha1?timeout=32s
{"level":"info","ts":1694735110.5423458,"logger":"controller-runtime.metrics","msg":"Metrics server is starting to listen","addr":":8080"}
{"level":"info","ts":1694735110.5429115,"logger":"setup","msg":"starting manager"}
{"level":"info","ts":1694735110.543425,"msg":"Starting server","path":"/metrics","kind":"metrics","addr":"[::]:8080"}
{"level":"info","ts":1694735110.5434537,"msg":"Starting server","kind":"health probe","addr":"[::]:8081"}
I0914 23:45:10.543527       1 leaderelection.go:248] attempting to acquire leader lease operators/6cab913b.redis.opstreelabs.in...
I0914 23:45:27.905378       1 leaderelection.go:258] successfully acquired lease operators/6cab913b.redis.opstreelabs.in
{"level":"info","ts":1694735127.905758,"logger":"controller.redisreplication","msg":"Starting EventSource","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"RedisReplication","source":"kind source: *v1beta1.RedisReplication"}
{"level":"info","ts":1694735127.9057643,"logger":"controller.redis","msg":"Starting EventSource","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"Redis","source":"kind source: *v1beta1.Redis"}
{"level":"info","ts":1694735127.9059448,"logger":"controller.redis","msg":"Starting Controller","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"Redis"}
{"level":"info","ts":1694735127.9059248,"logger":"controller.redisreplication","msg":"Starting Controller","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"RedisReplication"}
{"level":"info","ts":1694735127.905845,"logger":"controller.redissentinel","msg":"Starting EventSource","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"RedisSentinel","source":"kind source: *v1beta1.RedisSentinel"}
{"level":"info","ts":1694735127.9060693,"logger":"controller.rediscluster","msg":"Starting EventSource","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"RedisCluster","source":"kind source: *v1beta1.RedisCluster"}
{"level":"info","ts":1694735127.9060426,"logger":"controller.redissentinel","msg":"Starting Controller","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"RedisSentinel"}
{"level":"info","ts":1694735127.9061449,"logger":"controller.rediscluster","msg":"Starting Controller","reconciler group":"redis.redis.opstreelabs.in","reconciler kind":"RedisCluster"}
W0914 23:45:27.912507       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:27.912410       1 event.go:267] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"6cab913b.redis.opstreelabs.in.1784e89ea72c7975", GenerateName:"", Namespace:"operators", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), DeletionTimestamp:<nil>, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ClusterName:"", ManagedFields:[]v1.ManagedFieldsEntry(nil)}, InvolvedObject:v1.ObjectReference{Kind:"ConfigMap", Namespace:"operators", Name:"6cab913b.redis.opstreelabs.in", UID:"c4d00c00-3ecd-4136-8eb5-bb29633bd02c", APIVersion:"v1", ResourceVersion:"37574", FieldPath:""}, Reason:"LeaderElection", Message:"redis-operator-6c8857856c-r4rp7_d734d517-8d2c-427e-89d4-eea0bc9702e6 became leader", Source:v1.EventSource{Component:"redis-operator-6c8857856c-r4rp7_d734d517-8d2c-427e-89d4-eea0bc9702e6", Host:""}, FirstTimestamp:time.Date(2023, time.September, 14, 23, 45, 27, 905335669, time.Local), LastTimestamp:time.Date(2023, time.September, 14, 23, 45, 27, 905335669, time.Local), Count:1, Type:"Normal", EventTime:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:operators:redis-operator" cannot create resource "events" in API group "" in the namespace "operators"' (will not retry!)
E0914 23:45:27.912616       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:27.912877       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:27.912916       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisSentinel: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:27.918988       1 event.go:267] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"6cab913b.redis.opstreelabs.in.1784e89ea72cc785", GenerateName:"", Namespace:"operators", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), DeletionTimestamp:<nil>, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ClusterName:"", ManagedFields:[]v1.ManagedFieldsEntry(nil)}, InvolvedObject:v1.ObjectReference{Kind:"Lease", Namespace:"operators", Name:"6cab913b.redis.opstreelabs.in", UID:"948b9e3a-f9e6-4af9-a28f-85552183b762", APIVersion:"coordination.k8s.io/v1", ResourceVersion:"37575", FieldPath:""}, Reason:"LeaderElection", Message:"redis-operator-6c8857856c-r4rp7_d734d517-8d2c-427e-89d4-eea0bc9702e6 became leader", Source:v1.EventSource{Component:"redis-operator-6c8857856c-r4rp7_d734d517-8d2c-427e-89d4-eea0bc9702e6", Host:""}, FirstTimestamp:time.Date(2023, time.September, 14, 23, 45, 27, 905355653, time.Local), LastTimestamp:time.Date(2023, time.September, 14, 23, 45, 27, 905355653, time.Local), Count:1, Type:"Normal", EventTime:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:operators:redis-operator" cannot create resource "events" in API group "" in the namespace "operators"' (will not retry!)
W0914 23:45:29.171454       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:29.171492       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:29.249530       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:29.249578       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisSentinel: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:31.361716       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:31.361785       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:31.774802       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:31.774856       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisSentinel: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:35.994622       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:35.994676       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:38.042719       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:38.042764       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisSentinel: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:46.816677       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:46.816721       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisSentinel: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:45:47.329791       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:45:47.329838       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:46:05.994253       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:46:05.994294       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisSentinel: failed to list *v1beta1.RedisSentinel: redissentinels.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redissentinels" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:46:12.293273       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:46:12.293310       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
W0914 23:46:39.202613       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope
E0914 23:46:39.202683       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.RedisReplication: failed to list *v1beta1.RedisReplication: redisreplications.redis.redis.opstreelabs.in is forbidden: User "system:serviceaccount:operators:redis-operator" cannot list resource "redisreplications" in API group "redis.redis.opstreelabs.in" at the cluster scope

redis-operator version: 0.15.0

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (kubectl version)?

kubectl version Output
$ Client Version: v1.27.4
Kustomize Version: v5.0.1
Server Version: v1.27.5

What did you do?

I just installed from OperatorHub with this YAML:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: my-redis-operator
  namespace: operators
spec:
  channel: stable
  name: redis-operator
  source: operatorhubio-catalog
  sourceNamespace: olm

What did you expect to see?

It should run.

What did you see instead?

A lot of errors

abjklk commented 1 year ago

Looks like #526 was not fixed?

As mentioned in #526,

The operator failed to start because the ClusterRole assigned to the ServiceAccount was missing permissions for redissentinels and redisreplications and their respective subresources /finalizers and /status and it is trying to watch those resources. After manually adding the resources and the respective subresources manually it started up as expected.
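
An added example (not part of the issue thread or the operator's code): a Python sketch that extracts the unique `forbidden` denials from log lines in the format posted above and groups them into the RBAC rules the ServiceAccount is missing. The sample log is constructed from shortened copies of those lines, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Authorization denial text as it appears in the operator log in the issue.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

SA = "system:serviceaccount:operators:redis-operator"
_U = f'User "{SA}"'
_C = 'in API group "redis.redis.opstreelabs.in" at the cluster scope'
# Constructed sample: shortened copies of the log lines posted in the issue,
# including one retry so that de-duplication is exercised.
SAMPLE_LOG = "\n".join([
    f'W0914 23:45:27.912507 reflector.go:324] failed to list *v1beta1.RedisReplication: {_U} cannot list resource "redisreplications" {_C}',
    f'E0914 23:45:27.912410 event.go:267] events is forbidden: {_U} cannot create resource "events" in API group "" in the namespace "operators"',
    f'W0914 23:45:27.912877 reflector.go:324] failed to list *v1beta1.RedisSentinel: {_U} cannot list resource "redissentinels" {_C}',
    f'W0914 23:45:29.171454 reflector.go:324] failed to list *v1beta1.RedisReplication: {_U} cannot list resource "redisreplications" {_C}',
    '{"level":"info","ts":1694735110.5429115,"logger":"setup","msg":"starting manager"}',
])


def parse_denials(log_text):
    """Return the unique (user, verb, resource, api_group, namespace) denials."""
    return {
        (m["user"], m["verb"], m["resource"], m["group"], m["ns"])
        for m in DENIAL.finditer(log_text)
    }


def to_rbac_rules(denials, subject):
    """Group one subject's denials into RBAC rules keyed by (kind, namespace)."""
    verbs = defaultdict(set)
    for user, verb, resource, group, ns in denials:
        if user != subject:
            continue
        # A namespaced denial maps to a Role, the narrowest grant that covers it.
        scope = ("Role", ns) if ns else ("ClusterRole", "")
        verbs[(scope, group, resource)].add(verb)
    # Merge resources that need the same verbs in the same API group and scope.
    merged = defaultdict(list)
    for (scope, group, resource), vs in verbs.items():
        merged[(scope, group, tuple(sorted(vs)))].append(resource)
    rules = defaultdict(list)
    for (scope, group, vs), resources in sorted(merged.items()):
        rules[scope].append(
            {"apiGroups": [group], "resources": sorted(resources), "verbs": list(vs)}
        )
    return dict(rules)


if __name__ == "__main__":
    for scope, rules in to_rbac_rules(parse_denials(SAMPLE_LOG), SA).items():
        print(scope, rules)
```

The derived rules are a lower bound: the reflector fails at `list` and never attempts `watch`, and the `/status` and `/finalizers` subresources named in #526 do not appear in this startup log.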

Elyytscha commented 11 months ago

Our Prometheus alerted about this; the operator is not usable by default via OLM.

haliliceylan commented 8 months ago

Is there any update regarding this?