TykTechnologies / tyk-operator

Tyk Operator for Kubernetes
https://tyk.io
Mozilla Public License 2.0

bug: permissions issue with events #166

Closed asoorm closed 3 years ago

asoorm commented 3 years ago

Create an api definition then delete it. Check the tyk-operator logs. Looks like we need a ClusterRole, not just a Role.

https://github.com/TykTechnologies/tyk-operator/blob/master/helm/templates/all.yaml#L1-L33

```
2020-11-16T20:04:30.053Z        DEBUG   controller-runtime.manager.events       Normal  {"object": {"kind":"ApiDefinition","namespace":"tykpro-control-plane","name":"httpbin","uid":"2d966b3a-8c90-4444-836b-91401db05954","apiVersion":"tyk.tyk.io/v1alpha1","resourceVersion":"11238"}, "reason": "ApiDefinition", "message": "Reconciling"}
E1116 20:04:30.060985       1 event.go:260] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"httpbin.1648154326014460", GenerateName:"", Namespace:"tykpro-control-plane", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ClusterName:"", ManagedFields:[]v1.ManagedFieldsEntry(nil)}, InvolvedObject:v1.ObjectReference{Kind:"ApiDefinition", Namespace:"tykpro-control-plane", Name:"httpbin", UID:"2d966b3a-8c90-4444-836b-91401db05954", APIVersion:"tyk.tyk.io/v1alpha1", ResourceVersion:"11238", FieldPath:""}, Reason:"ApiDefinition", Message:"Reconciling", Source:v1.EventSource{Component:"apidefinition-controller", Host:""}, FirstTimestamp:v1.Time{Time:time.Time{wall:0xbfe4d44952031260, ext:91820940701, loc:(*time.Location)(0x2442120)}}, LastTimestamp:v1.Time{Time:time.Time{wall:0xbfe4d4b3832fc1fc, ext:517010894401, loc:(*time.Location)(0x2442120)}}, Count:4, Type:"Normal", EventTime:v1.MicroTime{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events "httpbin.1648154326014460" is forbidden: User "system:serviceaccount:tyk-operator-system:tyk-operator" cannot patch resource "events" in API group "" in the namespace "tykpro-control-plane"' (will not retry!)
```

excieve commented 3 years ago

The linked code is a leader election role, which is not related to API definitions. Whichever role is responsible for the operator application will need cluster-level permissions for events added.
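
The grant discussed above could look like the manifest below. This is an added example, not part of the thread or of the tyk-operator Helm chart: the object names are hypothetical, while the service account, namespaces, API group and resource are taken from the rejected event in the log.

```yaml
# Added example. Names marked "hypothetical" do not come from the tyk-operator chart.
# The event recorder creates an Event the first time and patches it on repeats
# (the rejected event in the log has Count:4), so both verbs are needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tyk-operator-event-recorder      # hypothetical name
rules:
  - apiGroups: [""]                      # core group: API group "" in the error
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Option A (narrower): bind the ClusterRole inside each namespace that holds
# ApiDefinition objects. The grant stops at that namespace boundary.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tyk-operator-event-recorder      # hypothetical name
  namespace: tykpro-control-plane        # namespace named in the rejected event
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tyk-operator-event-recorder
subjects:
  - kind: ServiceAccount
    name: tyk-operator                   # from the "User" in the error message
    namespace: tyk-operator-system
---
# Option B (broader): a single ClusterRoleBinding covers every namespace,
# including ones created later. Apply either A or B, not both.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tyk-operator-event-recorder      # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tyk-operator-event-recorder
subjects:
  - kind: ServiceAccount
    name: tyk-operator
    namespace: tyk-operator-system
```

After applying either binding, `kubectl auth can-i patch events --namespace tykpro-control-plane --as system:serviceaccount:tyk-operator-system:tyk-operator` should answer `yes`; with option A the same check against any other namespace should still answer `no`.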

asoorm commented 3 years ago

Events firing removed - we don't really use it anyway.