actions / actions-runner-controller

Kubernetes controller for GitHub Actions self-hosted runners
Apache License 2.0

Forbidden Error on OpenShift #2248

Open David-N-Perkins opened 1 year ago

David-N-Perkins commented 1 year ago

Checks

Controller Version

0.22.0

Helm Chart Version

No response

CertManager Version

openshift-cert-manager.v1.7.1 which uses 1.10

Deployment Method

Other

cert-manager installation

I installed the RedHat cert-manager Operator.

Checks

Resource Definitions

```yaml
apiVersion: actions.summerwind.dev/v1alpha1
kind: RunnerDeployment
metadata:
  name: example-runnerdeploy
spec:
  replicas: 1
  template:
    spec:
      repository: xxxxxxxxx
```

To Reproduce

1. Install RedHat cert-manager operator
2. Install ARC. I had to add some extra flags to get around byte limits.

```shell
oc apply --server-side=true --force-conflicts -f https://github.com/actions/actions-runner-controller/releases/download/v0.22.0/actions-runner-controller.yaml
```

### Describe the bug

On OpenShift, when I install ARC, there are permission issues with the created service account. These errors show up in the operator pod logs.

```shell
W0203 20:05:16.853856 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
E0203 20:05:16.853924 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1alpha1.RunnerReplicaSet: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
```


### Describe the expected behavior

The operator to install correctly.

### Whole Controller Logs

```shell
E0203 19:39:48.571831 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1alpha1.RunnerReplicaSet: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
W0203 19:39:50.808215 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0203 19:39:50.808241 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1.StatefulSet: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
W0203 19:39:51.401870 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
E0203 19:39:51.401898 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1alpha1.RunnerReplicaSet: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
W0203 19:39:55.993727 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
E0203 19:39:55.993751 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1alpha1.RunnerReplicaSet: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
W0203 19:39:56.909157 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0203 19:39:56.909185 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1.StatefulSet: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
W0203 19:40:06.683935 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
E0203 19:40:06.683976 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1alpha1.RunnerReplicaSet: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
W0203 19:40:08.943728 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0203 19:40:08.943774 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1.StatefulSet: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
W0203 19:40:26.010012 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0203 19:40:26.010054 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1.StatefulSet: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
W0203 19:40:27.518891 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
E0203 19:40:27.518915 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1alpha1.RunnerReplicaSet: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
2023-02-03T19:41:03Z DEBUG controller-runtime.webhook.webhooks received request {"webhook": "/mutate-actions-summerwind-dev-v1alpha1-runnerdeployment", "UID": "14c32aef-238c-4591-8d6c-f66b7a7b7c2a", "kind": "actions.summerwind.dev/v1alpha1, Kind=RunnerDeployment", "resource": {"group":"actions.summerwind.dev","version":"v1alpha1","resource":"runnerdeployments"}}
2023-02-03T19:41:03Z DEBUG controller-runtime.webhook.webhooks wrote response {"webhook": "/mutate-actions-summerwind-dev-v1alpha1-runnerdeployment", "code": 200, "reason": "", "UID": "14c32aef-238c-4591-8d6c-f66b7a7b7c2a", "allowed": true}
W0203 19:41:04.099749 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
E0203 19:41:04.099806 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1alpha1.RunnerReplicaSet: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
```

Whole Runner Pod Logs

N/A

Additional Context

No response
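
A triage helper for the RBAC denials in the controller logs above, added here as an example and not part of the original issue or the project's code: it collapses the repeated `is forbidden` lines into one entry per subject, scope and resource, and flags a subject that is the namespace's `default` service account. The function names are hypothetical; the sample holds three lines copied from the logs above plus one constructed namespace-scoped line.

```python
import re
from collections import defaultdict

# Sample input: lines 1-2 and 4 are copied from the issue's logs; line 3 (pods, namespace
# scope) is constructed to exercise the namespaced form of the API server's message.
SAMPLE_LOG = r'''
W0203 19:39:50.808215 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0203 19:39:51.401898 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1alpha1.RunnerReplicaSet: failed to list *v1alpha1.RunnerReplicaSet: runnerreplicasets.actions.summerwind.dev is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "runnerreplicasets" in API group "actions.summerwind.dev" at the cluster scope
E0203 19:42:00.000000 1 reflector.go:138] constructed: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:actions-runner-system:default" cannot list resource "pods" in API group "" in the namespace "actions-runner-system"
2023-02-03T19:41:03Z DEBUG controller-runtime.webhook.webhooks wrote response {"webhook": "/mutate-actions-summerwind-dev-v1alpha1-runnerdeployment", "code": 200, "allowed": true}
'''

# Matches the authorization error text returned by the Kubernetes API server.
FORBIDDEN = re.compile(
    r'is forbidden: User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource '
    r'"(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'(?:at the (?P<cluster>cluster) scope|in the namespace "(?P<ns>[^"]+)")'
)

def denied_permissions(log_text):
    """Return {(subject, scope): {(api_group, resource): {verbs}}} for every denial."""
    denied = defaultdict(lambda: defaultdict(set))
    for m in FORBIDDEN.finditer(log_text):  # finditer also copes with entries run together
        scope = "cluster" if m["cluster"] else "namespace " + m["ns"]
        denied[(m["user"], scope)][(m["group"], m["resource"])].add(m["verb"])
    return denied

def uses_default_service_account(subject):
    """True for system:serviceaccount:<namespace>:default."""
    parts = subject.split(":")
    return len(parts) == 4 and parts[:2] == ["system", "serviceaccount"] and parts[3] == "default"

def report(log_text):
    lines = []
    for (subject, scope), rules in sorted(denied_permissions(log_text).items()):
        lines.append(f"{subject} [{scope}]")
        if uses_default_service_account(subject):
            # Heuristic: a controller's RBAC is normally bound to a dedicated service account.
            lines.append("  note: pod is running as the namespace's default service account")
        for (group, resource), verbs in sorted(rules.items()):
            lines.append(f"  denied: {','.join(sorted(verbs))} {resource}.{group or 'core'}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The result lists only what the API server actually denied in the captured window, so it is a starting point for comparing against the roles and bindings in the installed manifest rather than a complete rule set.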

github-actions[bot] commented 1 year ago

Hello! Thank you for filing an issue.

The maintainers will triage your issue shortly.

In the meantime, please take a look at the troubleshooting guide for bug reports.

If this is a feature request, please review our contribution guidelines.

regicsolutions commented 10 months ago

@David-N-Perkins any luck getting this to work? Came across this implementation but have not had a chance to test it out - https://github.com/ocpdude/actions-runner-controller

David-N-Perkins commented 10 months ago

I was unable to get it to work and eventually gave up. We are currently using the public runners, but thanks for the reference.