Kubernetes controller for multi-tenancy. It propagates resources between namespaces accurately and allows tenant users to create/delete sub-namespaces.
What
After adding a new watched resource type, we forgot to grant the controller RBAC to operate on the new resources. This made the operator workload roll over, apparently successfully. But after checking the logs, I see that it emits tons of errors. Example:
{"level":"error","ts":"2023-10-19T11:29:09Z","msg":"Reconciler error","controller":"namespace","controllerGroup":"","controllerKind":"Namespace","Namespace":{"name":"bsrv"},"namespace":"","name":"bsrv","reconcileID":"d8c88184-5aa8-4de9-961c-c57776f6bed0","error":"failed to reconcile a namespace: failed to propagate resource bsrv/default-limits of /v1, Kind=LimitRange with propagate=create: limitranges is forbidden: User \"system:serviceaccount:accurate:accurate-controller-manager\" cannot create resource \"limitranges\" in API group \"\" in the namespace \"bsrv\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.2/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.2/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller...
How
I think the controller should perform a check on startup, to see if it has the required RBAC to the configured watched resources, and crash/panic if it doesn't. The check could be based on the SelfSubjectAccessReview API.
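A sketch of such a startup check, added here as an example (not accurate's own code): the controller enumerates the (resource, verb) pairs it will need, asks the API server about each one through an `AccessReviewer` interface, and refuses to start if any are denied. The client-go adapter that posts the SelfSubjectAccessReview is hypothetical and only described in a comment; `staticReviewer` is a constructed offline stand-in for it.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// ResourceRule names one watched resource and the verbs the controller needs
// on it (propagate=create needs "create"; an empty Group is the core API group).
type ResourceRule struct {
	Group, Resource, Namespace string
	Verbs                      []string
}

// AccessReviewer answers "may my own identity <verb> <resource>?". The API-backed
// adapter (hypothetical, not shown) would post a SelfSubjectAccessReview via
// client-go's AuthorizationV1().SelfSubjectAccessReviews().Create and return Status.Allowed.
type AccessReviewer interface {
	Allowed(ctx context.Context, verb, group, resource, namespace string) (bool, error)
}

// ErrMissingRBAC lets main() tell "RBAC gap, exit non-zero" apart from a transient API error.
var ErrMissingRBAC = errors.New("controller lacks RBAC for watched resources")

// PreflightRBAC checks every (resource, verb) pair before any watch starts and reports
// all denials in one error, so the gap shows once at startup instead of in every reconcile.
func PreflightRBAC(ctx context.Context, r AccessReviewer, rules []ResourceRule) error {
	var denied []string
	for _, rule := range rules {
		for _, verb := range rule.Verbs {
			ok, err := r.Allowed(ctx, verb, rule.Group, rule.Resource, rule.Namespace)
			if err != nil {
				return fmt.Errorf("access review for %s %s: %w", verb, rule.Resource, err)
			}
			if !ok {
				denied = append(denied, fmt.Sprintf("%s %s in %q (apiGroup %q)", verb, rule.Resource, rule.Namespace, rule.Group))
			}
		}
	}
	if len(denied) > 0 {
		return fmt.Errorf("%w: %s", ErrMissingRBAC, strings.Join(denied, "; "))
	}
	return nil
}

// staticReviewer is a constructed offline stand-in for the API adapter: it allows exactly the
// "verb group/resource" keys it holds, e.g. "create /limitranges" for the core group.
type staticReviewer map[string]bool

func (s staticReviewer) Allowed(_ context.Context, verb, group, resource, _ string) (bool, error) {
	return s[verb+" "+group+"/"+resource], nil
}
```

In the real controller the caller logs the returned error and exits non-zero when `errors.Is(err, ErrMissingRBAC)`, which turns the silent roll-over described above into a failed rollout.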
Checklist