Insufficient privileges for created service

[ganniterix]

When installing on Openshift 4.12, the service account cilium-olm does not have sufficient permissions

1.688556618102894e+09   ERROR   Reconciler error    {"controller": "ciliumconfig-controller", "object": {"name":"cilium","namespace":"cilium"}, "namespace": "cilium", "name": "cilium", "reconcileID": "44df73b5-6e0c-4d15-97ea-94b599098a3d", "error": "failed to install release: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource Ingress \"hubble-ui\" in namespace \"cilium\": ingresses.networking.k8s.io \"hubble-ui\" is forbidden: User \"system:serviceaccount:cilium:cilium-olm\" cannot get resource \"ingresses\" in API group \"networking.k8s.io\" in the namespace \"cilium\""}

To confirm this is the limitation, the following file was modified:

cluster-network-06-cilium-00005-cilium-olm-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cilium-olm
  namespace: cilium
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - "*"

Obviously this is not a valid workaround, but after this modification, it works.

[Cleymax]

The CR defined cannot be reconciled properly because of the RBAC restriction. The serviceMonitors and ingress are created with the service account cilium-olm in the cilium namespace. A namespace role cilium-olm is bind to the service account. The role is lacking the RBAC accesses to the two resources.

Here's a slightly more restrictive rules:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cilium-olm
  namespace: cilium
rules:
- verbs:
    - '*'
  apiGroups:
    - monitoring.coreos.com
  resources:
    - servicemonitors
- verbs:
    - '*'
  apiGroups:
    - networking.k8s.io
  resources:
    - ingresses