jaegertracing / helm-charts

Helm Charts for Jaeger backend
Apache License 2.0

[Bug]: failed to list v1.IngressClass is forbidden #549

Open tcpecheanu opened 3 months ago

tcpecheanu commented 3 months ago

What happened?

When trying to recreate a jaeger instance I'm getting the following error in the operator:

2024-04-03T05:50:34Z    INFO    cleaning orphaned deployments.
W0403 05:50:39.050014       1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:operators:jaeger-operator" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
E0403 05:50:39.050062       1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: Failed to watch *v1.IngressClass: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:operators:jaeger-operator" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope

I have already enabled RBAC and service account creation.

Steps to reproduce

  1. Remove the Jaeger instance
  2. Try to re-add it

Expected behavior

Recreate the Jaeger instance without making any manual changes.

Relevant log output

2024-04-03T05:47:19Z    INFO    cleaning orphaned deployments.
W0403 05:47:23.410275       1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:operators:jaeger-operator" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
E0403 05:47:23.410316       1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: Failed to watch *v1.IngressClass: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:operators:jaeger-operator" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope

Screenshot

No response

Additional context

The fix is very simple: just add the ingressclasses resource access to the jaeger-operator ClusterRole under networking.k8s.io, like below:

  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses

Jaeger backend version

v1.55.0

SDK

No response

Pipeline

No response

Storage backend

Elasticsearch v8.12.0

Operating system

Linux

Deployment model

Kubernetes v1.27.8

Deployment configs

jaeger-operator-values.yaml
  image:
    repository: jaegertracing/jaeger-operator
    tag: 1.55.0
    pullPolicy: IfNotPresent
  crd:
    install: true
  rbac:
    create: true
    pspEnabled: false
    clusterRole: true
  serviceAccount:
    create: true
  resources:
    limits:
     cpu: 200m
     memory: 256Mi
    requests:
     cpu: 100m
     memory: 128Mi

jaeger-instance.yaml
  apiVersion: jaegertracing.io/v1
  kind: Jaeger
  metadata:
    name: jaeger
  spec:
    strategy: production
    storage:
      type: elasticsearch
      options:
        es:
          server-urls: {{ .Values.elasticsearch.url }}
          index-prefix: {{ .Values.prefix }}
      secretName: jaeger-es-secret
      esIndexCleaner:
        enabled: true
        numberOfDays: 7
        schedule: "55 23 * * *"
      dependencies:
        enabled: false
    collector:
      replicas: 2
      resources:
        requests:
          memory: 2Gi
          cpu: 2
        limits:
          memory: 4Gi
          cpu: 4
    query:
      replicas: 2

alex1989hu commented 2 months ago

Related: https://github.com/jaegertracing/helm-charts/pull/544#issuecomment-2044661804