Open rupertgti opened 3 weeks ago
Maybe the problem will be fixed if the namespace name is not hardcoded and if you add {{ .Release.Namespace }} here:
https://github.com/kedacore/charts/blob/v2.14.2/keda/templates/metrics-server/clusterrolebinding.yaml#L34 and https://github.com/kedacore/charts/blob/v2.14.2/keda/templates/metrics-server/clusterrolebinding.yaml#L62
Same issue for us. We used a different namespace to kube-system.
Same issue here. We used a different namespace, and this error was shown.
For what it's worth, while we're having a separate problem, probably because we're using EKS 1.30, deploying chart version 2.14.2 in the keda namespace works fine. We used the terraform helm provider's helm_release to deploy it and it gets past this stage for sure. I won't hijack this thread with our issue, just thought I'd help :)
Hi @tgmatt, thank you for your comment. Did you use some special values for this? Could you paste them?
Of course, this is what we did:
```hcl
resource "helm_release" "keda" {
  name             = "keda"
  chart            = "keda"
  repository       = "https://kedacore.github.io/charts"
  namespace        = "keda"
  version          = "2.14.2"
  create_namespace = true

  values = [
    "${file("${path.module}/cluster_trigger_authentication.yml")}"
  ]

  set {
    name  = "podIdentity.aws.irsa.enabled"
    value = "true"
  }

  set {
    name  = "podIdentity.aws.irsa.roleArn"
    value = module.keda-irsa.iam_role_arn
  }
}
```
The included values file just includes a definition for the ClusterTriggerAuthentication as it doesn't appear to get created automatically for some reason. I can share that if you want the keda operator to monitor queues instead of workload roles.
In our case we don't need a specific role in AWS because we don't need authentication between namespaces, but it's curious that it works in your case with terraform while a classic helm apply deployment fails in our case in versions up from 2.12. Maybe terraform manages the values for the installed clusterrole in a different way, I don't know :(
Report
We install the Keda helm chart in another namespace (called keda) and in the latest versions of the helm chart we receive these errors in the pod keda-operator-metrics-apiserver:
1 requestheader_controller.go:193] Unable to get configmap/extension-apiserver-authentication in kube-system. Usually fixed by 'kubectl create rolebinding -n kube-system ROLEBINDING_NAME --role=extension-apiserver-authentication-reader --serviceaccount=YOUR_NS:YOUR_SA'
1 main.go:254] "msg"="unable to run external metrics adapter" "error"="unable to load configmap based request-header-client-ca-file: configmaps \"extension-apiserver-authentication\" is forbidden: User \"system:serviceaccount:keda:keda-metrics-server\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"kube-system\"" "logger"="keda_metrics_adapter"
Steps to Reproduce the Problem:
Use helm chart version of keda >2.12 in another namespace
KEDA Version 2.13.0 or 2.14.0
Kubernetes Version 1.30
Platform Amazon Web Services
Expected Behavior
Pods up ;)
Actual Behavior
Pod keda-operator-metrics-apiserver enters back-off and we see these logs:
1 requestheader_controller.go:193] Unable to get configmap/extension-apiserver-authentication in kube-system. Usually fixed by 'kubectl create rolebinding -n kube-system ROLEBINDING_NAME --role=extension-apiserver-authentication-reader --serviceaccount=YOUR_NS:YOUR_SA'
1 main.go:254] "msg"="unable to run external metrics adapter" "error"="unable to load configmap based request-header-client-ca-file: configmaps \"extension-apiserver-authentication\" is forbidden: User \"system:serviceaccount:keda:keda-metrics-server\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"kube-system\"" "logger"="keda_metrics_adapter"
Steps to Reproduce the Problem
1. Use helm chart version of keda >2.12 in another namespace in a k8s cluster
Logs from KEDA operator
KEDA Version
2.13.0
Kubernetes Version
1.29
Platform
Amazon Web Services
Scaler Details
No response
Anything else?
No response
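The "forbidden" log line in the report names both the denied identity and the role that fixes it. As an added example (not part of the original issue or of the KEDA chart), this script extracts the service account from that line and prints the namespaced RoleBinding in kube-system that the log message asks for; the function names and the binding name are assumptions, and the sample line is the one from the report, shortened.

```shell
#!/bin/sh
# Added example: derive the missing RoleBinding from the "forbidden" log line.
# Function names and the binding name are hypothetical, not from the chart.

# Constructed sample input: the error from the report, shortened.
SAMPLE_LOG='configmaps \"extension-apiserver-authentication\" is forbidden: User \"system:serviceaccount:keda:keda-metrics-server\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"kube-system\"'

# Print "<namespace> <serviceaccount>" of the denied identity; fail if absent.
denied_sa() {
  id=$(printf '%s\n' "$1" | sed -n 's/.*system:serviceaccount:\([a-z0-9-]*\):\([a-z0-9.-]*\).*/\1 \2/p')
  [ -n "$id" ] && printf '%s\n' "$id"
}

# Emit a RoleBinding scoped to kube-system only (no cluster-wide grant).
render_rolebinding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${2}-auth-reader   # hypothetical name
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: ${2}
  namespace: ${1}
EOF
}

# Log line in, manifest out; non-zero exit if no service account is found.
fix_from_log() {
  id=$(denied_sa "$1") || return 1
  render_rolebinding "${id% *}" "${id#* }"
}

# Prints the manifest for the sample line. To use it, pipe the output to
#   kubectl apply -f -
# and confirm the grant with
#   kubectl auth can-i get configmaps/extension-apiserver-authentication \
#     -n kube-system --as=system:serviceaccount:keda:keda-metrics-server
fix_from_log "$SAMPLE_LOG"
```

The binding grants only what the built-in extension-apiserver-authentication-reader Role allows in kube-system, so the metrics server's service account gains no other access in that namespace.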