kubernetes / sample-controller

Repository for sample controller. Complements sample-apiserver
Apache License 2.0

[Question] Sample Controller is listing from cluster scope #66

Closed sureleo closed 3 years ago

sureleo commented 4 years ago

Hello,

I am trying to play with the sample controller without a cluster role. I saw a bunch of error messages like this:

```
E0128 22:32:08.533076       1 reflector.go:123] pkg/mod/k8s.io/client-go@v0.0.0-20190831074946-3fe2abece89e/tools/cache/reflector.go:96: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:test:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
```

Is there a way to ask the sample controller to only list from a certain namespace? Or is it by design that most CRD operators need to have the permission to list CRDs in all namespaces? Thanks in advance.

Regards, Shuo

devdattakulkarni commented 4 years ago

All the client-go functions support passing in a Namespace name in their CRUD calls. The sample-controller code is already written to parse and use the namespace field from input YAMLs. So yes, you can restrict your code to make calls for objects in a particular namespace. If you pass the namespace field as "" (empty string) in a list call, then that call goes out to all namespaces.

Regarding the above error, it is showing up in the reflector, which is the entity in client-go that, behind the scenes, tries to retrieve objects from the API server and cache them locally. The sample-controller then works with these cached objects. Access of client-go's reflector to the API server is also controlled by the same RBAC rules as any other entity that is trying to make calls to the API server. To solve the above error you will have to define RBAC policies in your cluster. Generally you will deploy your controller as a Pod and define RBAC rules for that Pod's 'serviceAccount'. If you are just trying out the sample controller, I would recommend enabling cluster admin permissions for your kubeconfig context user. If you are using minikube then you will have these permissions already. If not, you can follow these steps. They are a bit involved -- create a ServiceAccount, grant it cluster admin permissions, get that SA's token, update your kubeconfig context to use that SA, and then try running sample-controller. Using minikube might be a simpler option if these steps seem complicated.
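A namespace-scoped alternative to cluster-wide permissions, as an added example that is not part of the comment above or of the sample-controller repository: a Role and RoleBinding in the `test` namespace for the service account named in the error message. The object name `sample-controller-statefulsets` is hypothetical, and the manifest assumes the controller builds its informers with a namespace restriction so the reflector no longer lists at the cluster scope.

```yaml
# Added example, not project code.
# Assumption: the informer factory is created with client-go's
# informers.NewSharedInformerFactoryWithOptions(client, resync,
#     informers.WithNamespace("test"))
# so list/watch calls are issued against namespace "test" only.
# Without that change the reflector still lists at the cluster scope
# and a namespaced Role cannot authorize the request.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sample-controller-statefulsets   # hypothetical name
  namespace: test
rules:
  # Read-only access that an informer needs: initial list, then watch.
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sample-controller-statefulsets   # hypothetical name
  namespace: test
subjects:
  # Identity taken from the error: system:serviceaccount:test:default
  - kind: ServiceAccount
    name: default
    namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sample-controller-statefulsets
```

After applying it, `kubectl auth can-i list statefulsets.apps -n test --as=system:serviceaccount:test:default` should answer `yes`, while the same check with `--all-namespaces` should still answer `no`. Any other resource the controller watches needs an equivalent rule in the same Role.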

fejta-bot commented 4 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle stale

fejta-bot commented 4 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle rotten

fejta-bot commented 3 years ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/close

k8s-ci-robot commented 3 years ago

@fejta-bot: Closing this issue.

In response to [this](https://github.com/kubernetes/sample-controller/issues/66#issuecomment-695214840):

>Rotten issues close after 30d of inactivity.
>Reopen the issue with `/reopen`.
>Mark the issue as fresh with `/remove-lifecycle rotten`.
>
>Send feedback to sig-testing, kubernetes/test-infra and/or [fejta](https://github.com/fejta).
>/close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.