Closed c-pius closed 1 month ago
The errors shown are specific to the namespaces:
Failed to watch *v1beta2.ModuleTemplate: failed to list *v1beta2.ModuleTemplate: moduletemplates.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "moduletemplates" in API group "operator.kyma-project.io" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 W0725 18:54:21.745617 1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list *v1beta2.Kyma: kymas.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "kymas" in API group "operator.kyma-project.io" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 E0725 18:54:21.745979 1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: Failed to watch *v1beta2.Kyma: failed to list *v1beta2.Kyma: kymas.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "kymas" in API group "operator.kyma-project.io" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 W0725 18:54:27.603816 1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 E0725 18:54:27.604167 1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 W0725 18:54:37.570212 1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "istio-system"
Description
As of now we have three bindings to the `klm-manager-role` ClusterRole for the `kcp-system`, `kyma-system` and `istio-system` namespaces: https://github.com/kyma-project/lifecycle-manager/blob/main/config/rbac/namespace_bindings/role_binding.yaml
While testing the helm setup, we tried to remove the ones for `kyma-system` and `istio-system`, but this leads to errors like those quoted above.
Those errors are surprising because KLM should be working in the `kcp-system` namespace on KCP, and in the `kyma-system` namespace only on SKR, which is accessed through the related kubeconfig file.
We need to find out why those bindings are needed and if they can be reduced so that they are not needed anymore.
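A small triage helper, added here and not part of the lifecycle-manager project, that parses the reflector denials quoted above into the per-namespace permissions the controller is actually asking for, flags namespaces outside the expected set, and derives the minimal Role rules that would silence each denial. The sample log lines are constructed from the ones in this issue; treating a denied `list` as also needing `watch` is an assumption based on how a client-go reflector lists before it watches.

```python
import re
from collections import defaultdict

# Matches the RBAC denial client-go's reflector logs when an informer cannot
# list a resource in a namespace (the shape of the log lines in this issue).
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"'
)

def parse_forbidden(log_lines):
    """Map namespace -> {(apiGroup, resource, verb)} for every denial found."""
    needed = defaultdict(set)
    for line in log_lines:
        m = FORBIDDEN_RE.search(line)
        if m:
            needed[m["ns"]].add((m["group"], m["resource"], m["verb"]))
    return dict(needed)

def unexpected_namespaces(needed, expected):
    """Namespaces the controller touches that are not in the expected set."""
    return sorted(set(needed) - set(expected))

def suggest_role_rules(needed, namespace):
    """PolicyRules a Role in `namespace` would need to clear these denials.
    Assumption: a reflector lists and then watches, so 'list' implies 'watch'."""
    rules = []
    for group, resource, verb in sorted(needed.get(namespace, ())):
        verbs = sorted({verb, "watch"}) if verb == "list" else [verb]
        rules.append({"apiGroups": [group], "resources": [resource], "verbs": verbs})
    return rules

# Constructed sample, modelled on the reflector output quoted in this issue.
SA = "system:serviceaccount:kcp-system:klm-controller-manager"
SAMPLE_LOGS = [
    f'W0725 18:54:21.745617 1 reflector.go:547] failed to list *v1beta2.Kyma: kymas.operator.kyma-project.io is forbidden: User "{SA}" cannot list resource "kymas" in API group "operator.kyma-project.io" in the namespace "kyma-system"',
    f'W0725 18:54:27.603816 1 reflector.go:547] failed to list *v1.Secret: secrets is forbidden: User "{SA}" cannot list resource "secrets" in API group "" in the namespace "kyma-system"',
    f'W0725 18:54:37.570212 1 reflector.go:547] failed to list *v1.Secret: secrets is forbidden: User "{SA}" cannot list resource "secrets" in API group "" in the namespace "istio-system"',
    "I0725 18:54:40.000000 1 controller.go:180] Starting workers",  # unrelated line, ignored
]

if __name__ == "__main__":
    needed = parse_forbidden(SAMPLE_LOGS)
    for ns in unexpected_namespaces(needed, {"kcp-system"}):
        print(ns, suggest_role_rules(needed, ns))
```

Running it against the real controller logs shows whether the extra bindings are covering informers on KCP itself, which is the question this issue is asking.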
Reasons
Keeping RBAC as restricted and clean as possible