open-cluster-management-io / community

open-cluster-management governance material.
https://open-cluster-management.io
Apache License 2.0

cluster-manager-xxx-webhook-sa cannot list resources for missing permission #40

Open captainroy-hy opened 3 years ago

captainroy-hy commented 3 years ago

In a hub cluster, cluster-manager-work-webhook outputs the error log below:

reflector.go:138]] k8s.io/client-go@v0.21.0-rc.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-hub:cluster-manager-work-webhook-sa" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope

and cluster-manager-registration-webhook outputs a similar error:

reflector.go:138] k8s.io/client-go@v0.21.0-rc.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-hub:cluster-manager-registration-webhook-sa" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope                                             
reflector.go:138] k8s.io/client-go@v0.21.0-rc.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-hub:cluster-manager-registration-webhook-sa" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope 

image: quay.io/open-cluster-management/registration:latest (SHA256: 9a9db2eb9c8a) clustermanager csv 0.4.0

qiujian16 commented 3 years ago

It is because the generic apiserver enables flow control by default in 1.21... It will show such an error but will not affect the function of the webhooks.

We could add the permission for flow control or try to disable it in the webhook.

/assign @zhiweiyin318 /assign @qiujian16
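
As an added example (not part of the thread or of the open-cluster-management code), the following Python reads the denial messages quoted in the issue and renders a ClusterRole limited to exactly the denied resources, one way to take the "add permission" route without over-granting. The role name is hypothetical, and granting `watch` alongside a denied `list` is an assumption based on client-go reflectors listing and then watching.

```python
import re
from collections import defaultdict

# Sample input: the denial part of the three log lines quoted in the issue (prefix trimmed).
SAMPLE_LOG = '''\
failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-hub:cluster-manager-work-webhook-sa" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-hub:cluster-manager-registration-webhook-sa" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-hub:cluster-manager-registration-webhook-sa" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
'''

# Matches the API server's cluster-scoped "forbidden" message for a service account.
DENIED = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" at the cluster scope'
)

def denied_access(log_text):
    """Return {(namespace, serviceaccount): {(api_group, resource): {verbs}}}."""
    found = defaultdict(lambda: defaultdict(set))
    for m in DENIED.finditer(log_text):
        found[(m["ns"], m["sa"])][(m["group"], m["resource"])].add(m["verb"])
    return {sa: dict(rules) for sa, rules in found.items()}

def cluster_role_yaml(name, rules):
    """Render a ClusterRole granting only the denied verbs on the denied resources."""
    lines = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
             "metadata:", f"  name: {name}", "rules:"]
    for (group, resource), verbs in sorted(rules.items()):
        # Assumption: a reflector lists and then watches, so a denied "list" also needs "watch".
        verbs = sorted(verbs | ({"watch"} if "list" in verbs else set()))
        lines += [f'- apiGroups: ["{group}"]', f'  resources: ["{resource}"]',
                  "  verbs: [" + ", ".join(f'"{v}"' for v in verbs) + "]"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for (ns, sa), rules in denied_access(SAMPLE_LOG).items():
        print(f"# for ServiceAccount {ns}/{sa}")
        # "<sa>-flowcontrol" is a hypothetical role name chosen for this example.
        print(cluster_role_yaml(f"{sa}-flowcontrol", rules))
```

A ClusterRoleBinding from each generated role to its ServiceAccount is still needed before the permission takes effect.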

qiujian16 commented 3 years ago

/kind bug