operator-framework / operator-controller

A new and improved management framework for extending Kubernetes with Operators
https://operator-framework.github.io/operator-controller/
Apache License 2.0

Bug: When insufficient permissions exist to watch managed resources, reconciliation halts #1109

Closed everettraven closed 1 month ago

everettraven commented 2 months ago

When you create a ClusterExtension referencing a ServiceAccount with insufficient permissions to list and watch managed resources, we loop forever while waiting for the watches to successfully become established.

In the operator-controller-manager logs you'll see a looping error similar to:

W0809 19:08:12.963229       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:argocd:argocd-installer" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

m1kola commented 1 month ago

We have this issue in our sample manifest. I see that #1119, which addressed this issue, also fixes the sample, so I closed #1195 as a duplicate of this issue.
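
The looping reflector warning quoted in the issue already names the ServiceAccount, resource, API group and scope that were denied. As an added example (not part of the issue and not operator-controller code), this script collapses repeated warnings into the list/watch RBAC rules the ServiceAccount lacks. The function names and the "<cluster>" scope label are assumptions of the example, and the sample lines are constructed from the log line in the issue.

```python
import re

# RBAC denial text as it appears in the reflector warning quoted in the issue.
FORBIDDEN = re.compile(
    r'is forbidden: User "(?P<user>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

def parse_denials(lines):
    """Count denials per (user, api group, resource, namespace-or-None)."""
    counts = {}
    for line in lines:
        m = FORBIDDEN.search(line)
        if m:
            key = (m["user"], m["group"], m["resource"], m["namespace"])
            counts[key] = counts.get(key, 0) + 1
    return counts

def missing_rules(denials):
    """Build RBAC rules per (user, scope). A watch needs both list and watch,
    even though the log only shows the verb that failed first."""
    grouped = {}
    for user, group, resource, namespace in denials:
        scope = namespace or "<cluster>"  # label chosen for this example
        grouped.setdefault((user, scope), {}).setdefault(group, set()).add(resource)
    return {
        subject: [
            {"apiGroups": [g], "resources": sorted(r), "verbs": ["list", "watch"]}
            for g, r in sorted(groups.items())
        ]
        for subject, groups in grouped.items()
    }

PREFIX = "reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: "
SA = "system:serviceaccount:argocd:argocd-installer"
# Constructed sample: the issue's line twice (the loop), one constructed
# namespaced denial, and one unrelated line.
SAMPLE_LOG = [
    f'W0809 19:08:12.963229 1 {PREFIX}failed to list apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "{SA}" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope',
    f'W0809 19:08:43.120011 1 {PREFIX}failed to list apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "{SA}" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope',
    f'W0809 19:08:44.000100 1 {PREFIX}failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User "{SA}" cannot list resource "deployments" in API group "apps" in the namespace "argocd"',
    'I0809 19:08:45.000000 1 controller.go:100] reconcile starting',
]

if __name__ == "__main__":
    for subject, rules in missing_rules(parse_denials(SAMPLE_LOG)).items():
        print(subject, rules)
```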