search

operator-framework / operator-controller

A new and improved management framework for extending Kubernetes with Operators
https://operator-framework.github.io/operator-controller/
Apache License 2.0
70 stars 54 forks source link

ClusterExtension status/condition not getting updated #1192

Closed perdasilva closed 2 months ago

perdasilva commented 2 months ago

After applying the following manifest (which includes, namespace, clusterrole, role, etc. all the way to ce):

---
apiVersion: v1
kind: Namespace
metadata:
  name: zookeeper-operator-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: zookeeper-operator-installer
  namespace: zookeeper-operator-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: zookeeper-operator-installer-cluster-role
rules: [
  {
    "apiGroups": [
      "olm.operatorframework.io"
    ],
    "resources": [
      "clusterextensions/finalizers"
    ],
    "verbs": [
      "update"
    ],
    "resourceNames": [
      "zookeeper-operator"
    ]
  },
  {
    "apiGroups": [
      "apiextensions.k8s.io"
    ],
    "resources": [
      "customresourcedefinitions"
    ],
    "verbs": [
      "create",
      "list",
      "watch"
    ]
  },
  {
    "apiGroups": [
      "apiextensions.k8s.io"
    ],
    "resources": [
      "customresourcedefinitions"
    ],
    "verbs": [
      "get",
      "update",
      "patch",
      "delete"
    ],
    "resourceNames": [
      "zookeeperclusters.zookeeper.streamnative.io"
    ]
  },
  {
    "apiGroups": [
      "rbac.authorization.k8s.io"
    ],
    "resources": [
      "clusterroles"
    ],
    "verbs": [
      "create"
    ]
  },
  {
    "apiGroups": [
      "rbac.authorization.k8s.io"
    ],
    "resources": [
      "clusterroles"
    ],
    "verbs": [
      "get",
      "list",
      "watch",
      "update",
      "patch",
      "delete"
    ],
    "resourceNames": [
      "zookeeper-operator-metrics-reader",
      "zookeeper-operator-35zvrk4dltmhe07cy356ua505iw96ivt7id1zgsw9m0c",
      "zookeeper-operator-1bisf6yvt0wfjl1j8qzv3law61zq4addw446qp0b1594"
    ]
  },
  {
    "nonResourceURLs": [
      "/metrics"
    ],
    "verbs": [
      "get"
    ]
  },
  {
    "apiGroups": [
      "apps"
    ],
    "resources": [
      "statefulsets"
    ],
    "verbs": [
      "create",
      "delete",
      "get",
      "list",
      "patch",
      "update",
      "watch"
    ]
  },
  {
    "apiGroups": [
      "coordination.k8s.io"
    ],
    "resources": [
      "leases"
    ],
    "verbs": [
      "create",
      "get",
      "list",
      "update"
    ]
  },
  {
    "apiGroups": [
      ""
    ],
    "resources": [
      "configmaps"
    ],
    "verbs": [
      "create",
      "delete",
      "get",
      "list",
      "patch",
      "update",
      "watch"
    ]
  },
  {
    "apiGroups": [
      ""
    ],
    "resources": [
      "persistentvolumeclaims"
    ],
    "verbs": [
      "create",
      "delete",
      "get",
      "list",
      "patch",
      "update",
      "watch"
    ]
  },
  {
    "apiGroups": [
      ""
    ],
    "resources": [
      "pods"
    ],
    "verbs": [
      "create",
      "delete",
      "get",
      "list",
      "patch",
      "update",
      "watch"
    ]
  },
  {
    "apiGroups": [
      ""
    ],
    "resources": [
      "services"
    ],
    "verbs": [
      "create",
      "delete",
      "get",
      "list",
      "patch",
      "update",
      "watch"
    ]
  },
  {
    "apiGroups": [
      "networking.istio.io"
    ],
    "resources": [
      "*"
    ],
    "verbs": [
      "create",
      "delete",
      "get",
      "list",
      "patch",
      "update",
      "watch"
    ]
  },
  {
    "apiGroups": [
      "policy"
    ],
    "resources": [
      "poddisruptionbudgets"
    ],
    "verbs": [
      "create",
      "delete",
      "get",
      "list",
      "patch",
      "update",
      "watch"
    ]
  },
  {
    "apiGroups": [
      "security.istio.io"
    ],
    "resources": [
      "*"
    ],
    "verbs": [
      "create",
      "delete",
      "get",
      "list",
      "patch",
      "update",
      "watch"
    ]
  },
  {
    "apiGroups": [
      "zookeeper.streamnative.io"
    ],
    "resources": [
      "zookeeperclusters"
    ],
    "verbs": [
      "create",
      "delete",
      "get",
      "list",
      "patch",
      "update",
      "watch"
    ]
  },
  {
    "apiGroups": [
      "zookeeper.streamnative.io"
    ],
    "resources": [
      "zookeeperclusters/finalizers"
    ],
    "verbs": [
      "update"
    ]
  },
  {
    "apiGroups": [
      "zookeeper.streamnative.io"
    ],
    "resources": [
      "zookeeperclusters/status"
    ],
    "verbs": [
      "get",
      "patch",
      "update"
    ]
  },
  {
    "apiGroups": [
      "authentication.k8s.io"
    ],
    "resources": [
      "tokenreviews"
    ],
    "verbs": [
      "create"
    ]
  },
  {
    "apiGroups": [
      "authorization.k8s.io"
    ],
    "resources": [
      "subjectaccessreviews"
    ],
    "verbs": [
      "create"
    ]
  },
  {
    "apiGroups": [
      "rbac.authorization.k8s.io"
    ],
    "resources": [
      "clusterrolebindings"
    ],
    "verbs": [
      "create"
    ]
  },
  {
    "apiGroups": [
      "rbac.authorization.k8s.io"
    ],
    "resources": [
      "clusterrolebindings"
    ],
    "verbs": [
      "get",
      "list",
      "watch",
      "update",
      "patch",
      "delete"
    ],
    "resourceNames": [
      "zookeeper-operator-35zvrk4dltmhe07cy356ua505iw96ivt7id1zgsw9m0c",
      "zookeeper-operator-1bisf6yvt0wfjl1j8qzv3law61zq4addw446qp0b1594"
    ]
  },
  {
    "apiGroups": [
      ""
    ],
    "resources": [
      "configmaps"
    ],
    "verbs": [
      "get",
      "list",
      "watch",
      "create",
      "update",
      "patch",
      "delete"
    ]
  },
  {
    "apiGroups": [
      ""
    ],
    "resources": [
      "configmaps/status"
    ],
    "verbs": [
      "get",
      "update",
      "patch"
    ]
  },
  {
    "apiGroups": [
      ""
    ],
    "resources": [
      "events"
    ],
    "verbs": [
      "create",
      "patch"
    ]
  }
]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: zookeeper-operator-installer-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: zookeeper-operator-installer-cluster-role
subjects:
  - kind: ServiceAccount
    name: zookeeper-operator-installer
    namespace: zookeeper-operator-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: zookeeper-operator-installer-installer-role
  namespace: zookeeper-operator-system
rules: [
  {
    "apiGroups": [
      "apps"
    ],
    "resources": [
      "deployments"
    ],
    "verbs": [
      "create"
    ]
  },
  {
    "apiGroups": [
      "apps"
    ],
    "resources": [
      "deployments"
    ],
    "verbs": [
      "get",
      "list",
      "watch",
      "update",
      "patch",
      "delete"
    ],
    "resourceNames": [
      "zookeeper-operator-controller-manager"
    ]
  },
  {
    "apiGroups": [
      ""
    ],
    "resources": [
      "serviceaccounts"
    ],
    "verbs": [
      "create"
    ]
  },
  {
    "apiGroups": [
      ""
    ],
    "resources": [
      "serviceaccounts"
    ],
    "verbs": [
      "get",
      "list",
      "watch",
      "update",
      "patch",
      "delete"
    ],
    "resourceNames": [
      "zookeeper-operator-controller-manager"
    ]
  }
]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: zookeeper-operator-installer-installer-role-binding
  namespace: zookeeper-operator-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: zookeeper-operator-installer-installer-role
subjects:
  - kind: ServiceAccount
    name: zookeeper-operator-installer
    namespace: zookeeper-operator-system
---
apiVersion: olm.operatorframework.io/v1alpha1
kind: ClusterExtension
metadata:
  name: zookeeper-operator
spec:
  installNamespace: zookeeper-operator-system
  packageName: zookeeper-operator
  version: 0.17.9
  serviceAccount:
    name: zookeeper-operator-installer

O-C logs show RBAC failures:

W0829 17:23:26.675538       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list /v1, Kind=ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "serviceaccounts" in API group "" at the cluster scope
E0829 17:23:26.675566       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch /v1, Kind=ServiceAccount: failed to list /v1, Kind=ServiceAccount: serviceaccounts is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"serviceaccounts\" in API group \"\" at the cluster scope" logger="UnhandledError"
W0829 17:23:26.675985       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
E0829 17:23:26.676007       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"clusterrolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope" logger="UnhandledError"
W0829 17:23:26.676018       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
E0829 17:23:26.676034       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch rbac.authorization.k8s.io/v1, Kind=ClusterRole: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"clusterroles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope" logger="UnhandledError"
W0829 17:23:26.676905       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "deployments" in API group "apps" at the cluster scope
E0829 17:23:26.676921       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch apps/v1, Kind=Deployment: failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope" logger="UnhandledError"
W0829 17:23:27.600414       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
E0829 17:23:27.600442       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch rbac.authorization.k8s.io/v1, Kind=ClusterRole: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"clusterroles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope" logger="UnhandledError"
W0829 17:23:27.815889       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list /v1, Kind=ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "serviceaccounts" in API group "" at the cluster scope
E0829 17:23:27.815915       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch /v1, Kind=ServiceAccount: failed to list /v1, Kind=ServiceAccount: serviceaccounts is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"serviceaccounts\" in API group \"\" at the cluster scope" logger="UnhandledError"
W0829 17:23:28.102639       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
E0829 17:23:28.102666       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"clusterrolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope" logger="UnhandledError"
W0829 17:23:28.222938       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "deployments" in API group "apps" at the cluster scope
E0829 17:23:28.222964       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch apps/v1, Kind=Deployment: failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope" logger="UnhandledError"
W0829 17:23:29.820292       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list /v1, Kind=ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "serviceaccounts" in API group "" at the cluster scope
E0829 17:23:29.820320       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch /v1, Kind=ServiceAccount: failed to list /v1, Kind=ServiceAccount: serviceaccounts is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"serviceaccounts\" in API group \"\" at the cluster scope" logger="UnhandledError"
W0829 17:23:30.321084       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "deployments" in API group "apps" at the cluster scope
E0829 17:23:30.321112       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch apps/v1, Kind=Deployment: failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope" logger="UnhandledError"
W0829 17:23:30.592626       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
E0829 17:23:30.592646       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch rbac.authorization.k8s.io/v1, Kind=ClusterRole: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"clusterroles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope" logger="UnhandledError"
W0829 17:23:31.129252       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
E0829 17:23:31.129282       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"clusterrolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope" logger="UnhandledError"
W0829 17:23:34.021541       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list /v1, Kind=ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "serviceaccounts" in API group "" at the cluster scope
E0829 17:23:34.021573       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch /v1, Kind=ServiceAccount: failed to list /v1, Kind=ServiceAccount: serviceaccounts is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"serviceaccounts\" in API group \"\" at the cluster scope" logger="UnhandledError"
W0829 17:23:35.907538       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "deployments" in API group "apps" at the cluster scope
E0829 17:23:35.907566       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch apps/v1, Kind=Deployment: failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope" logger="UnhandledError"
W0829 17:23:36.871987       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
E0829 17:23:36.872014       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"clusterrolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope" logger="UnhandledError"
W0829 17:23:36.871988       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
E0829 17:23:36.872032       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch rbac.authorization.k8s.io/v1, Kind=ClusterRole: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"clusterroles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope" logger="UnhandledError"
W0829 17:23:42.425441       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list /v1, Kind=ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "serviceaccounts" in API group "" at the cluster scope
E0829 17:23:42.425468       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch /v1, Kind=ServiceAccount: failed to list /v1, Kind=ServiceAccount: serviceaccounts is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"serviceaccounts\" in API group \"\" at the cluster scope" logger="UnhandledError"
W0829 17:23:45.650514       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
E0829 17:23:45.650541       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"clusterrolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope" logger="UnhandledError"
W0829 17:23:48.495831       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "deployments" in API group "apps" at the cluster scope
E0829 17:23:48.495859       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch apps/v1, Kind=Deployment: failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope" logger="UnhandledError"
W0829 17:23:49.042792       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
E0829 17:23:49.042824       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch rbac.authorization.k8s.io/v1, Kind=ClusterRole: failed to list rbac.authorization.k8s.io/v1, Kind=ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"clusterroles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope" logger="UnhandledError"
W0829 17:23:56.559892       1 reflector.go:561] pkg/cache/internal/informers.go:106: failed to list /v1, Kind=ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer" cannot list resource "serviceaccounts" in API group "" at the cluster scope
E0829 17:23:56.559918       1 reflector.go:158] "Unhandled Error" err="pkg/cache/internal/informers.go:106: Failed to watch /v1, Kind=ServiceAccount: failed to list /v1, Kind=ServiceAccount: serviceaccounts is forbidden: User \"system:serviceaccount:zookeeper-operator-system:zookeeper-operator-installer\" cannot list resource \"serviceaccounts\" in API group \"\" at the cluster scope" logger="UnhandledError"

But status is not updated:

apiVersion: v1
items:
- apiVersion: olm.operatorframework.io/v1alpha1
  kind: ClusterExtension
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"olm.operatorframework.io/v1alpha1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"zookeeper-operator"},"spec":{"installNamespace":"zookeeper-operator-system","packageName":"zookeeper-operator","serviceAccount":{"name":"zookeeper-operator-installer"},"version":"0.17.9"}}
    creationTimestamp: "2024-08-29T17:42:54Z"
    finalizers:
    - olm.operatorframework.io/cleanup-unpack-cache
    generation: 2
    name: zookeeper-operator
    resourceVersion: "1450"
    uid: f1b041a0-7483-4925-bc1b-e4e2d42a9162
  spec:
    catalogSelector: {}
    installNamespace: zookeeper-operator-system
    packageName: zookeeper-operator
    serviceAccount:
      name: zookeeper-operator-installer
    upgradeConstraintPolicy: Enforce
    version: 0.17.9
kind: List
metadata:
  resourceVersion: ""
everettraven commented 2 months ago

This should be resolved by #1119