operator-framework / operator-controller

A new and improved management framework for extending Kubernetes with Operators
https://operator-framework.github.io/operator-controller/
Apache License 2.0
67 stars 54 forks source link

[Pending verification] No status when lacking cache permissions #1298

Open thetechnick opened 1 month ago

thetechnick commented 1 month ago

If cluster-scoped list & watch permissions are missing for types contained in the bundle image, operator-controller will fail to populate .status. Intenal error also blocks deletion of ClusterExtension CR, due to non-handling of finalizer teardown.

Log example:

W0918 08:58:27.304878       1 reflector.go:561] pkg/mod/k8s.io/client-go@v0.31.0/tools/cache/reflector.go:243: failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User "system:serviceaccount:nginx:nginx-install" cannot list resource "deployments" in API group "apps" at the cluster scope
E0918 08:58:27.304923       1 reflector.go:158] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.31.0/tools/cache/reflector.go:243: Failed to watch apps/v1, Kind=Deployment: failed to list apps/v1, Kind=Deployment: deployments.apps is forbidden: User \"system:serviceaccount:nginx:nginx-install\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope" logger="UnhandledError"
thetechnick commented 1 month ago

Could be fixed with #1282

everettraven commented 1 month ago

Would you mind sharing the "version" you ran? If it was a release on GH, which one? if from main, which commit?

thetechnick commented 1 month ago

@everettraven Should have mentioned that directly in the issue description. Tested with the latest GH release v0.15.0.

everettraven commented 1 month ago

Ah, I think that was cut just before I did a pretty large refactor of our caching logic. Would you mind verifying that you are not seeing this issue if you pull the latest changes from the main branch?

thetechnick commented 1 month ago

Will do o7