redhat-cop / group-sync-operator

Synchronizes groups from external providers into OpenShift
Apache License 2.0

v0.0.22 cannot list ConfigMaps at the cluster scope level #237

Closed GerbenWelter closed 1 year ago

GerbenWelter commented 1 year ago

We were using this operator previously. At least since v0.0.20. Got the broken v0.0.21 update, waited it out until v0.0.22. Now the operator won't start properly:

I1221 10:04:59.428064 1 request.go:601] Waited for 1.019077939s due to client-side throttling, not priority and fairness, request: GET:https://192.168.0.1:443/apis/autoscaling/v2?timeout=32s
1.6716171031868346e+09 INFO controller-runtime.metrics Metrics server is starting to listen {"addr": "127.0.0.1:8080"}
1.671617103187277e+09 INFO setup starting manager
1.671617103188326e+09 INFO Starting server {"path": "/metrics", "kind": "metrics", "addr": "127.0.0.1:8080"}
1.671617103188342e+09 INFO Starting server {"kind": "health probe", "addr": "[::]:8081"}
I1221 10:05:03.188407 1 leaderelection.go:248] attempting to acquire leader lease group-sync-operator/085c249a.redhat.io...
I1221 10:06:17.242354 1 leaderelection.go:258] successfully acquired lease group-sync-operator/085c249a.redhat.io
1.671617177242676e+09 INFO Starting EventSource {"controller": "groupsync", "controllerGroup": "redhatcop.redhat.io", "controllerKind": "GroupSync", "source": "kind source: *v1alpha1.GroupSync"}
1.6716171772427225e+09 INFO Starting Controller {"controller": "groupsync", "controllerGroup": "redhatcop.redhat.io", "controllerKind": "GroupSync"}
1.6716171772425845e+09 DEBUG events Normal {"object": {"kind":"Lease","namespace":"group-sync-operator","name":"085c249a.redhat.io","uid":"0c0eba7c-d15d-4bee-852e-c1a05a39df41","apiVersion":"coordination.k8s.io/v1","resourceVersion":"91156353"}, "reason": "LeaderElection", "message": "group-sync-operator-controller-manager-6fdd78c56-dkccz_a0997b56-cfc3-47d3-812c-1c319593e211 became leader"}
1.6716171773435636e+09 INFO Starting workers {"controller": "groupsync", "controllerGroup": "redhatcop.redhat.io", "controllerKind": "GroupSync", "worker count": 1}
W1221 10:07:45.223950 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:group-sync-operator:controller-manager" cannot list resource "configmaps" in API group "" at the cluster scope
E1221 10:07:45.224021 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:group-sync-operator:controller-manager" cannot list resource "configmaps" in API group "" at the cluster scope
W1221 10:07:46.588119 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:group-sync-operator:controller-manager" cannot list resource "configmaps" in API group "" at the cluster scope
E1221 10:07:46.588177 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:group-sync-operator:controller-manager" cannot list resource "configmaps" in API group "" at the cluster scope
W1221 10:07:48.795120 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:group-sync-operator:controller-manager" cannot list resource "configmaps" in API group "" at the cluster scope
E1221 10:07:48.795160 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:group-sync-operator:controller-manager" cannot list resource "configmaps" in API group "" at the cluster scope

The GroupSync config was unchanged from the working v0.0.20 version. All Secrets and ConfigMaps we reference are in the default Namespace (group-sync-operator). I also don't see why this namespaced operator suddenly needs cluster-wide permissions for ConfigMaps. We see this problem on all clusters, including the one we redeployed today. Reverting to v0.0.20 and disabling the automatic upgrade makes the operator work again.

Clusters are OpenShift 4.10.42 or 4.10.45.

ocpvkb commented 1 year ago

We can confirm the behavior. After updating to version v0.0.22, the same problem occurs.

sabre1041 commented 1 year ago

A change did occur to enable the operator access to resources in other namespaces. However, after some discussions, it was a bit of an overreach and there will be a revert to prior functionality in the next release (will fast track it this week).

  1. Existing functionality prior to 0.0.21 will be re-enabled, where WATCH_NAMESPACE will be defined to the current namespace.
  2. Users can opt into allowing the operator to watch all namespaces by configuring the Subscription resource in the OLM.
  3. Documentation will be updated to account for such changes.

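
As an added example (not code from the operator or from anyone in this thread), the following POSIX shell script parses client-go `forbidden` lines in the format shown above and reports, per denial, which subject lacks which verb on which resource and whether the denial is at cluster scope (the watch is wider than the operator's RBAC, as in this issue) or in a specific namespace (a missing Role/RoleBinding there). The sample log lines, including the extra `secrets` denial, are constructed; `can_i_cmd` only prints the `oc auth can-i` command that reproduces a denial without the operator.

```shell
#!/bin/sh
# Constructed sample of controller logs: two lines copy the ConfigMap denial
# from the issue, the third is an invented namespace-scoped denial for contrast.
SAMPLE_LOG='W1221 10:07:45.223950 1 reflector.go:324] reflector.go:167: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:group-sync-operator:controller-manager" cannot list resource "configmaps" in API group "" at the cluster scope
E1221 10:07:45.224021 1 reflector.go:138] reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:group-sync-operator:controller-manager" cannot list resource "configmaps" in API group "" at the cluster scope
W1221 10:08:01.000000 1 reflector.go:324] reflector.go:167: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:group-sync-operator:controller-manager" cannot list resource "secrets" in API group "" in the namespace "other-team"'

# rbac_denials: read log text on stdin and print one unique line per denial:
#   <subject> <verb> <resource> <scope>
# where <scope> is "cluster" or "namespace:<name>". Repeated list/watch
# retries collapse to a single line via sort -u.
rbac_denials() {
  sed -n -E 's/.*User "([^"]+)" cannot ([a-z]+) resource "([^"]+)" in API group "[^"]*" (at the cluster scope|in the namespace "[^"]+").*/\1 \2 \3 \4/p' \
  | awk '{ if ($4 == "at") s = "cluster"; else { gsub(/"/, "", $NF); s = "namespace:" $NF }; print $1, $2, $3, s }' \
  | sort -u
}

# can_i_cmd SUBJECT VERB RESOURCE SCOPE: print the oc command that checks the
# same permission by impersonating the service account (not executed here).
can_i_cmd() {
  if [ "$4" = cluster ]; then
    echo "oc auth can-i $2 $3 --all-namespaces --as=$1"
  else
    echo "oc auth can-i $2 $3 -n ${4#namespace:} --as=$1"
  fi
}

# remediation: read log text on stdin and say what each denial implies for a
# namespaced operator. A cluster-scope denial means the informer is trying to
# list/watch everywhere; either the watch must be narrowed to the operator's
# own namespace (WATCH_NAMESPACE, as the fix in this thread does) or the
# service account needs a ClusterRole. A namespace-scope denial means a
# Role/RoleBinding is missing in that namespace.
remediation() {
  rbac_denials | while read -r subject verb resource scope; do
    case "$scope" in
      cluster) echo "$subject: '$verb $resource' denied cluster-wide; narrow WATCH_NAMESPACE or grant a ClusterRole. Check: $(can_i_cmd "$subject" "$verb" "$resource" "$scope")" ;;
      namespace:*) echo "$subject: '$verb $resource' denied in ${scope#namespace:}; add a Role/RoleBinding there. Check: $(can_i_cmd "$subject" "$verb" "$resource" "$scope")" ;;
    esac
  done
}

# Run against the constructed sample, e.g.: printf '%s\n' "$SAMPLE_LOG" | remediation
```

To triage a live operator, pipe `oc logs -n group-sync-operator deploy/group-sync-operator-controller-manager` into `remediation` instead of the sample.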
sabre1041 commented 1 year ago

@GerbenWelter @ocpvkb Here is the PR for this fix.

https://github.com/redhat-cop/group-sync-operator/pull/238

Thanks for your patience!