redhat-cop / namespace-configuration-operator

The namespace-configuration-operator helps keep configurations related to Users, Groups and Namespaces aligned with one or more policies specified as CRs.
Apache License 2.0

Error ClusterRoleBinding creation #4

Closed. ndox closed this issue 5 years ago

ndox commented 5 years ago

Might be a small ClusterRoleBinding missing-field issue, but I didn't quickly find the fix.

openshift v3.11.43 kubernetes v1.11.0+d4cacc0

[root@bastion namespace-configuration-operator]# oc apply -f deploy
clusterrole.authorization.openshift.io/namespace-configuration-operator created
deployment.apps/namespace-configuration-operator created
role.rbac.authorization.k8s.io/namespace-configuration-operator created
rolebinding.rbac.authorization.k8s.io/namespace-configuration-operator created
serviceaccount/namespace-configuration-operator created
The ClusterRoleBinding "namespace-configuration-operator" is invalid: subjects[0].namespace: Required value

ndox commented 5 years ago

Then I got:

[bastion namespace-configuration-operator]# oc logs -f namespace-configuration-operator-6ffc5f4d46-4jz9r
E0514 14:53:48.912786       1 reflector.go:134] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1alpha1.NamespaceConfig: namespaceconfigs.redhatcop.redhat.io is forbidden: User "system:serviceaccount:namespace-configuration-operator:namespace-configuration-operator" cannot list namespaceconfigs.redhatcop.redhat.io in the namespace "namespace-configuration-operator": no RBAC policy matched

ndox commented 5 years ago

It seems that adding a namespace for the SA does the job in deploy/rolebinding.yaml:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-configuration-operator
  namespace: namespace-configuration-operator
subjects:
- kind: ServiceAccount
  name: namespace-configuration-operator
  namespace: namespace-configuration-operator
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io

But I still have the error in the pod logs, and labeling a new project with a tee-shirt size didn't work.

raffaelespazzoli commented 5 years ago

@ndox you shouldn't have to modify the cluster role binding. Try with the following command: oc apply -f deploy -n namespace-configuration-operator

can you also share the pod logs where you see the error?

ndox commented 5 years ago

@raffaelespazzoli: Maybe I'm doing something wrong. Here is what I'm doing:

I started a fresh new lab, but I still have the first issue with your new command:

[root@bastion namespace-configuration-operator]# oc apply -f deploy -n namespace-configuration-operator
deployment.apps/namespace-configuration-operator created
role.rbac.authorization.k8s.io/namespace-configuration-operator created
rolebinding.rbac.authorization.k8s.io/namespace-configuration-operator created
serviceaccount/namespace-configuration-operator created
The ClusterRoleBinding "namespace-configuration-operator" is invalid: subjects[0].namespace: Required value

What I'm doing:

git clone https://github.com/redhat-cop/namespace-configuration-operator.git
oc apply -f deploy/crds/redhatcop_v1alpha1_namespaceconfig_crd.yaml
oc new-project namespace-configuration-operator
oc apply -f deploy -n namespace-configuration-operator

# change image to yours:
oc edit deployment/namespace-configuration-operator
image: quay.io/redhat-cop/namespace-configuration-operator:latest

oc logs namespace-configuration-operator-6ffc5f4d46-jk5rt | less
{"level":"info","ts":1557912760.229605,"logger":"cmd","msg":"Go Version: go1.11"}
{"level":"info","ts":1557912760.2301075,"logger":"cmd","msg":"Go OS/Arch: linux/amd64"}
{"level":"info","ts":1557912760.2301164,"logger":"cmd","msg":"Version of operator-sdk: v0.7.0+git"}
{"level":"info","ts":1557912760.2303276,"logger":"leader","msg":"Trying to become the leader."}
{"level":"info","ts":1557912760.2952354,"logger":"leader","msg":"No pre-existing lock was found."}
{"level":"info","ts":1557912760.2999184,"logger":"leader","msg":"Became the leader."}
{"level":"info","ts":1557912760.33724,"logger":"cmd","msg":"Registering Components."}
{"level":"info","ts":1557912760.3379586,"logger":"kubebuilder.controller","msg":"Starting EventSource","controller":"namespaceconfig-controller","source":"kind source: /, Kind="}
{"level":"info","ts":1557912760.3381546,"logger":"kubebuilder.controller","msg":"Starting EventSource","controller":"namespaceconfig-controller","source":"kind source: /, Kind="}
{"level":"info","ts":1557912760.3837676,"logger":"cmd","msg":"failed to create or get service for metrics: services \"namespace-configuration-operator\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched, <nil>"}
{"level":"info","ts":1557912760.3837993,"logger":"cmd","msg":"Starting the Cmd."}
E0515 09:32:40.385842       1 reflector.go:134] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:namespace-configuration-operator:namespace-configuration-operator" cannot list namespaces at the cluster scope: no RBAC policy matched

# If I try to modify role_binding and delete the pod, I get the same error message for the pod:
# hack the role_binding.yaml file as said previously (adding namespace to avoid the error):
oc apply -f deploy/role_binding.yaml
clusterrolebinding.rbac.authorization.k8s.io/namespace-configuration-operator created
rolebinding.rbac.authorization.k8s.io/namespace-configuration-operator unchanged

oc delete pod namespace-configuration-operator-6ffc5f4d46-jk5rt

oc logs namespace-configuration-operator-6ffc5f4d46-wjr8l | less
{"level":"info","ts":1557913277.5107226,"logger":"cmd","msg":"Go Version: go1.11"}
{"level":"info","ts":1557913277.5107718,"logger":"cmd","msg":"Go OS/Arch: linux/amd64"}
{"level":"info","ts":1557913277.5107834,"logger":"cmd","msg":"Version of operator-sdk: v0.7.0+git"}
{"level":"info","ts":1557913277.5109851,"logger":"leader","msg":"Trying to become the leader."}
{"level":"info","ts":1557913277.573164,"logger":"leader","msg":"No pre-existing lock was found."}
{"level":"info","ts":1557913277.5762987,"logger":"leader","msg":"Became the leader."}
{"level":"info","ts":1557913277.6118069,"logger":"cmd","msg":"Registering Components."}
{"level":"info","ts":1557913277.6123421,"logger":"kubebuilder.controller","msg":"Starting EventSource","controller":"namespaceconfig-controller","source":"kind source: /, Kind="}
{"level":"info","ts":1557913277.6129034,"logger":"kubebuilder.controller","msg":"Starting EventSource","controller":"namespaceconfig-controller","source":"kind source: /, Kind="}
{"level":"info","ts":1557913277.657814,"logger":"cmd","msg":"failed to create or get service for metrics: services \"namespace-configuration-operator\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched, <nil>"}
{"level":"info","ts":1557913277.6578422,"logger":"cmd","msg":"Starting the Cmd."}
E0515 09:41:17.659914       1 reflector.go:134] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1alpha1.NamespaceConfig: namespaceconfigs.redhatcop.redhat.io is forbidden: User "system:serviceaccount:namespace-configuration-operator:namespace-configuration-operator" cannot list namespaceconfigs.redhatcop.redhat.io in the namespace "namespace-configuration-operator": no RBAC policy matched

raffaelespazzoli commented 5 years ago

@ndox https://github.com/redhat-cop/namespace-configuration-operator/pull/6 should fix the issue. While the PR is being merged, here is what you need:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-configuration-operator
subjects:
- kind: ServiceAccount
  name: namespace-configuration-operator
  namespace: namespace-configuration-operator
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

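
The two things that went wrong in this thread, a ServiceAccount subject with no namespace (rejected by the API server with "subjects[0].namespace: Required value") and a binding that ends up granting cluster-admin, are both easy to lint before running oc apply. The following is an added example, not code from the namespace-configuration-operator project or from the PR linked above. It assumes each manifest has already been loaded into a Python dict (for instance with yaml.safe_load on deploy/role_binding.yaml, or from `oc get clusterrolebinding -o json`); the sample documents are constructed for the example, and the roleRef value in the "missing namespace" sample is an assumption, since the original file is not shown in the thread.

```python
"""Lint RBAC binding manifests for the problems discussed in this issue.

Added example, not project code. Assumes manifests are already parsed into
dicts; the sample documents at the bottom are constructed for illustration.
"""
from typing import Any, Dict, List

Manifest = Dict[str, Any]


def lint_binding(doc: Manifest) -> List[str]:
    """Return human-readable findings for a RoleBinding or ClusterRoleBinding.

    Documents of any other kind yield no findings, so the function can be
    mapped over every manifest in a deploy/ directory.
    """
    kind = doc.get("kind")
    if kind not in ("RoleBinding", "ClusterRoleBinding"):
        return []

    findings: List[str] = []
    meta = doc.get("metadata") or {}
    name = meta.get("name", "<unnamed>")
    subjects = doc.get("subjects") or []

    # 1. The API server rejects a ServiceAccount subject that has no namespace
    #    ("subjects[N].namespace: Required value"). `oc apply -n <ns>` sets the
    #    namespace of the namespaced objects it creates, not this field, which
    #    is why the -n flag alone did not cure the error in the thread.
    for i, subject in enumerate(subjects):
        if subject.get("kind") == "ServiceAccount" and not subject.get("namespace"):
            findings.append(
                f"{kind}/{name}: subjects[{i}].namespace is required for a ServiceAccount subject"
            )

    # 2. A ClusterRoleBinding is cluster-scoped; a metadata.namespace on it has
    #    no effect, so flag it as a likely copy-paste leftover.
    if kind == "ClusterRoleBinding" and meta.get("namespace"):
        findings.append(
            f"{kind}/{name}: metadata.namespace has no effect on a cluster-scoped binding"
        )

    # 3. Binding a workload service account to cluster-admin is the broadest
    #    grant possible; surface it so a reviewer can decide whether a
    #    narrower ClusterRole (namespaces + the operator's own CRD) would do.
    role_ref = doc.get("roleRef") or {}
    if kind == "ClusterRoleBinding" and role_ref.get("name") == "cluster-admin":
        who = ", ".join(f"{s.get('kind')}/{s.get('name')}" for s in subjects)
        findings.append(
            f"{kind}/{name}: grants cluster-admin cluster-wide to {who}; review scope"
        )
    return findings


def lint_manifests(docs: List[Manifest]) -> List[str]:
    """Flatten findings over a list of parsed manifests."""
    return [finding for doc in docs for finding in lint_binding(doc)]


# Constructed sample: the shape that reproduces the error message in the
# thread (no namespace on the ServiceAccount subject). roleRef is assumed.
MISSING_NAMESPACE: Manifest = {
    "kind": "ClusterRoleBinding",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "namespace-configuration-operator"},
    "subjects": [{"kind": "ServiceAccount", "name": "namespace-configuration-operator"}],
    "roleRef": {"kind": "ClusterRole", "name": "admin", "apiGroup": "rbac.authorization.k8s.io"},
}

# Constructed sample mirroring the binding posted as the interim fix.
FIXED: Manifest = {
    "kind": "ClusterRoleBinding",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "namespace-configuration-operator"},
    "subjects": [
        {
            "kind": "ServiceAccount",
            "name": "namespace-configuration-operator",
            "namespace": "namespace-configuration-operator",
        }
    ],
    "roleRef": {
        "kind": "ClusterRole",
        "name": "cluster-admin",
        "apiGroup": "rbac.authorization.k8s.io",
    },
}

if __name__ == "__main__":
    for line in lint_manifests([MISSING_NAMESPACE, FIXED]):
        print(line)
```

Two caveats worth knowing when applying the fix by hand: roleRef on a RoleBinding or ClusterRoleBinding is immutable, so moving an existing binding from admin to cluster-admin means deleting and recreating it rather than re-applying; and the reflector errors in the logs ("cannot list namespaces at the cluster scope", "cannot list namespaceconfigs...") name exactly the verbs and resources a purpose-built ClusterRole would need if cluster-admin is more than the environment is comfortable granting.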
ndox commented 5 years ago

@raffaelespazzoli: I confirm it works well now. Many thanks for your help!