  1. Keycloak
  2. KEYCLOAK-12915

Missing rights for the Operator on ClusterScope


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Done
    • None
    • 9.0.0
    • Container - Operator
    • None

    Description

      Hi guys,

      As requested, I've created this ticket for you guys. So that's my old description of the merge request:

      We tried to test the Keycloak-operator on cluster level. Therefore, as documented within the code, we changed the WATCH_NAMESPACE variable to be empty.

              env:
              - name: WATCH_NAMESPACE
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.name
      

      which resulted in the following errors:

      E0131 14:02:51.608725       1 reflector.go:125] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1.PodMonitor: podmonitors.monitoring.coreos.com is forbidden: User "system:serviceaccount:keycloak:keycloak-operator" cannot list resource "podmonitors" in API group "monitoring.coreos.com" at the cluster scope
      E0131 14:02:51.609971       1 reflector.go:125] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1alpha1.KeycloakUser: keycloakusers.keycloak.org is forbidden: User "system:serviceaccount:keycloak:keycloak-operator" cannot list resource "keycloakusers" in API group "keycloak.org" at the cluster scope
      E0131 14:02:52.586968       1 reflector.go:125] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1alpha1.KeycloakClient: keycloakclients.keycloak.org is forbidden: User "system:serviceaccount:keycloak:keycloak-operator" cannot list resource "keycloakclients" in API group "keycloak.org" at the cluster scope
      

      Extending the ClusterRole as needed fixed that. Furthermore, after playing with the Operator, I also found out that we need rights for podmonitors as well.
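
Each denial message above names the subject, verb, resource and API group that were refused, which is enough to derive narrowly scoped ClusterRole rules instead of granting wildcards. The Python script below is an added example, not part of the original report or of the Keycloak operator; the function name, the constructed sample lines and the pairing of `list` with `watch` are assumptions.

```python
import re
from collections import defaultdict

# Matches only cluster-scope denials; namespaced ones end with 'in the namespace "..."'.
DENIED = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" at the cluster scope'
)

def missing_cluster_rules(log_text, user, informer=True):
    """Return minimal ClusterRole rules covering cluster-scope denials for `user`.

    Assumption: with informer=True every denied "list" is paired with "watch",
    because a reflector lists before it watches, so the watch denial would only
    appear after list has been granted.
    """
    verbs_by_resource = defaultdict(set)
    for m in DENIED.finditer(log_text):
        if m["user"] != user:
            continue  # never widen a role because of another subject's denial
        verbs = verbs_by_resource[(m["group"], m["resource"])]
        verbs.add(m["verb"])
        if informer and m["verb"] == "list":
            verbs.add("watch")
    # Merge resources that share an API group and verb set into one rule.
    merged = defaultdict(list)
    for (group, resource), verbs in verbs_by_resource.items():
        merged[(group, tuple(sorted(verbs)))].append(resource)
    return [
        {"apiGroups": [group], "resources": sorted(resources), "verbs": list(verbs)}
        for (group, verbs), resources in sorted(merged.items())
    ]

# Constructed sample input modelled on the three denials in the report.
SA = "system:serviceaccount:keycloak:keycloak-operator"
LINE = ('E0131 14:02:51.608725 1 reflector.go:125] Failed to list: {r}.{g} is forbidden: '
        'User "{u}" cannot list resource "{r}" in API group "{g}" {scope}')
SAMPLE_LOG = "\n".join([
    LINE.format(u=SA, r="podmonitors", g="monitoring.coreos.com", scope="at the cluster scope"),
    LINE.format(u=SA, r="keycloakusers", g="keycloak.org", scope="at the cluster scope"),
    LINE.format(u=SA, r="keycloakclients", g="keycloak.org", scope="at the cluster scope"),
    # Constructed extras that must be ignored: a namespaced denial and another subject.
    LINE.format(u=SA, r="keycloaks", g="keycloak.org", scope='in the namespace "keycloak"'),
    LINE.format(u="system:serviceaccount:default:other", r="keycloakrealms",
                g="keycloak.org", scope="at the cluster scope"),
])

if __name__ == "__main__":
    for rule in missing_cluster_rules(SAMPLE_LOG, SA):
        print(rule)
```

The returned dictionaries use the same keys as the `rules` entries of a ClusterRole, so they can be compared directly against the role bound to the operator's service account.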

          People

            slaskawi@redhat.com Sebastian Łaskawiec
            roberth1988 Robert Hoppe (Inactive)