Keycloak / KEYCLOAK-12915

Missing rights for the Operator on ClusterScope

    Details

      Description

      Hi guys,

      as requested, I've created that ticket for you guys. So that's my old description of the merge request:

      We tried to test the Keycloak-operator on cluster level. Therefore, as documented within the code, we changed the WATCH_NAMESPACE variable to be empty.

              env:
              - name: WATCH_NAMESPACE
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.name
      

      which resulted in the following errors.

      E0131 14:02:51.608725       1 reflector.go:125] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1.PodMonitor: podmonitors.monitoring.coreos.com is forbidden: User "system:serviceaccount:keycloak:keycloak-operator" cannot list resource "podmonitors" in API group "monitoring.coreos.com" at the cluster scope
      E0131 14:02:51.609971       1 reflector.go:125] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1alpha1.KeycloakUser: keycloakusers.keycloak.org is forbidden: User "system:serviceaccount:keycloak:keycloak-operator" cannot list resource "keycloakusers" in API group "keycloak.org" at the cluster scope
      E0131 14:02:52.586968       1 reflector.go:125] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1alpha1.KeycloakClient: keycloakclients.keycloak.org is forbidden: User "system:serviceaccount:keycloak:keycloak-operator" cannot list resource "keycloakclients" in API group "keycloak.org" at the cluster scope
      

      Extending the ClusterRole as needed fixed that. Further, after playing with the Operator, I also found out that we also need rights for podmonitors.

            People

            Assignee:
            slaskawi@redhat.com Sebastian Łaskawiec
            Reporter:
            roberth1988 Robert Hoppe (Inactive)
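The following is an added example, not part of the ticket and not code from the Keycloak operator: it parses the cluster-scope "forbidden" reflector errors quoted in the description and derives the smallest set of ClusterRole rules that would cover them for one service account. The function names are hypothetical, the output is derived only from the quoted log lines (it is not the ClusterRole change made in the project), and adding `watch` next to a denied `list` is an assumption based on informers needing both verbs.

```python
import re
from collections import defaultdict

# Log lines copied from the ticket above (timestamp and source location trimmed).
SAMPLE_LOG = """\
Failed to list *v1.PodMonitor: podmonitors.monitoring.coreos.com is forbidden: User "system:serviceaccount:keycloak:keycloak-operator" cannot list resource "podmonitors" in API group "monitoring.coreos.com" at the cluster scope
Failed to list *v1alpha1.KeycloakUser: keycloakusers.keycloak.org is forbidden: User "system:serviceaccount:keycloak:keycloak-operator" cannot list resource "keycloakusers" in API group "keycloak.org" at the cluster scope
Failed to list *v1alpha1.KeycloakClient: keycloakclients.keycloak.org is forbidden: User "system:serviceaccount:keycloak:keycloak-operator" cannot list resource "keycloakclients" in API group "keycloak.org" at the cluster scope
"""

DENIED = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" at the cluster scope'
)

def missing_cluster_rules(log_text, user):
    """Return ClusterRole-style rules covering every cluster-scope denial logged for `user`."""
    denied = defaultdict(lambda: defaultdict(set))  # group -> resource -> verbs
    for m in DENIED.finditer(log_text):
        if m["user"] != user:
            continue  # ignore denials that belong to other identities
        verbs = denied[m["group"]][m["resource"]]
        verbs.add(m["verb"])
        if m["verb"] == "list":
            # Assumption: informers list first and then watch, so a failed
            # list hides the watch denial that would follow; request both.
            verbs.add("watch")
    rules = []
    for group in sorted(denied):
        # Merge resources that need the same verbs into a single rule.
        by_verbs = defaultdict(list)
        for resource in sorted(denied[group]):
            by_verbs[tuple(sorted(denied[group][resource]))].append(resource)
        for verbs, resources in sorted(by_verbs.items()):
            rules.append({"apiGroups": [group], "resources": resources, "verbs": list(verbs)})
    return rules

def render_yaml(rules):
    """Render the rules as the `rules:` section of a ClusterRole manifest."""
    out = ["rules:"]
    for r in rules:
        out.append("- apiGroups: [%s]" % ", ".join('"%s"' % g for g in r["apiGroups"]))
        out.append("  resources: [%s]" % ", ".join(r["resources"]))
        out.append("  verbs: [%s]" % ", ".join(r["verbs"]))
    return "\n".join(out)

if __name__ == "__main__":
    sa = "system:serviceaccount:keycloak:keycloak-operator"
    print(render_yaml(missing_cluster_rules(SAMPLE_LOG, sa)))
```

Deriving rules from observed denials keeps the grant limited to the resources and verbs the operator actually requested, rather than widening the ClusterRole with wildcards.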