Description of problem:
Log traces of controller-runtime.cache.UnhandledError in openshift/must-gather-operator
Version-Release number of selected component (if applicable):
OpenShift v4.20.0-ec.5
How reproducible:
On an OpenShift 4.20 cluster, install the must-gather-operator from https://github.com/openshift/must-gather-operator/commit/c736eb73689f4884a07774440f6127e8bc5ff8bb
Steps to Reproduce:
1. Follow all steps from HACKING.md in https://github.com/openshift/must-gather-operator/pull/246 2. Once the deployment is created, edit the image with a locally built must-gather-operator image and scale to 1 replica Please ensure to use this RBAC is applied for the operator's service account the https://github.com/openshift/must-gather-operator/blob/master/deploy/02_must-gather-operator.ClusterRole.yaml; locally running the operator does not reproduce the issue as generally local cluster users have full cluster-admin privileges on the kubeadmin.
Actual results:
2025-08-12T20:27:39Z    INFO    Starting Controller    {"controller": "mustgather", "controllerGroup": "managed.openshift.io", "controllerKind": "MustGather"}
2025-08-12T20:27:39Z    INFO    Starting workers    {"controller": "mustgather", "controllerGroup": "managed.openshift.io", "controllerKind": "MustGather", "worker count": 1}
2025-08-12T20:27:39Z    INFO    mustgather-controller    Reconciling MustGather    {"Request.Namespace": "must-gather-operator", "Request.Name": "mg"}
2025-08-12T20:27:39Z    DEBUG    k8sutil    Found namespace    {"Namespace": "must-gather-operator"}
2025-08-12T20:27:39Z    ERROR    controller-runtime.cache.UnhandledError    Failed to watch    {"reflector": "sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:114", "type": "*v1.ClusterVersion", "error": "clusterversions.config.openshift.io is forbidden: User \"system:serviceaccount:must-gather-operator:must-gather-operator\" cannot watch resource \"clusterversions\" in API group \"config.openshift.io\" at the cluster scope"}
k8s.io/apimachinery/pkg/util/runtime.logError
    src/github.com/openshift/must-gather-operator/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:226
k8s.io/apimachinery/pkg/util/runtime.handleError
    src/github.com/openshift/must-gather-operator/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:217
k8s.io/apimachinery/pkg/util/runtime.HandleErrorWithContext
    src/github.com/openshift/must-gather-operator/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:203
k8s.io/client-go/tools/cache.DefaultWatchErrorHandler
    src/github.com/openshift/must-gather-operator/vendor/k8s.io/client-go/tools/cache/reflector.go:200
k8s.io/client-go/tools/cache.(*Reflector).RunWithContext.func1
    src/github.com/openshift/must-gather-operator/vendor/k8s.io/client-go/tools/cache/reflector.go:360
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
    src/github.com/openshift/must-gather-operator/vendor/k8s.io/apimachinery/pkg/util/wait/backoff.go:233
k8s.io/apimachinery/pkg/util/wait.BackoffUntilWithContext.func1
    src/github.com/openshift/must-gather-operator/vendor/k8s.io/apimachinery/pkg/util/wait/backoff.go:255
k8s.io/apimachinery/pkg/util/wait.BackoffUntilWithContext
    src/github.com/openshift/must-gather-operator/vendor/k8s.io/apimachinery/pkg/util/wait/backoff.go:256
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
    src/github.com/openshift/must-gather-operator/vendor/k8s.io/apimachinery/pkg/util/wait/backoff.go:233
k8s.io/client-go/tools/cache.(*Reflector).RunWithContext
    src/github.com/openshift/must-gather-operator/vendor/k8s.io/client-go/tools/cache/reflector.go:358
k8s.io/client-go/tools/cache.(*controller).RunWithContext.(*Group).StartWithContext.func3
    src/github.com/openshift/must-gather-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:63
k8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1
    src/github.com/openshift/must-gather-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:72
2025-08-12T20:27:39Z    INFO    mustgather-controller    MustGather Job pods are still running    {"Request.Namespace": "must-gather-operator", "Request.Name": "mg"}    
Expected results:
The UnhandledError should not be present.
Additional info:
Operator pod log attached.
- is duplicated by
- 
                    MG-65 The ClusterRole missing permissions for the clusterversions -         
- Closed
 
-