Red Hat build of Keycloak: RHBK-3733

keycloak-operator 26.4.0 missing clusterrole permissions [GHI#43096]


      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      No response

      Describe the bug

      Getting this after updating to 26.4.0

      > 2025-09-30 17:50:07,029 WARN [io.jav.ope.pro.eve.EventProcessor] (ReconcilerExecutor-keycloakcontroller-54) Uncaught error during event processing ExecutionScope{ resource id: ResourceID{name='keycloak', namespace='auth'}, version: 22441437} - but another reconciliation will be attempted because a superseding event has been received or another retry attempt is pending.: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.96.0.1:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions/servicemonitors.monitoring.coreos.com. Message: customresourcedefinitions.apiextensions.k8s.io "servicemonitors.monitoring.coreos.com" is forbidden: User "system:serviceaccount:auth:keycloak-operator" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope. Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=apiextensions.k8s.io, kind=customresourcedefinitions, name=servicemonitors.monitoring.coreos.com, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=customresourcedefinitions.apiextensions.k8s.io "servicemonitors.monitoring.coreos.com" is forbidden: User "system:serviceaccount:auth:keycloak-operator" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).

      Editing keycloak-operator-clusterrole to add "list" and "watch" permissions to "customresourcedefinitions" fixes it:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        annotations:
          kubectl.kubernetes.io/last-applied-configuration: |
            {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"keycloak-operator"},"name":"keycloak-operator-clusterrole"},"rules":[{"apiGroups":["apiextensions.k8s.io"],"resources":["customresourcedefinitions"],"verbs":["get"]},{"apiGroups":["config.openshift.io"],"resources":["ingresses"],"verbs":["get"]}]}
        creationTimestamp: "2025-08-18T15:33:03Z"
        labels:
          app.kubernetes.io/name: keycloak-operator
        name: keycloak-operator-clusterrole
        resourceVersion: "22444256"
        uid: 642d0d98-5e09-405d-a897-89c2dc0cfdaa
      rules:
      - apiGroups:
        - apiextensions.k8s.io
        resources:
        - customresourcedefinitions
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - config.openshift.io
        resources:
        - ingresses
        verbs:
        - get


      h3. Version

      26.4.0

      h3. Regression

      [ ] The issue is a regression

      h3. Expected behavior

      Permissions to work w/o patching

      h3. Actual behavior

      Fails with

      > 2025-09-30 17:50:07,029 WARN [io.jav.ope.pro.eve.EventProcessor] (ReconcilerExecutor-keycloakcontroller-54) Uncaught error during event processing ExecutionScope{ resource id: ResourceID{name='keycloak', namespace='auth'}, version: 22441437} - but another reconciliation will be attempted because a superseding event has been received or another retry attempt is pending.: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.96.0.1:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions/servicemonitors.monitoring.coreos.com. Message: customresourcedefinitions.apiextensions.k8s.io "servicemonitors.monitoring.coreos.com" is forbidden: User "system:serviceaccount:auth:keycloak-operator" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope. Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=apiextensions.k8s.io, kind=customresourcedefinitions, name=servicemonitors.monitoring.coreos.com, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=customresourcedefinitions.apiextensions.k8s.io "servicemonitors.monitoring.coreos.com" is forbidden: User "system:serviceaccount:auth:keycloak-operator" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).

      How to Reproduce?

      Installing per https://www.keycloak.org/operator/installation instructions, but into "auth" namespace instead of "keycloak" namespace.

      kubectl create namespace auth
      kubectl -n auth apply -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/26.4.0/kubernetes/kubernetes.yml
      kubectl patch clusterrolebinding keycloak-operator-clusterrole-binding --type='json' -p='[{"op": "replace", "path": "/subjects/0/namespace", "value":"auth"}]'
      

      Anything else?

      No response
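The report above boils down to two RBAC questions: does the ClusterRoleBinding actually name the operator's ServiceAccount in the namespace it was installed into (the reproduction steps move it from "keycloak" to "auth"), and does the ClusterRole grant every verb the operator needs on customresourcedefinitions (the reporter's fix adds "list" and "watch" next to the shipped "get"). The following is an added triage script, not the reporter's code and not part of the Keycloak operator; it parses the apiserver Forbidden message quoted in the report, checks it against constructed copies of the shipped ClusterRole and the patched binding, and emits a minimal JSON patch that grants only the missing verbs. The function names, the in-memory objects and the verb set get/list/watch (taken from the reporter's fix) are assumptions made for the example.

```python
"""Triage a Kubernetes RBAC 403 against an operator's ClusterRole and ClusterRoleBinding.

Added example; not part of the bug report or of the Keycloak operator code base.
The objects below are constructed to match the report: the ClusterRole as shipped
(only "get" on customresourcedefinitions) and the binding after the namespace patch.
"""
import json
import re

# Constructed: the relevant part of the 403 message quoted in the report.
FORBIDDEN_MSG = (
    'customresourcedefinitions.apiextensions.k8s.io "servicemonitors.monitoring.coreos.com" '
    'is forbidden: User "system:serviceaccount:auth:keycloak-operator" cannot get resource '
    '"customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope'
)

# Constructed: the ClusterRole from kubernetes.yml 26.4.0 as pasted in the report, before the fix.
SHIPPED_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "keycloak-operator-clusterrole"},
    "rules": [
        {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["get"]},
        {"apiGroups": ["config.openshift.io"], "resources": ["ingresses"], "verbs": ["get"]},
    ],
}

# Constructed: the ClusterRoleBinding after the namespace patch from the reproduction steps.
PATCHED_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "keycloak-operator-clusterrole-binding"},
    "roleRef": {"kind": "ClusterRole", "name": "keycloak-operator-clusterrole"},
    "subjects": [{"kind": "ServiceAccount", "name": "keycloak-operator", "namespace": "auth"}],
}

# Shape of the apiserver's Forbidden reason for a cluster-scoped resource.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
)


def parse_forbidden(message):
    """Extract user, verb, resource and API group from a Forbidden message, or None."""
    m = FORBIDDEN_RE.search(message)
    return m.groupdict() if m else None


def binding_covers(binding, user):
    """True if a system:serviceaccount:<ns>:<name> user is a subject of the binding."""
    parts = user.split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        return False
    ns, name = parts[2], parts[3]
    return any(
        s.get("kind") == "ServiceAccount" and s.get("name") == name and s.get("namespace") == ns
        for s in binding.get("subjects", [])
    )


def _rule_allows(rule, group, resource, verb):
    """RBAC rule match: each field must list the value or the wildcard '*'."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def missing_verbs(clusterrole, group, resource, wanted):
    """Verbs in `wanted` that no rule of the ClusterRole grants on group/resource."""
    rules = clusterrole.get("rules", [])
    return [v for v in wanted if not any(_rule_allows(r, group, resource, v) for r in rules)]


def json_patch(clusterrole, group, resource, wanted):
    """Minimal RFC 6902 patch that adds only the missing verbs (keeps the grant least-privilege)."""
    missing = missing_verbs(clusterrole, group, resource, wanted)
    if not missing:
        return []
    for i, rule in enumerate(clusterrole.get("rules", [])):
        if group in rule.get("apiGroups", []) and resource in rule.get("resources", []):
            return [{"op": "add", "path": f"/rules/{i}/verbs/-", "value": v} for v in missing]
    return [{"op": "add", "path": "/rules/-",
             "value": {"apiGroups": [group], "resources": [resource], "verbs": missing}}]


def triage(message, clusterrole, binding, wanted=("get", "list", "watch")):
    """Report whether the denied user is bound at all and which verbs the role lacks."""
    denied = parse_forbidden(message)
    if denied is None:
        return {"error": "not a Forbidden message"}
    patch = json_patch(clusterrole, denied["group"], denied["resource"], wanted)
    return {
        "user": denied["user"],
        "bound": binding_covers(binding, denied["user"]),
        "missing": missing_verbs(clusterrole, denied["group"], denied["resource"], wanted),
        "kubectl": (f"kubectl patch clusterrole {clusterrole['metadata']['name']} "
                    f"--type=json -p='{json.dumps(patch)}'") if patch else None,
    }


if __name__ == "__main__":
    print(json.dumps(triage(FORBIDDEN_MSG, SHIPPED_CLUSTERROLE, PATCHED_BINDING), indent=2))
```

Run against the report's objects, the script confirms the patched binding does name system:serviceaccount:auth:keycloak-operator and that the shipped role lacks list and watch on customresourcedefinitions, and prints a kubectl patch that adds exactly those two verbs to the existing rule rather than widening the rule to a wildcard. Two practical caveats: the live permissions can be checked without editing anything via kubectl auth can-i list customresourcedefinitions --as=system:serviceaccount:auth:keycloak-operator, and a ClusterRole patched by hand is reverted the next time the upstream kubernetes.yml (which still carries verbs: [get]) is applied, so the change needs to land in the shipped manifest as the report requests.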

      Assignee: Unassigned
      Reporter: Pavel Vlha (pvlha)
      Keycloak SRE