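---
# Sample OperatorGroup targeting the namespaces we want to watch.
#
# Two OperatorGroup states are recorded in this file, separated by `---`, with
# the operator log lines and `oc` output that were captured for each one kept
# as comments so the file still loads as YAML.
#
# With spec.targetNamespaces set, the operator's service account is denied
# list/watch on pods and imagemanifestvulns in one of the targeted namespaces
# (the "is forbidden" lines below), and no ImageManifestVuln objects appear.
# NOTE(review): those errors are RBAC denials, which points at the namespaced
# permissions for the targeted namespaces rather than at the operator logic;
# dropping targetNamespaces (second document) makes the errors go away, but it
# also widens the operator's watch scope to every namespace in the cluster.
# Confirm whether the per-namespace RBAC is the actual gap before treating the
# all-namespaces scope as the fix, so the narrower scope can be kept.
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  annotations:
    olm.providedAPIs: ImageManifestVuln.v1alpha1.secscan.quay.redhat.com
  # Quoted so the timestamp stays a string and is not re-typed by the parser.
  creationTimestamp: "2023-01-20T20:08:09Z"
  generateName: container-security-operator-
  name: container-security-operator-62qq9
  namespace: container-security-operator
spec:
  targetNamespaces:
    - openshift-apiserver
    - openshift-apiserver-operator
    - openshift-aqua
    - openshift-authentication
    - openshift-authentication-operator
    - openshift-aws-vpce-operator
    - openshift-backplane
    - openshift-backplane-cee
    - openshift-backplane-csa
    - openshift-backplane-cse
    - openshift-backplane-csm
    - openshift-backplane-managed-scripts
    - openshift-backplane-mobb
    - openshift-backplane-srep
    - openshift-backplane-tam
    - openshift-build-test
    - openshift-cloud-controller-manager
    - openshift-cloud-controller-manager-operator
    - openshift-cloud-credential-operator
    - openshift-cloud-network-config-controller
    - openshift-cluster-csi-drivers
    - openshift-cluster-machine-approver
    - openshift-cluster-node-tuning-operator
    - openshift-cluster-samples-operator
    - openshift-cluster-storage-operator
    - openshift-cluster-version
    - openshift-codeready-workspaces
    - openshift-compliance
    - openshift-config
    - openshift-config-managed
    - openshift-config-operator
    - openshift-console
    - openshift-console-operator
    - openshift-console-user-settings
    - openshift-container-security
    - openshift-controller-manager
    - openshift-controller-manager-operator
    - openshift-custom-domains-operator
    - openshift-customer-monitoring
    - openshift-dns
    - openshift-dns-operator
    - openshift-etcd
    - openshift-etcd-operator
    - openshift-file-integrity
    - openshift-host-network
    - openshift-image-registry
    - openshift-infra
    - openshift-ingress
    - openshift-ingress-canary
    - openshift-ingress-operator
    - openshift-insights
    - openshift-kni-infra
    - openshift-kube-apiserver
    - openshift-kube-apiserver-operator
    - openshift-kube-controller-manager
    - openshift-kube-controller-manager-operator
    - openshift-kube-scheduler
    - openshift-kube-scheduler-operator
    - openshift-kube-storage-version-migrator
    - openshift-kube-storage-version-migrator-operator
    - openshift-logging
    - openshift-machine-api
    - openshift-machine-config-operator
    - openshift-managed-upgrade-operator
    - openshift-marketplace
    - openshift-monitoring
    - openshift-multus
    - openshift-must-gather-operator
    - openshift-network-diagnostics
    - openshift-network-operator
    - openshift-node
    - openshift-oauth-apiserver
    - openshift-openstack-infra
    - openshift-operator-lifecycle-manager
    - openshift-operators
    - openshift-operators-redhat
    - openshift-ovirt-infra
    - openshift-route-monitor-operator
    - openshift-scanning
    - openshift-sdn
    - openshift-security
    - openshift-service-ca
    - openshift-service-ca-operator
    - openshift-splunk-forwarder-operator
    - openshift-sre-pruning
    - openshift-strimzi
    - openshift-suricata
    - openshift-user-workload-monitoring
    - openshift-validation-webhook
    - openshift-vsphere-infra
    # The operator's own namespace is included in its own watch list.
    - container-security-operator
  upgradeStrategy: Default

# Errors from operator logs (in commercial we see this on a few other
# namespaces, this test is on CRC, FYI). Every denial below names the same
# service account and the same namespace, "openshift-apiserver":
#
#   E0120 20:11:00.332231 1 reflector.go:138] /remote-source/app/labeller/labeller.go:171: Failed to watch *v1alpha1.ImageManifestVuln: failed to list *v1alpha1.ImageManifestVuln: imagemanifestvulns.secscan.quay.redhat.com is forbidden: User "system:serviceaccount:container-security-operator:container-security-operator" cannot list resource "imagemanifestvulns" in API group "secscan.quay.redhat.com" in the namespace "openshift-apiserver"
#   W0120 20:11:04.847106 1 reflector.go:324] /remote-source/app/labeller/labeller.go:170: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:container-security-operator:container-security-operator" cannot list resource "pods" in API group "" in the namespace "openshift-apiserver"
#   E0120 20:11:04.847142 1 reflector.go:138] /remote-source/app/labeller/labeller.go:170: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:container-security-operator:container-security-operator" cannot list resource "pods" in API group "" in the namespace "openshift-apiserver"
#   W0120 20:11:05.759670 1 reflector.go:324] /remote-source/app/labeller/labeller.go:171: failed to list *v1alpha1.ImageManifestVuln: imagemanifestvulns.secscan.quay.redhat.com is forbidden: User "system:serviceaccount:container-security-operator:container-security-operator" cannot list resource "imagemanifestvulns" in API group "secscan.quay.redhat.com" in the namespace "openshift-apiserver"
#
# No ImageManVulns:
#
#   $ oc get imagemanifestvulns.secscan.quay.redhat.com -A | wc -l
#   0
#
# ==========================================================
---
# Applying new OperatorGroup with spec removed, changing it to look at all
# namespaces -- No errors in new pod logs and ImageManVulns populate.
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  annotations:
    olm.providedAPIs: ImageManifestVuln.v1alpha1.secscan.quay.redhat.com
  generateName: container-security-operator-
  generation: 3
  name: container-security-operator-62qq9
  namespace: container-security-operator
spec:
  upgradeStrategy: Default

# Log check on the new pod. The egrep pattern is case-sensitive: the W lines
# above say "failed to list" (lowercase) and would not match "Failed to list",
# but the E lines ("Failed to watch") do match, so a count of 0 still means no
# watch failures were logged.
#
#   $ oc logs container-security-operator-b7dbf57f5-b4dkt | egrep -c "Failed to watch|Failed to list"
#   0
#   $ oc get imagemanifestvulns.secscan.quay.redhat.com -A | wc -l
#   58
#
# ===========================================================
# After using global version, going back to targetNamespaces works:
#
#   $ oc logs container-security-operator-76b8878997-vzkfw | egrep -c "Failed to watch|Failed to list"
#   0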