Getting error Failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:hpo-operator-system:default" cannot list resource "pods" in API group "" at the cluster scope

Neha Sharma

Mar 25, 2021, 10:00:53 AM
to Operator Framework
Hi All,

I am trying to deploy an image like below:
# export OPERATOR_IMG="quay.io/nilesh_bhosale/hpo-operator:v0.0.5"
# make deploy IMG=$OPERATOR_IMG
/usr/local/go/bin/controller-gen "crd:trivialVersions=true" rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
cd config/manager && /var/lib/snapd/snap/bin/kustomize edit set image controller=quay.io/nilesh_bhosale/hpo-operator:v0.0.5
/var/lib/snapd/snap/bin/kustomize build config/default | kubectl apply -f -
namespace/hpo-operator-system unchanged
customresourcedefinition.apiextensions.k8s.io/hpoapps.scale.ibm.com configured
role.rbac.authorization.k8s.io/hpo-operator-leader-election-role unchanged
clusterrole.rbac.authorization.k8s.io/hpo-operator-manager-role configured
clusterrole.rbac.authorization.k8s.io/hpo-operator-proxy-role unchanged

But in the logs I found the following:
# oc logs hpo-operator-controller-manager-6cf55c85d5-djfrc manager
...
...
2021-03-25T11:11:30.952Z INFO controller Starting EventSource {"reconcilerGroup": "scale.ibm.com", "reconcilerKind": "HPOApp", "controller": "hpoapp", "source": "kind source: /, Kind="}
E0325 11:11:30.955103 1 reflector.go:178] pkg/mod/k8s.io/clie...@v0.18.6/tools/cache/reflector.go:125: Failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:hpo-operator-system:default" cannot list resource "pods" in API group "" at the cluster scope
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
clusterrole.rbac.authorization.k8s.io/hpo-operator-metrics-reader unchanged
rolebinding.rbac.authorization.k8s.io/hpo-operator-leader-election-rolebinding unchanged
clusterrolebinding.rbac.authorization.k8s.io/hpo-operator-manager-rolebinding unchanged
clusterrolebinding.rbac.authorization.k8s.io/hpo-operator-proxy-rolebinding unchanged
service/hpo-operator-controller-manager-metrics-service created
deployment.apps/hpo-operator-controller-manager created.

How to resolve this?
Any help is much appreciated.

Thanks,
Neha

Daniel Messer

Mar 25, 2021, 11:27:00 AM
to Neha Sharma, operator-framework-sdk-dev, Operator Framework
Adding +operator-framework-sdk-dev - but looks like you are missing some RBAC for your Operator. Did you add them to the kustomize templates?

The other thing that I see here is that it uses the default service account in the target namespace. I know that's something that may cause confusion if there are other Operators in that namespace already but it should make RBAC go missing that was requested earlier. Anyway, SDK will likely tackle that so Operators use a specific SA, not default.


--
Daniel Messer

Product Manager Operator Framework & Quay

Red Hat OpenShift

Eric Stroczynski

Mar 25, 2021, 12:30:04 PM
to Daniel Messer, Neha Sharma, operator-framework-sdk-dev, Operator Framework
Agreed, this looks like an RBAC issue. Try adding this line from the Operator SDK testdata to your controller.



--
Eric Stroczynski
Senior Software Engineer
Operator SDK Team
Red Hat Inc. San Francisco Office
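
Added example, not part of the thread and not Operator SDK code: the line Eric linked is not preserved on this page, so this Go program parses the "forbidden" message from the log and derives the narrowest `+kubebuilder:rbac` marker that controller-gen's `rbac:roleName=manager-role` generator would turn into a rule, plus a `kubectl auth can-i` check for the denied identity. The names `Denial`, `ParseDenial`, `Marker` and `CanI` are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
)

// Denial holds the fields of an API server RBAC "forbidden" message.
type Denial struct{ User, Verb, Resource, Group, Namespace string }

var forbiddenRe = regexp.MustCompile(`User "([^"]+)" cannot (\S+) resource "([^"]+)" in API group "([^"]*)" (?:at the cluster scope|in the namespace "([^"]+)")`)

// ParseDenial reads a cluster-scoped or namespaced denial; false when the line holds none.
func ParseDenial(line string) (Denial, bool) {
	m := forbiddenRe.FindStringSubmatch(line)
	if m == nil {
		return Denial{}, false
	}
	return Denial{m[1], m[2], m[3], m[4], m[5]}, true
}

// Marker returns a controller-gen RBAC marker covering only the denied access.
func (d Denial) Marker() string {
	group, verbs := d.Group, d.Verb
	if group == "" {
		group = "core" // controller-gen treats "core" as the empty API group
	}
	if verbs == "list" {
		verbs = "list;watch" // an informer lists once, then watches
	}
	return fmt.Sprintf("// +kubebuilder:rbac:groups=%s,resources=%s,verbs=%s", group, d.Resource, verbs)
}

// CanI returns the kubectl command that re-checks the permission as the same identity.
func (d Denial) CanI() string {
	res, scope := d.Resource, "--all-namespaces"
	if d.Group != "" {
		res += "." + d.Group // kubectl accepts resource.group
	}
	if d.Namespace != "" {
		scope = "-n " + d.Namespace
	}
	return fmt.Sprintf("kubectl auth can-i %s %s --as=%s %s", d.Verb, res, d.User, scope)
}

func main() {
	// Log text from the post above, with the wrap inside "forbidden" rejoined.
	d, _ := ParseDenial(`Failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:hpo-operator-system:default" cannot list resource "pods" in API group "" at the cluster scope`)
	fmt.Println(d.Marker() + "\n" + d.CanI())
}
```

The printed marker goes above the controller's Reconcile method; the next `make deploy` reruns controller-gen and regenerates the manager-role ClusterRole. Because the denied identity here is the namespace's default service account, the ClusterRoleBinding subject has to name that same account for the new rule to take effect.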