RBAC issues when porting to SDK 1.x


Jean-Frederic Clere

Oct 13, 2021, 4:36:03 AM
to Operator Framework

Hi,

I have:
// +kubebuilder:rbac:groups="apps",resources=deployments,verbs=create;get;list;delete;watch;update;patch
The config/rbac/role.yaml looks OK and I have applied it.
But my operator (ported from an old SDK version) gives the following:
+++
2021-10-13T07:38:51.016Z    ERROR    controller-runtime.manager.controller.webserver    Reconciler error    {"reconciler group": "webservers.web.servers.org", "reconciler kind": "WebServer", "name": "tomcatdemo", "namespace": "default", "error": "deployments.apps \"tomcat-demo\" is forbidden: User \"system:serviceaccount:jws-operator-system:jws-operator-controller-manager\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"default\""}
+++

I have noted that old rbac file is creating a role and the new a ClusterRole, I guess I missed something.

Any hints?

Cheers

Jean-Frederic

Jean-Frederic Clere

Oct 13, 2021, 5:11:23 AM
to Operator Framework
hints redoing:
fixes the problems.

Sorry for the noise.

Camila Macedo

Oct 13, 2021, 5:32:58 AM
to Jean-Frederic Clere, Operator Framework
Hi Jean-Frederic, 

Following some comments inline which I hope help you out. Also, could you please provide some additional info to see if we can help you out?

> I have:
> // +kubebuilder:rbac:groups="apps",resources=deployments,verbs=create;get;list;delete;watch;update;patch
> The config/rbac/role.yaml looks OK and I have applied it.

Note that to update config/rbac/role.yaml after changing the markers, run make manifests.


> 2021-10-13T07:38:51.016Z    ERROR    controller-runtime.manager.controller.webserver    Reconciler error    {"reconciler group": "webservers.web.servers.org", "reconciler kind": "WebServer", "name": "tomcatdemo", "namespace": "default", "error": "deployments.apps \"tomcat-demo\" is forbidden: User \"system:serviceaccount:jws-operator-system:jws-operator-controller-manager\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"default\""}

How are you deploying the project?

Because if you follow up the steps provided you would use e.g.:

make manifests docker-build docker-push IMG=example.com/memcached-operator:v0.0.1
make deploy IMG=example.com/memcached-operator:v0.0.1

Then, your project would be deployed in a namespace created for your Operator, where the default configuration scaffolded for you should work. If I am not wrong, that would be `<your project name>-system` and not `default`, as we can check in the logs provided.

Also, see that you have the namespace option for the markers as well:
namespace (string): specifies the scope of the Rule. If not set, the Rule belongs to the generated ClusterRole. If set, the Rule belongs to a Role, whose namespace is specified by this field.

>  I have noted that old rbac file is creating a role and the new a ClusterRole, I guess I missed something.
If the above information is not enough to solve your problem, could you please try to provide:
  • What was the previous version used and what is the current SDK version that you are using to migrate your project? 
  • Have you been following up on the tutorial shared above? 
  • What are the steps performed to reproduce your scenario? Are you able to share a link for your code?
  • WDYT about raising an issue in the SDK repo providing all the info?
Cheers, 

CAMILA MACEDO

SR. SOFTWARE ENGINEER 

RED HAT Operator framework

Red Hat UK

She / Her / Hers

IM: cmacedo
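To make the Role/ClusterRole scope point above concrete, here is a small stand-alone Go model of the RBAC decision. It is an illustration added to this thread, not operator-sdk, controller-runtime or Kubernetes code: the `PolicyRule`, `Binding` and `Request` types, the convention that an empty `Binding.Namespace` stands for a ClusterRoleBinding, and the simplified marker parser are all constructions for the example, while the marker line, the service-account name and the request are taken from the messages above. It grants the same rule three ways and checks the request from the log line against each: a Role bound in the operator's own namespace (denied, with exactly the error text from the log), a ClusterRole with a ClusterRoleBinding (the layout `make deploy` installs from the default config/rbac scaffold; allowed), and a ClusterRole bound by a RoleBinding in the CR's namespace (allowed there only).

```go
package main

import (
	"fmt"
	"strings"
)

// Added illustration for this thread (not operator-sdk, controller-runtime or Kubernetes
// code): just enough of Kubernetes RBAC to show how a rule's scope decides the log-line request.
// PolicyRule carries the fields a kubebuilder rbac marker sets.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// Binding grants rules to a subject. Convention of this model: Namespace == "" is a
// ClusterRoleBinding (rules apply in every namespace); a non-empty Namespace is a RoleBinding
// there, whether it binds a Role or a ClusterRole (rules apply only in that namespace).
type Binding struct {
	Subject, Namespace string
	Rules              []PolicyRule
}

// Request is one authorization check in the API server's terms.
type Request struct{ User, Verb, APIGroup, Resource, Namespace string }

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == "*" || x == v {
			return true
		}
	}
	return false
}

// Authorize is deny-by-default, as RBAC is: allowed only if a binding for the user covers the
// namespace and one of its rules covers verb, API group and resource. There are no deny rules.
func Authorize(bindings []Binding, req Request) bool {
	for _, b := range bindings {
		if b.Subject != req.User || (b.Namespace != "" && b.Namespace != req.Namespace) {
			continue
		}
		for _, r := range b.Rules {
			if contains(r.APIGroups, req.APIGroup) && contains(r.Resources, req.Resource) && contains(r.Verbs, req.Verb) {
				return true
			}
		}
	}
	return false
}

// ForbiddenMessage renders a denial in the shape of the log line in the thread.
func ForbiddenMessage(req Request, name string) string {
	return fmt.Sprintf("%s.%s %q is forbidden: User %q cannot %s resource %q in API group %q in the namespace %q",
		req.Resource, req.APIGroup, name, req.User, req.Verb, req.Resource, req.APIGroup, req.Namespace)
}

// MarkerRule reads groups/resources/verbs from a kubebuilder rbac marker. Simplified parser:
// comma-separated key=value pairs, semicolon-separated values, optional double quotes
// (groups="" is the core group); other keys, including namespace, are ignored. A string
// without the marker prefix yields an empty rule, which grants nothing.
func MarkerRule(marker string) PolicyRule {
	var rule PolicyRule
	_, body, _ := strings.Cut(marker, "+kubebuilder:rbac:")
	for _, kv := range strings.Split(body, ",") {
		key, val, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		var values []string
		for _, v := range strings.Split(val, ";") {
			values = append(values, strings.Trim(v, `"`))
		}
		switch strings.TrimSpace(key) {
		case "groups":
			rule.APIGroups = values
		case "resources":
			rule.Resources = values
		case "verbs":
			rule.Verbs = values
		}
	}
	return rule
}

// Marker and LogRequest are copied from the marker line and the log line in the thread.
const Marker = `// +kubebuilder:rbac:groups="apps",resources=deployments,verbs=create;get;list;delete;watch;update;patch`
var LogRequest = Request{User: "system:serviceaccount:jws-operator-system:jws-operator-controller-manager",
	Verb: "update", APIGroup: "apps", Resource: "deployments", Namespace: "default"}

func main() {
	rule, sa := MarkerRule(Marker), LogRequest.User
	for name, b := range map[string]Binding{
		"Role bound in jws-operator-system":    {Subject: sa, Namespace: "jws-operator-system", Rules: []PolicyRule{rule}},
		"ClusterRole + ClusterRoleBinding":     {Subject: sa, Rules: []PolicyRule{rule}},
		"ClusterRole + RoleBinding in default": {Subject: sa, Namespace: "default", Rules: []PolicyRule{rule}},
	} {
		verdict := "allowed"
		if !Authorize([]Binding{b}, LogRequest) {
			verdict = ForbiddenMessage(LogRequest, "tomcat-demo")
		}
		fmt.Printf("%-38s %s\n", name, verdict)
	}
}
```

Run it with `go run .`; map iteration order varies, so the three lines may come out in any order. The point for porting: a rule generated into a namespaced Role only reaches the namespace it is bound in, so a CR in `default` needs either cluster-wide scope or a binding in `default`, and the least-privilege choice is the narrowest of those that still covers the namespaces where the CRs live.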






Jean-frederic Clere

Oct 13, 2021, 5:59:18 AM
to Camila Macedo, Operator Framework
On 13/10/2021 11:32, Camila Macedo wrote:
> Hi Jean-Frederic,
>
> Following some comments inline which I hope help you out. Also, could you please provide some additional info to see if we can help you out?
>
> > I have:
> > // +kubebuilder:rbac:groups="apps",resources=deployments,verbs=create;get;list;delete;watch;update;patch
> > The config/rbac/role.yaml looks OK and I have applied it.
>
> Note that to update config/rbac/role.yaml after changing the markers, run make manifests.
>
> > 2021-10-13T07:38:51.016Z    ERROR    controller-runtime.manager.controller.webserver    Reconciler error    {"reconciler group": "webservers.web.servers.org", "reconciler kind": "WebServer", "name": "tomcatdemo", "namespace": "default", "error": "deployments.apps \"tomcat-demo\" is forbidden: User \"system:serviceaccount:jws-operator-system:jws-operator-controller-manager\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"default\""}
>
> How are you deploying the project?
>
> Because if you follow up the steps provided you would use e.g.:
>
> make manifests docker-build docker-push IMG=example.com/memcached-operator:v0.0.1
> make deploy IMG=example.com/memcached-operator:v0.0.1
>
> Then, your project would be deployed in a namespace created for your Operator, where the default configuration scaffolded for you should work. If I am not wrong, that would be `<your project name>-system` and not `default`, as we can check in the logs provided.
>
> Also, see that you have the namespace option for the markers as well:
> namespace (string): specifies the scope of the Rule. If not set, the Rule belongs to the generated ClusterRole. If set, the Rule belongs to a Role, whose namespace is specified by this field.
>
> > I have noted that old rbac file is creating a role and the new a ClusterRole, I guess I missed something.
> If the above information is not enough to solve your problem,

Yes, that was enough; the basic features of the operator are working, thanks.

I have 2 remaining questions:

1 - the operator is doing:
err := r.Client.Get(context.TODO(), types.NamespacedName{Name: resourceName, Namespace: resourceNamespace}, resource)

to check if a resource exists; should I use the ctx I have in `func (r *WebServerReconciler) Reconcile(ctx context.Context, ...)` instead?

2 - SetupWithManager() does have an Owns(), but the old code has a bunch of Watch() calls (1); I am not sure how to handle that.

See (1) https://github.com/web-servers/jws-operator/blob/1.1.x/pkg/controller/webserver/webserver_controller.go#L77

--
Cheers Jean-Frederic

Camila Macedo

Oct 13, 2021, 6:17:26 AM
to Jean-frederic Clere, Operator Framework
Hi Jean-frederic, 

That is great news. I am happy that the info provided helped you move forward. See:

You can check an example to get the resources in the sample. You have the context in the reconciliation. See: 
https://github.com/operator-framework/operator-sdk/blob/master/testdata/go/v3/memcached-operator/controllers/memcached_controller.go#L79-L81. Also, please feel free to check: https://pkg.go.dev/context

I believe that the answer to your question about the watches is here: https://sdk.operatorframework.io/docs/building-operators/golang/migration/#controllers 

In our example, the Watch implemented for the Deployment will be replaced with Owns(&appsv1.Deployment{}). Setting up controller Watches is simplified in more recent versions of controller-runtime, which has controller Builder helpers to handle more of the details.


I hope that helps.

Cheers, 

CAMILA MACEDO

SR. SOFTWARE ENGINEER 

RED HAT Operator framework

Red Hat UK

She / Her / Hers

IM: cmacedo
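On question 1 (passing the reconcile `ctx` instead of `context.TODO()`), here is an added stand-alone Go illustration of what the ported code loses; it is not controller-runtime or jws-operator code. `FakeClient`, `ObjectKey`, `Exists`, `ExistsWithTODO` and the latencies are constructed for the example; what carries over is the shape: the real `client.Get` also takes `ctx` as its first argument and also aborts the round trip when that context ends, and the real code separates "not found" from other errors with `IsNotFound` from `k8s.io/apimachinery/pkg/api/errors` rather than the `ErrNotFound` sentinel used here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Added illustration for this thread, not controller-runtime code. FakeClient stands in for
// r.Client: like the real client it stops waiting on the API server as soon as ctx is done.
var ErrNotFound = errors.New("not found")

type ObjectKey struct{ Namespace, Name string }

type FakeClient struct {
	Latency time.Duration // constructed: how long the pretend API round trip takes
	Store   map[ObjectKey]string
}

// Get returns the object or ErrNotFound, or ctx.Err() if ctx ends before the round trip does.
func (c *FakeClient) Get(ctx context.Context, key ObjectKey) (string, error) {
	select {
	case <-time.After(c.Latency):
	case <-ctx.Done():
		return "", ctx.Err()
	}
	if v, ok := c.Store[key]; ok {
		return v, nil
	}
	return "", ErrNotFound
}

// Exists is the "does the resource already exist" check from the thread, with the not-found
// case kept apart from real errors. Treating a cancelled or timed-out Get as "absent" would
// make the reconciler try to create an object that may well exist.
func Exists(ctx context.Context, c *FakeClient, key ObjectKey) (bool, error) {
	_, err := c.Get(ctx, key)
	switch {
	case err == nil:
		return true, nil
	case errors.Is(err, ErrNotFound):
		return false, nil
	default:
		return false, err // cancellation, deadline or transport error: surface it, do not guess
	}
}

// ExistsWithTODO is the ported code's pattern: context.TODO() is never cancelled, so a manager
// shutdown or a reconcile deadline is invisible to the call and it waits the full latency.
func ExistsWithTODO(ctx context.Context, c *FakeClient, key ObjectKey) (bool, error) {
	return Exists(context.TODO(), c, key)
}

func main() {
	c := &FakeClient{Latency: 200 * time.Millisecond, Store: map[ObjectKey]string{{"default", "tomcat-demo"}: "Deployment"}}
	key := ObjectKey{"default", "tomcat-demo"}
	// The manager gives Reconcile a ctx; here it carries a short deadline to stand in for a shutdown.
	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Millisecond)
	defer cancel()

	start := time.Now()
	_, err := Exists(ctx, c, key)
	fmt.Printf("reconcile ctx:  err=%v after %v\n", err, time.Since(start).Round(time.Millisecond))

	start = time.Now()
	ok, err := ExistsWithTODO(ctx, c, key)
	fmt.Printf("context.TODO(): exists=%v err=%v after %v\n", ok, err, time.Since(start).Round(time.Millisecond))
}
```

In the real controller the fix is the one the thread arrives at: pass the `ctx` parameter of `Reconcile(ctx, req)` into `r.Client.Get(ctx, ...)`, and when the returned error is not a not-found error, return it (optionally with requeue) instead of deciding the object is missing.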



