-
Notifications
You must be signed in to change notification settings - Fork 345
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User cannot create resource in API group #1302
Comments
Is it similar to https://github.com/syndesisio/syndesis/pull/7976/files ? Syndesis ran into this issue after an update to the operator-sdk |
I suspect this is caused by the prometheus trait. Having a quick look at the Camel K operator roles, it seems the permissions required for the trait to create the Prometheus resources are missing. @orpiske could you precise the command you use to run the integration? |
@astefanutti I have this whenever I try to run an integration with I first noticed this on a demo I am working on. In that case, the full CLI was something like:
|
@orpiske thanks. that confirms it's caused by the prometheus trait. As a work-around, you can amend the |
Awesome. I will give it a try, thanks! |
@astefanutti @orpiske is this still an issue ? |
I think it's been fixed with #1453. |
@lburgazzoli not anymore. I remember applying the work-around that @astefanutti pointed and that did the trick. |
When running an integration on our OpenShift 4.2.9 I got an error stating that the user cannot create resource "servicemonitors" in the the API group "monitoring.coreos.com".
The message is:
{"level":"error","ts":1582651063.927428,"logger":"controller-runtime.controller","msg":"Reconciler error","controller":"integration-controller","request":"camel-k-event-streaming-dev/open-aq-consumer","error":"error executing post actions: error during replace resource: could not create or replace resource open-aq-consumer: servicemonitors.monitoring.coreos.com is forbidden: User \"system:serviceaccount:camel-k-event-streaming-dev:camel-k-operator\" cannot create resource \"servicemonitors\" in API group \"monitoring.coreos.com\" in the namespace \"camel-k-event-streaming-dev\"","errorVerbose":"servicemonitors.monitoring.coreos.com is forbidden: User \"system:serviceaccount:camel-k-event-streaming-dev:camel-k-operator\" cannot create resource \"servicemonitors\" in API group \"monitoring.coreos.com\" in the namespace \"camel-k-event-streaming-dev\"\ncould not create or replace resource open-aq-consumer
The full message is available here.
Despite the message, the integration eventually runs after a long time stuck in the Deployment part.
I have tried working around this issue by increasing the permissions for the operator user with:
oc policy add-role-to-user edit system:serviceaccount:camel-k-event-streaming-dev:camel-k-operator
However that did not help either (and, in fact, made it worse) because the integration now gets completely stuck and the operator seems to enter a loop with the error below:
E0226 09:43:17.083486 1 reflector.go:123] k8s.io/client-go@v12.0.0+incompatible/tools/cache/reflector.go:96: Failed to list *v1.ServiceMonitor: servicemonitors.monitoring.coreos.com is forbidden: User "system:serviceaccount:camel-k-event-streaming-dev:camel-k-operator" cannot list resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "camel-k-event-streaming-dev": RBAC: clusterrole.rbac.authorization.k8s.io "list" not found
The output of my
oc get integrationplatform -o yaml
is available here.The text was updated successfully, but these errors were encountered: