SDK failure GETting CRDs if no permissions are provided to service account in OpenShift #354

@ppatierno

When deploying and running an operator on OpenShift I came across the following exception.

2021-03-03 17:02:30,510 ERROR [io.qua.run.Application] (main) Failed to start application (with profile prod): io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.30.0.1/apis/apiextensions.k8s.io/v1/customresourcedefinitions/my-resources.my-resource.ppatierno.io. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. customresourcedefinitions.apiextensions.k8s.io "my-resources.my-resource.ppatierno.io" is forbidden: User "system:serviceaccount:my-namespace:my-operator" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope.
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:570)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:507)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:474)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:435)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:402)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:384)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:925)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.getMandatory(BaseOperation.java:220)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:186)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:85)
	at io.javaoperatorsdk.operator.Operator.register(Operator.java:97)
	at io.javaoperatorsdk.operator.Operator.register(Operator.java:54)
	at java.base/java.util.Iterator.forEachRemaining(Iterator.java:133)
	at java.base/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
	at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:658)
	at io.javaoperatorsdk.quarkus.extension.OperatorProducer.operator(OperatorProducer.java:24)
	at io.javaoperatorsdk.quarkus.extension.OperatorProducer_ProducerMethod_operator_a8440c868181d0f10deca15fb7a236e1362600c2_Bean.create(OperatorProducer_ProducerMethod_operator_a8440c868181d0f10deca15fb7a236e1362600c2_Bean.zig:334)
	at io.javaoperatorsdk.quarkus.extension.OperatorProducer_ProducerMethod_operator_a8440c868181d0f10deca15fb7a236e1362600c2_Bean.create(OperatorProducer_ProducerMethod_operator_a8440c868181d0f10deca15fb7a236e1362600c2_Bean.zig:349)
	at io.quarkus.arc.impl.AbstractSharedContext.createInstanceHandle(AbstractSharedContext.java:96)
	at io.quarkus.arc.impl.AbstractSharedContext.access$000(AbstractSharedContext.java:14)
	at io.quarkus.arc.impl.AbstractSharedContext$1.get(AbstractSharedContext.java:29)
	at io.quarkus.arc.impl.AbstractSharedContext$1.get(AbstractSharedContext.java:26)
	at io.quarkus.arc.impl.LazyValue.get(LazyValue.java:26)
	at io.quarkus.arc.impl.ComputingCache.computeIfAbsent(ComputingCache.java:69)
	at io.quarkus.arc.impl.AbstractSharedContext.get(AbstractSharedContext.java:26)
	at io.javaoperatorsdk.quarkus.extension.OperatorProducer_ProducerMethod_operator_a8440c868181d0f10deca15fb7a236e1362600c2_Bean.get(OperatorProducer_ProducerMethod_operator_a8440c868181d0f10deca15fb7a236e1362600c2_Bean.zig:381)
	at io.javaoperatorsdk.quarkus.extension.OperatorProducer_ProducerMethod_operator_a8440c868181d0f10deca15fb7a236e1362600c2_Bean.get(OperatorProducer_ProducerMethod_operator_a8440c868181d0f10deca15fb7a236e1362600c2_Bean.zig:397)
	at org.bf2.operator.KasFleetShardOperator_Bean.create(KasFleetShardOperator_Bean.zig:281)
	at org.bf2.operator.KasFleetShardOperator_Bean.create(KasFleetShardOperator_Bean.zig:321)
	at io.quarkus.arc.impl.AbstractSharedContext.createInstanceHandle(AbstractSharedContext.java:96)
	at io.quarkus.arc.impl.AbstractSharedContext.access$000(AbstractSharedContext.java:14)
	at io.quarkus.arc.impl.AbstractSharedContext$1.get(AbstractSharedContext.java:29)
	at io.quarkus.arc.impl.AbstractSharedContext$1.get(AbstractSharedContext.java:26)
	at io.quarkus.arc.impl.LazyValue.get(LazyValue.java:26)
	at io.quarkus.arc.impl.ComputingCache.computeIfAbsent(ComputingCache.java:69)
	at io.quarkus.arc.impl.AbstractSharedContext.get(AbstractSharedContext.java:26)
	at io.quarkus.arc.impl.ClientProxies.getApplicationScopedDelegate(ClientProxies.java:17)
	at org.bf2.operator.KasFleetShardOperator_ClientProxy.arc$delegate(KasFleetShardOperator_ClientProxy.zig:67)
	at org.bf2.operator.KasFleetShardOperator_ClientProxy.run(KasFleetShardOperator_ClientProxy.zig:126)
	at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:119)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:66)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:42)
	at org.bf2.operator.Main.main(Main.java:10)

In order to solve this, I needed to add permissions to the service account to get/list/watch CRDs.
Why is that needed by the SDK? I would say that an operator should not have this kind of permission in its Role/ClusterRole.
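For reference, the narrowest RBAC grant that satisfies the lookup in the stack trace, as an added example that is not part of the issue or of the java-operator-sdk project. The trace shows a GET of one named CRD (`BaseOperation.getMandatory`), and `get` is a verb that Kubernetes RBAC can restrict with `resourceNames`, so the grant can be pinned to that single CRD instead of covering every CRD in the cluster. CRDs are cluster-scoped, which is why a ClusterRole and ClusterRoleBinding are needed rather than a namespaced Role. The service account and namespace come from the error message on the page; the ClusterRole and binding names are made up here.

```yaml
# Added example (not from the issue or the SDK project). Least-privilege
# grant for the CRD GET-by-name that Operator.register performs.
# Names of the ClusterRole and ClusterRoleBinding are hypothetical;
# the CRD, service account and namespace are taken from the error on the page.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-operator-crd-reader   # hypothetical name
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    # resourceNames restricts 'get' to this one CRD. It would not restrict
    # 'list' or 'watch' unless the client also sends a metadata.name field
    # selector, so those verbs are deliberately left out here.
    resourceNames: ["my-resources.my-resource.ppatierno.io"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-operator-crd-reader   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-operator-crd-reader
subjects:
  - kind: ServiceAccount
    name: my-operator           # from the "system:serviceaccount:..." in the error
    namespace: my-namespace     # from the "system:serviceaccount:..." in the error
```

Before rolling the operator out, the effective permission can be checked from the service account's point of view with `kubectl auth can-i get customresourcedefinitions.apiextensions.k8s.io/my-resources.my-resource.ppatierno.io --as=system:serviceaccount:my-namespace:my-operator`, which should answer `yes` for this CRD and `no` for any other CRD name. The broader `get/list/watch` grant mentioned above works too, but it lets the service account read the definition of every CRD in the cluster; if the SDK only needs to confirm its own CRD exists, the scoped `get` is the smaller blast radius.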
