Description
I'm seeing the following logs from operator-controller-controller-manager after applying config/samples/olm_v1alpha1_clusterextension.yaml.
```
W0830 08:35:24.701403 1 reflector.go:561] pkg/mod/k8s.io/client-go@v0.31.0/tools/cache/reflector.go:243: failed to list apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:argocd:argocd-installer" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
E0830 08:35:24.702206 1 reflector.go:158] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.31.0/tools/cache/reflector.go:243: Failed to watch apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: failed to list apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:argocd:argocd-installer\" cannot list resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope" logger="UnhandledError"
```
Looking at the manifest I see the following:
`operator-controller/config/samples/olm_v1alpha1_clusterextension.yaml`, lines 37 to 48 in 04ee036:

```yaml
- apiGroups: [apiextensions.k8s.io]
  resources: [customresourcedefinitions]
  verbs: [create]
- apiGroups: [apiextensions.k8s.io]
  resources: [customresourcedefinitions]
  verbs: [get, list, watch, update, patch, delete]
  resourceNames:
  - appprojects.argoproj.io
  - argocds.argoproj.io
  - applications.argoproj.io
  - argocdexports.argoproj.io
  - applicationsets.argoproj.io
```
Note that we allow `list` here, but we also restrict by `resourceNames`.
Here is what the documentation says:
> You cannot restrict `create` or `deletecollection` requests by their resource name. For `create`, this limitation is because the name of the new object may not be known at authorization time. If you restrict `list` or `watch` by resourceName, clients must include a `metadata.name` field selector in their `list` or `watch` request that matches the specified resourceName in order to be authorized. For example, `kubectl get configmaps --field-selector=metadata.name=my-configmap`
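As an added illustration (not code from this issue or from the operator-controller project), the Go program below models how the RBAC authorizer evaluates the two rules from the sample manifest under the documented semantics: a `list` or `watch` only carries a resource name when the request has a `metadata.name` field selector, so the informer's unfiltered CRD list is denied even though `list` is among the rule's verbs. It is a simplified model assumed from the documentation quoted above, not the apiserver's own authorizer code.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Rule holds the PolicyRule fields that matter here. Request is what the authorizer sees:
// for list/watch, Name is the metadata.name field selector value, "" for an unfiltered list.
type Rule struct{ APIGroups, Resources, Verbs, ResourceNames []string }
type Request struct{ APIGroup, Resource, Verb, Name string }

// Allowed reports whether any rule authorizes the request; a rule that sets
// resourceNames only matches when the request carries one of those names.
func Allowed(rules []Rule, r Request) bool {
	for _, rule := range rules {
		if !slices.Contains(rule.APIGroups, r.APIGroup) || !slices.Contains(rule.Resources, r.Resource) || !slices.Contains(rule.Verbs, r.Verb) {
			continue
		}
		if len(rule.ResourceNames) == 0 || (r.Name != "" && slices.Contains(rule.ResourceNames, r.Name)) {
			return true
		}
	}
	return false
}

// CRDRequest resolves a CRD request as the apiserver does before authorization (simplified):
// a list/watch pinned to metadata.name=<x> carries Name x, otherwise Name stays "".
func CRDRequest(verb, fieldSelector string) Request {
	r := Request{APIGroup: "apiextensions.k8s.io", Resource: "customresourcedefinitions", Verb: verb}
	for _, part := range strings.Split(fieldSelector, ",") {
		if k, v, ok := strings.Cut(part, "="); ok && strings.TrimSpace(k) == "metadata.name" {
			r.Name = strings.TrimSpace(strings.TrimPrefix(v, "=")) // accept both "=" and "=="
		}
	}
	return r
}

// SampleRules are the two CRD rules from the manifest quoted above.
var SampleRules = []Rule{
	{APIGroups: []string{"apiextensions.k8s.io"}, Resources: []string{"customresourcedefinitions"}, Verbs: []string{"create"}},
	{APIGroups: []string{"apiextensions.k8s.io"}, Resources: []string{"customresourcedefinitions"},
		Verbs:         []string{"get", "list", "watch", "update", "patch", "delete"},
		ResourceNames: []string{"appprojects.argoproj.io", "argocds.argoproj.io", "applications.argoproj.io", "argocdexports.argoproj.io", "applicationsets.argoproj.io"}},
}

func main() {
	fmt.Println(Allowed(SampleRules, CRDRequest("list", "")))                                 // false: the informer's unfiltered list
	fmt.Println(Allowed(SampleRules, CRDRequest("list", "metadata.name=argocds.argoproj.io"))) // true
}
```

On a live cluster the same split shows up with `kubectl auth can-i list customresourcedefinitions --as=system:serviceaccount:argocd:argocd-installer` (denied) versus `kubectl auth can-i list customresourcedefinitions/argocds.argoproj.io --as=system:serviceaccount:argocd:argocd-installer` (allowed).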