AutoscalingRunnerSet controller multiple namespace and RBAC issues

[timansky]

Checks

• I've already read https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors and I'm sure my issue is not covered in the troubleshooting guide.
• I am using charts that are officially provided

Controller Version

0.12.0

Deployment Method

Other

Checks

• This isn't a question or user support case (For Q&A and community support, go to Discussions).
• I've read the Changelog before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes

To Reproduce

1. Deploy controller in namespace1
2. Deploy runner-set in namespace2

Describe the bug

1. Insufficient RBAC for Cross-Namespace Resources

The gha-rs-controller service account (running in namespace ns1) is unable to manage required resources in target namespaces (e.g., ns2). This causes repeated reconciliation errors.

Missing permissions in ClusterRole:

• roles
• rolebindings
• pods
• secrets

Required verbs:

verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

2. Listener Namespace Issue

The controller creates AutoscalingListener objects in its own namespace, ignoring any templated or inferred namespace from the AutoscalingRunnerSet.

Current behavior:
Listener always ends up in the controller’s namespace (e.g., ns1), even when the AutoscalingRunnerSet is deployed in a different namespace.

Describe the expected behavior

1. AutoscalingRunnerSet can be created in different namespace than controllers namespace.
2. Listeners should be created in the same namespace as the corresponding AutoscalingRunnerSet object.

[nikola-jokic]

Hey @timansky,

How did you install the scale set? We officially only support helm.

[nikola-jokic]

Closing this one since we officially support helm, and roles are applied correctly if you install with helm.

[timansky]

ьн ифв, misconfiguration in rbac