
Restricted (minimal) RBAC permission cannot watch and list secrets in Keda namespace in Keda-operator #641

Closed
mrkiani98 opened this issue May 21, 2024 · 1 comment · Fixed by #643
Labels
bug Something isn't working

Comments


mrkiani98 commented May 21, 2024

Hi there,

We are currently using the Keda chart v2.13.2 and everything works perfectly. After we upgraded to v2.14.2 we are getting the following error in the component Keda-operator:

E0521 18:16:46.425051       1 reflector.go:147] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
W0521 18:16:50.015001       1 reflector.go:535] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"

Expected Behavior

The Keda-operator would be up and running.

Actual Behavior

The Keda-operator is crashing.

Steps to Reproduce the Problem

  1. Using v2.14.2 of the helm chart
  2. Put the following in the values:
permissions:
  metricServer:
    restrict:
      secret: true
  operator:
    restrict:
      secret: true

Specifications

  • KEDA Version: v2.14 (Keda helm chart v2.14.2)
  • Platform & Version: EKS v1.29
  • Kubernetes Version: v1.29
@mrkiani98 mrkiani98 added the bug Something isn't working label May 21, 2024
@mrkiani98 mrkiani98 changed the title restricted (minimal) RBAC permission cannot watch and list secrets in Keda namespace in Keda-operator Restricted (minimal) RBAC permission cannot watch and list secrets in Keda namespace in Keda-operator May 21, 2024

malmor commented May 24, 2024

We started seeing that issue as well after upgrading to v2.14.2 (from v2.13.2).

We are using watchNamespace to restrict keda to a single application namespace that contains the ScaledObject resources. As a "workaround" we adjusted that setting to also include the keda namespace - this way the keda-operator service account gets permission to list secrets in the keda namespace.

# Before
watchNamespace: "my-application"

# Workaround
watchNamespace: "my-application,keda"

But we are not setting permissions.operator.restrict.secret - we are using the default value false:

permissions:
  metricServer:
    restrict:
      secret: false
  operator:
    restrict:
      secret: false
      namesAllowList: []

Maybe some default permissions are missing that would resolve both scenarios?
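The following is an added example, not code from this issue or from the KEDA project. It covers both reports above: it parses the RBAC "forbidden" lines quoted in the first post into (service account, verb, resource, API group, namespace) records, checks whether a `watchNamespace` value covers the operator's own namespace (the workaround in the second post), prints the `kubectl auth can-i` command that reproduces the check without restarting the operator, and emits a minimal namespaced Role/RoleBinding that grants only `list` and `watch` on that resource. Assumptions: the `watchNamespace` semantics are taken from the thread (comma-separated list, empty string meaning all namespaces); the generated Role is an illustrative least-privilege grant for diagnosis, not the chart's actual fix from #643; the log sample is constructed from the lines in the report.

```python
import re

# Constructed sample: the two client-go reflector lines quoted in the issue report.
SAMPLE_LOG = """\
E0521 18:16:46.425051       1 reflector.go:147] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
W0521 18:16:50.015001       1 reflector.go:535] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
"""

# Matches the apiserver's RBAC denial message embedded in the reflector error.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)


def parse_forbidden(log_text):
    """Return distinct (user, verb, resource, group, namespace) tuples from denial lines."""
    found = []
    for line in log_text.splitlines():
        m = FORBIDDEN_RE.search(line)
        if m:
            rec = (m["user"], m["verb"], m["resource"], m["group"], m["namespace"])
            if rec not in found:
                found.append(rec)
    return found


def service_account_parts(user):
    """Split 'system:serviceaccount:<ns>:<name>' into (ns, name)."""
    prefix = "system:serviceaccount:"
    if not user.startswith(prefix):
        raise ValueError(f"not a service account user: {user}")
    ns, name = user[len(prefix):].split(":", 1)
    return ns, name


def namespace_is_watched(watch_namespace, operator_namespace):
    """Assumed watchNamespace semantics: comma-separated list; empty means all namespaces."""
    if watch_namespace.strip() == "":
        return True
    watched = {n.strip() for n in watch_namespace.split(",") if n.strip()}
    return operator_namespace in watched


def can_i_command(record):
    """kubectl command that reproduces the denied request by impersonating the service account."""
    user, verb, resource, _group, namespace = record
    return f"kubectl auth can-i {verb} {resource} --namespace {namespace} --as {user}"


def minimal_role_manifest(record, verbs=("list", "watch")):
    """Namespaced Role + RoleBinding granting only the verbs an informer needs on the denied resource.

    A client-go informer lists first and then watches, so the log only shows the first
    failing verb; both are granted here. Illustrative only, not the chart's own fix.
    """
    user, _verb, resource, group, namespace = record
    sa_ns, sa_name = service_account_parts(user)
    verb_lines = "\n".join(f"      - {v}" for v in verbs)
    return f"""\
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {sa_name}-{resource}-reader
  namespace: {namespace}
rules:
  - apiGroups: ["{group}"]
    resources: ["{resource}"]
    verbs:
{verb_lines}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {sa_name}-{resource}-reader
  namespace: {namespace}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {sa_name}-{resource}-reader
subjects:
  - kind: ServiceAccount
    name: {sa_name}
    namespace: {sa_ns}
"""


if __name__ == "__main__":
    for rec in parse_forbidden(SAMPLE_LOG):
        print("denied:", rec)
        print("verify with:", can_i_command(rec))
        sa_ns, _ = service_account_parts(rec[0])
        for wn in ("my-application", "my-application,keda"):
            print(f"watchNamespace={wn!r} covers {sa_ns!r}:", namespace_is_watched(wn, sa_ns))
        print(minimal_role_manifest(rec))
```

The `kubectl auth can-i ... --as` line is the quickest way to confirm whether a chart upgrade changed the effective permissions of the operator's service account, before touching `watchNamespace` or applying any extra Role.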
