Canary CRD is not registered canaries.flagger.app is forbidden
joedborg opened this issue · 1 comments
joedborg commented
Describe the bug
I've deployed Flagger via Kustomize (https://github.com/fluxcd/flagger/tree/main/kustomize/istio). When I do this, locally, in a Kind cluster, it works fine. When deploying to Azure EKS (K8s version below), I get the following error:
```
{"level":"fatal","ts":"2024-04-04T17:21:04.481Z","caller":"flagger/main.go:400","msg":"Canary CRD is not registered canaries.flagger.app is forbidden: User \"system:serviceaccount:flagger-system:flagger\" cannot list resource \"canaries\" in API group \"flagger.app\" at the cluster scope","stacktrace":"main.verifyCRDs\n\t/workspace/cmd/flagger/main.go:400\nmain.main\n\t/workspace/cmd/flagger/main.go:186\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:271"}
```
The RBAC all seems in place, in the ClusterRole, as expected.
The Canary CRD seems to be happy too:
```
Status:
  Accepted Names:
    Categories:
      all
    Kind:       Canary
    List Kind:  CanaryList
    Plural:     canaries
    Singular:   canary
  Conditions:
    Last Transition Time:  2024-04-04T16:37:39Z
    Message:               no conflicts found
    Reason:                NoConflicts
    Status:                True
    Type:                  NamesAccepted
    Last Transition Time:  2024-04-04T16:37:39Z
    Message:               the initial names have been accepted
    Reason:                InitialNamesAccepted
    Status:                True
    Type:                  Established
  Stored Versions:
    v1beta1
Events:  <none>
```
To Reproduce
Deploy that directory via Kustomize, onto EKS.
Expected behavior
Flagger doesn't crash.
Additional context
- Flagger version: v1.37.0
- Kubernetes version: v1.27.9
- Service Mesh provider: Istio v1.17.1
- Ingress provider: Istio v1.17.1
joedborg commented
Ah, found the issue here. In the istio patch.yaml, the namespace was wrong:
```yaml
subjects:
- kind: ServiceAccount
  name: flagger
  namespace: istio-system
```
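
The mismatch found above can be checked for mechanically. The following is an added example, not part of the issue thread or of Flagger: it scans a cluster dump for role bindings whose ServiceAccount subject does not exist and reports where an account of the same name does. The sample data is constructed; the binding and role names in it are assumptions.

```python
import json

# Constructed sample in the shape of
# `kubectl get clusterrolebindings,rolebindings,serviceaccounts -A -o json`.
# Namespaces mirror the issue; the binding and role names are assumptions.
SAMPLE = json.loads("""
{"items": [
  {"kind": "ServiceAccount",
   "metadata": {"name": "flagger", "namespace": "flagger-system"}},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "flagger"},
   "roleRef": {"kind": "ClusterRole", "name": "flagger"},
   "subjects": [{"kind": "ServiceAccount", "name": "flagger",
                 "namespace": "istio-system"}]}
]}
""")


def dangling_subjects(items):
    """List ServiceAccount subjects that point at an account that does not exist."""
    existing = {(o["metadata"]["namespace"], o["metadata"]["name"])
                for o in items if o["kind"] == "ServiceAccount"}
    findings = []
    for obj in items:
        if obj["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        for subj in obj.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue
            key = (subj.get("namespace"), subj["name"])
            if key in existing:
                continue
            findings.append({
                "binding": obj["metadata"]["name"],
                "subject": "system:serviceaccount:%s:%s" % key,
                # Namespaces where an account of the same name does exist:
                # the likely intended target of the binding.
                "same_name_in": sorted(ns for ns, name in existing
                                       if name == subj["name"]),
            })
    return findings


if __name__ == "__main__":
    for f in dangling_subjects(SAMPLE["items"]):
        print(f)
```

A dangling subject is also a latent grant: whoever later creates a ServiceAccount with that name in the referenced namespace inherits the bound role.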