[Bug]: failed to list v1.IngressClass is forbidden
tcpecheanu opened this issue · 1 comments
tcpecheanu commented
What happened?
When trying to recreate a jaeger instance I'm getting the following error in the operator:
2024-04-03T05:50:34Z INFO cleaning orphaned deployments.
W0403 05:50:39.050014 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:operators:jaeger-operator" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
E0403 05:50:39.050062 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: Failed to watch *v1.IngressClass: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:operators:jaeger-operator" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
I have already enabled RBAC and service account creation.
Steps to reproduce
- Remove the Jaeger instance
- Try to re-add it
Expected behavior
Recreate the Jaeger instance without doing any manual change.
Relevant log output
2024-04-03T05:47:19Z INFO cleaning orphaned deployments.
W0403 05:47:23.410275 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:operators:jaeger-operator" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
E0403 05:47:23.410316 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: Failed to watch *v1.IngressClass: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:operators:jaeger-operator" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
Screenshot
No response
Additional context
The fix is very simple: just add the ingressclasses resource access to the jaeger-operator clusterrole under networking.k8s.io, like below:
```yaml
- verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  apiGroups:
    - networking.k8s.io
  resources:
    - ingresses
    - ingressclasses
```
Jaeger backend version
v1.55.0
SDK
No response
Pipeline
No response
Storage backend
Elasticsearch v8.12.0
Operating system
Linux
Deployment model
Kubernetes v1.27.8
Deployment configs
jaeger-operator-values.yaml
```yaml
image:
  repository: jaegertracing/jaeger-operator
  tag: 1.55.0
  pullPolicy: IfNotPresent
crd:
  install: true
rbac:
  create: true
  pspEnabled: false
  clusterRole: true
serviceAccount:
  create: true
resources:
  limits:
    cpu: 200m
    memory: 256Mi
  requests:
    cpu: 100m
    memory: 128Mi
```
jaeger-instance.yaml
```yaml
apiVersion: jaegertracing.io/v1
kind: Jaeger
metadata:
  name: jaeger
spec:
  strategy: production
  storage:
    type: elasticsearch
    options:
      es:
        server-urls: {{ .Values.elasticsearch.url }}
        index-prefix: {{ .Values.prefix }}
    secretName: jaeger-es-secret
    esIndexCleaner:
      enabled: true
      numberOfDays: 7
      schedule: "55 23 * * *"
    dependencies:
      enabled: false
  collector:
    replicas: 2
    resources:
      requests:
        memory: 2Gi
        cpu: 2
      limits:
        memory: 4Gi
        cpu: 4
  query:
    replicas: 2
```
alex1989hu commented
Related: #544 (comment)