v1.14.7 `kafka-controller-post-install` job errors due to incorrect RBAC rules

Question

v1.14.7 `kafka-controller-post-install` job errors due to incorrect RBAC rules

mdwhitley opened this issue 5 months ago · 4 comments

Describe the bug
When deploying the post-install yaml, the kafka-controller-post-install job errors with

failed to list deployments: deployments.apps is forbidden: User \"system:serviceaccount:knative-eventing:knative-kafka-controller-post-install\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope

This prevents the cleanup of old kafka-broker-dispatcher deployments.

The root cause is a missing verb in the ClusterRole rules.

v1.14.7 post-install which doesn't work:

  - apiGroups:
      - "apps"
    resources:
      - "deployments"
    verbs:
      - "delete"
      - "list"

get added to verbs which allows the job to run:

  - apiGroups:
      - "apps"
    resources:
      - "deployments"
    verbs:
      - "get"
      - "delete"
      - "list"

After the fix, the job runs as expected

kafka-controller-post-install-flxck           0/1     Completed                0          19s

Expected behavior
The job should run with defaults provided in the release artifact.

To Reproduce
Use the v1.14.7 post-install job yaml and run on a fresh k8 cluster.

Knative release version
v1.14.7

Additional context

Cali0707 commented 5 months ago

/close

Answer 1 · 2024-07-29T14:13:07.000Z

cc @Cali0707

Answer 2 · 2024-08-12T14:13:39.000Z

Closing as #4016 is merged (not sure why that didn't autoclose this one), thanks for finding this @mdwhitley

Answer 3 · 2024-08-12T14:13:48.000Z

@Cali0707: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.