ClusterRole missing on 1.4.1
aldato opened this issue · 3 comments
Describe the bug
We're currently deploying the new NGINX Ingress Operator version, 1.4.1, and are experiencing some errors related to ClusterRole and ClusterRoleBinding. We're creating the NginxIngress instance named nginx-ingress-controller and we're using the defaults on rbac.create.
We've the nginx-ingress-controller-controller pod from the nginx-ingress namespace in a CrashLoopBackOff status with the following error on the logs:
F0519 09:42:29.268648 1 main.go:249] Error when getting IngressClass nginx: ingressclasses.networking.k8s.io "nginx" is forbidden: User "system:serviceaccount:nginx-ingress:nginx-ingress" cannot get resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "nginx-ingress-controller" not found
If we check the ClusterRoleBinding nginx-ingress-controller for the SA system:serviceaccount:nginx-ingress:nginx-ingress we find that it's referencing a ClusterRole that doesn't exist, nginx-ingress-controller:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    meta.helm.sh/release-name: nginx-ingress-controller
    meta.helm.sh/release-namespace: nginx-ingress
  creationTimestamp: "2023-05-19T07:08:00Z"
  labels:
    app.kubernetes.io/instance: nginx-ingress-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/version: 3.1.1
    helm.sh/chart: nginx-ingress-0.17.1
  name: nginx-ingress-controller
  resourceVersion: "20078"
  uid: 30d03045-246b-401f-9b8c-43db1cd8cc55
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-controller
subjects:
- kind: ServiceAccount
  name: nginx-ingress
  namespace: nginx-ingress
$ kubectl get clusterrole | grep nginx
nginx-ingress-operator-metrics-reader 2023-05-19T06:50:55Z
nginx-ingress-operator-nginx-ingress-admin 2023-05-19T06:50:55Z
nginx-ingress-operator.v1.4.1-6c6cf598bc 2023-05-19T06:50:57Z
nginx-ingress-operator.v1.4.1-nginx-ingress-operator-69455d59c7 2023-05-19T06:50:56Z
nginxingresses.charts.nginx.org-v1alpha1-admin 2023-05-19T06:51:18Z
nginxingresses.charts.nginx.org-v1alpha1-crdview 2023-05-19T06:51:18Z
nginxingresses.charts.nginx.org-v1alpha1-edit 2023-05-19T06:51:18Z
nginxingresses.charts.nginx.org-v1alpha1-view 2023-05-19T06:51:18Z
It seems that there have been some changes in this PR-102 related to RBAC templates for the ClusterRole that could be causing this behavior.
To Reproduce
Steps to reproduce the behavior:
- Deploy the latest version of the operator, 1.4.1.
- Create a NginxIngress instance.
- The nginx-ingress-controller-controller pod should be in a CrashLoopBackOff due to ClusterRole missing.
Expected behavior
The nginx-ingress-controller-controller pod should be properly running after installing the operator. No manual RBAC change should be made.
Your environment
- Version of the NGINX Ingress Operator: 1.4.1
- Version of the Ingress Controller: 3.1.1
- Kubernetes version: 1.25.5
- Kubernetes platform: AKS
- Using NGINX or NGINX Plus: NGINX
@lucacome could you help understand if this patch will be backported to 1.4.1 version or if a new release would be created? What is the expected timeline for the new release?
@bhavikbhavsar I'm working on releasing v1.4.2 with the fix ASAP
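
The condition reported in this issue, a ClusterRoleBinding whose roleRef names a ClusterRole that does not exist, can be checked for across a whole cluster. The following is an added example, not part of the issue thread or the operator's code; it assumes input in the shape of `kubectl get clusterrolebindings,clusterroles -o json`, and the embedded sample (including the `metrics-reader-binding` binding and its `monitoring` group) is constructed.

```python
import json
import sys

# Constructed sample in the shape of
# `kubectl get clusterrolebindings,clusterroles -o json`, trimmed to the fields
# the check reads. The first binding mirrors the issue; the second is made up.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "nginx-ingress-controller"},
  "roleRef": {"kind": "ClusterRole", "name": "nginx-ingress-controller"},
  "subjects": [{"kind": "ServiceAccount", "name": "nginx-ingress",
                "namespace": "nginx-ingress"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "metrics-reader-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "nginx-ingress-operator-metrics-reader"},
  "subjects": [{"kind": "Group", "name": "monitoring"}]},
 {"kind": "ClusterRole", "metadata": {"name": "nginx-ingress-operator-metrics-reader"}}
]}
""")


def subject_name(subject):
    """Render a subject the way the API server names it in RBAC errors."""
    if subject.get("kind") == "ServiceAccount":
        return "system:serviceaccount:%s:%s" % (subject.get("namespace"), subject["name"])
    return subject["name"]


def dangling_bindings(resource_list):
    """List ClusterRoleBindings whose roleRef names a ClusterRole that is absent."""
    items = resource_list.get("items", [])
    roles = {i["metadata"]["name"] for i in items if i.get("kind") == "ClusterRole"}
    findings = []
    for item in items:
        ref = item.get("roleRef", {})
        if item.get("kind") != "ClusterRoleBinding" or ref.get("kind") != "ClusterRole":
            continue
        if ref.get("name") not in roles:
            findings.append({
                "binding": item["metadata"]["name"],
                "missing_role": ref.get("name"),
                # `subjects` may be omitted or null on a binding
                "subjects": [subject_name(s) for s in item.get("subjects") or []],
            })
    return findings


if __name__ == "__main__":
    # Pass a file holding the kubectl JSON output, or run with no argument for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in dangling_bindings(data):
        print("%(binding)s -> missing ClusterRole %(missing_role)s, subjects: %(subjects)s" % f)
```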