nginxinc/nginx-ingress-helm-operator

ClusterRole missing on 1.4.1

aldato opened this issue · 3 comments

aldato commented

Describe the bug

We're currently deploying the new NGINX Ingress Operator version, 1.4.1, and are experiencing some errors related to ClusterRole and ClusterRoleBinding. We're creating the NginxIngress instance named nginx-ingress-controller and we're using the defaults on rbac.create.

We've the nginx-ingress-controller-controller pod from the nginx-ingress namespace in a CrashLoopBackOff status with the following error on the logs:

F0519 09:42:29.268648       1 main.go:249] Error when getting IngressClass nginx: ingressclasses.networking.k8s.io "nginx" is forbidden: User "system:serviceaccount:nginx-ingress:nginx-ingress" cannot get resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "nginx-ingress-controller" not found

If we check the ClusterRoleBinding nginx-ingress-controller for the SA system:serviceaccount:nginx-ingress:nginx-ingress we find that it's referencing a ClusterRole that doesn't exist, nginx-ingress-controller:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    meta.helm.sh/release-name: nginx-ingress-controller
    meta.helm.sh/release-namespace: nginx-ingress
  creationTimestamp: "2023-05-19T07:08:00Z"
  labels:
    app.kubernetes.io/instance: nginx-ingress-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/version: 3.1.1
    helm.sh/chart: nginx-ingress-0.17.1
  name: nginx-ingress-controller
  resourceVersion: "20078"
  uid: 30d03045-246b-401f-9b8c-43db1cd8cc55
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-controller
subjects:
- kind: ServiceAccount
  name: nginx-ingress
  namespace: nginx-ingress

$ kubectl get clusterrole | grep nginx
nginx-ingress-operator-metrics-reader                                           2023-05-19T06:50:55Z
nginx-ingress-operator-nginx-ingress-admin                                      2023-05-19T06:50:55Z
nginx-ingress-operator.v1.4.1-6c6cf598bc                                        2023-05-19T06:50:57Z
nginx-ingress-operator.v1.4.1-nginx-ingress-operator-69455d59c7                 2023-05-19T06:50:56Z
nginxingresses.charts.nginx.org-v1alpha1-admin                                  2023-05-19T06:51:18Z
nginxingresses.charts.nginx.org-v1alpha1-crdview                                2023-05-19T06:51:18Z
nginxingresses.charts.nginx.org-v1alpha1-edit                                   2023-05-19T06:51:18Z
nginxingresses.charts.nginx.org-v1alpha1-view                                   2023-05-19T06:51:18Z

It seems that there have been some changes in this PR-102 related to RBAC templates for the ClusterRole that could be causing this behavior.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy the latest version of the operator, 1.4.1.
  2. Create a NginxIngress instance.
  3. The nginx-ingress-controller-controller pod should be in a CrashLoopBackOff due to ClusterRole missing.

Expected behavior
The nginx-ingress-controller-controller pod should be properly running after installing the operator. No manual RBAC change should be made.

Your environment

  • Version of the NGINX Ingress Operator: 1.4.1
  • Version of the Ingress Controller: 3.1.1
  • Kubernetes version: 1.25.5
  • Kubernetes platform: AKS
  • Using NGINX or NGINX Plus: NGINX
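
The manual check in the report (a binding whose roleRef points at a ClusterRole that does not exist) can be run across a whole cluster; the script below is an added example, not code from the issue or from the operator project, and it also covers namespaced RoleBindings. The sample input is constructed from names in the report; `metrics-reader-binding`, `example-sa` and `example-ns` are made up for illustration.

```python
import json
import sys

# Constructed sample in the shape of
#   kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json
# trimmed to the fields the check reads.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRole", "metadata": {"name": "nginx-ingress-operator-metrics-reader"}},
 {"kind": "ClusterRole", "metadata": {"name": "nginx-ingress-operator-nginx-ingress-admin"}},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "nginx-ingress-controller"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
              "name": "nginx-ingress-controller"},
  "subjects": [{"kind": "ServiceAccount", "name": "nginx-ingress",
                "namespace": "nginx-ingress"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "metrics-reader-binding"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
              "name": "nginx-ingress-operator-metrics-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "example-sa", "namespace": "example-ns"}]}
]}
""")

def dangling_bindings(kube_list):
    """Return one dict per binding whose roleRef names a role that does not exist."""
    items = kube_list.get("items", [])
    # ClusterRoles are cluster-scoped (namespace None); Roles are keyed by namespace.
    existing = {(i["kind"], i["metadata"].get("namespace"), i["metadata"]["name"])
                for i in items if i.get("kind") in ("ClusterRole", "Role")}
    findings = []
    for b in items:
        if b.get("kind") not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ref = b["roleRef"]
        # A RoleBinding to a Role resolves in the binding's own namespace.
        ns = b["metadata"].get("namespace") if ref["kind"] == "Role" else None
        if (ref["kind"], ns, ref["name"]) not in existing:
            findings.append({
                "binding": f'{b["kind"]}/{b["metadata"]["name"]}',
                "missing": f'{ref["kind"]}/{ref["name"]}',
                "subjects": [f'{s["kind"]}:{s.get("namespace", "")}/{s["name"]}'
                             for s in b.get("subjects") or []],
            })
    return findings

if __name__ == "__main__":
    # Pass a file holding real kubectl JSON as argv[1]; with no argument the sample is used.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in dangling_bindings(data):
        print(f'{f["binding"]} -> missing {f["missing"]} (subjects: {", ".join(f["subjects"])})')
```

A dangling binding is worth flagging even when nothing is crashing: whoever later creates a role with the missing name decides what the bound subjects are allowed to do.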

Thanks @aldato I'm about to open a PR to fix this

@lucacome could you help understand if this patch will be backported to the 1.4.1 version or if a new release would be created? What is the expected timeline for the new release?

@bhavikbhavsar I'm working on releasing v1.4.2 with the fix ASAP