operator-framework/oria-operator

Oria-Operator does not have proper RBAC in its manifests when deploying it on a cluster

everettraven opened this issue · 0 comments

Description of the Issue

When attempting to run the Oria-Operator on the cluster, it fails to properly reconcile when a ScopeInstance is created, due to a lack of RBAC in the manifests created when running `make deploy`.

Steps to Reproduce the Issue

  1. Create a KinD cluster
     ```
     kind create cluster
     ```
  2. Add the following line to the Dockerfile:
     ```
     # Copy the go source
     ...
     # Add this line:
     COPY util/ util/
     ```
  3. Build the image for the oria-operator
     ```
     make docker-build IMG=bpalmer/oria-operator:test
     ```
  4. Load the image on the KinD cluster
     ```
     kind load docker-image bpalmer/oria-operator:test
     ```
  5. Deploy the oria-operator on cluster
     ```
     make deploy IMG=bpalmer/oria-operator:test
     ```
  6. Create a ScopeTemplate and ScopeInstance
     ```
     kubectl apply -f config/samples/operators_v1_scopetemplate.yaml && \
     kubectl apply -f config/samples/operators_v1_scopeinstance.yaml
     ```
  7. Check logs
     ```
     kubectl -n scoped-operator-system logs <pod-name>
     ```

The logs contain:

```
E0912 19:40:03.544746       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.24.4/tools/cache/reflector.go:167: Failed to watch *v1.RoleBinding: failed to list *v1.RoleBinding: rolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:scope-operator-system:scope-operator-controller-manager" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
E0912 19:40:13.663714       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.24.4/tools/cache/reflector.go:167: Failed to watch *v1.ClusterRole: failed to list *v1.ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:scope-operator-system:scope-operator-controller-manager" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
```

Potential Solution

It seems like the Kubebuilder RBAC annotations for ClusterRoles and (Cluster)RoleBindings are missing, so they aren't generated as part of the manifests.

We can add the appropriate annotations here:
https://github.com/awgreene/oria-operator/blob/9594791bb669df7572f353346ffd85ee0460bfc7/controllers/scopeinstance_controller.go#L64-L66

and here:
https://github.com/awgreene/oria-operator/blob/9594791bb669df7572f353346ffd85ee0460bfc7/controllers/scopetemplate_controller.go#L56-L58
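
An added example, not part of the original issue or the project's code: a small Go helper (the name `MissingRBACMarkers` is hypothetical) that reads "forbidden" lines like the ones above and prints the Kubebuilder RBAC markers they imply. It emits only the verbs the log shows were denied, plus `watch` when the failure came from an informer, so any further verbs the controllers need (for example to create these objects) would have to be added deliberately.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample input: the two reflector errors from the issue, shortened to the parts the parser reads.
const sampleLogs = `E0912 19:40:03.544746 1 reflector.go:138] Failed to watch *v1.RoleBinding: failed to list *v1.RoleBinding: rolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:scope-operator-system:scope-operator-controller-manager" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
E0912 19:40:13.663714 1 reflector.go:138] Failed to watch *v1.ClusterRole: failed to list *v1.ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:scope-operator-system:scope-operator-controller-manager" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope`

// Matches the denial text the Kubernetes API server returns for an RBAC failure.
var forbidden = regexp.MustCompile(`cannot (\w+) resource "([^"]+)" in API group "([^"]*)"`)

// MissingRBACMarkers (hypothetical helper) returns one marker per denied
// group/resource pair, carrying only the verbs evidenced by the log lines.
func MissingRBACMarkers(logs string) []string {
	perms := map[string]map[string]bool{} // "group,resources=name" -> set of verbs
	for _, line := range strings.Split(logs, "\n") {
		m := forbidden.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		group := m[3]
		if group == "" {
			group = "core" // controller-gen accepts "core" for the empty API group
		}
		key := group + ",resources=" + m[2]
		if perms[key] == nil {
			perms[key] = map[string]bool{}
		}
		perms[key][m[1]] = true
		if strings.Contains(line, "Failed to watch") {
			perms[key]["watch"] = true // an informer lists first, then watches
		}
	}
	var out []string
	for key, set := range perms {
		verbs := make([]string, 0, len(set))
		for v := range set {
			verbs = append(verbs, v)
		}
		sort.Strings(verbs)
		out = append(out, "//+kubebuilder:rbac:groups="+key+",verbs="+strings.Join(verbs, ";"))
	}
	sort.Strings(out)
	return out
}

func main() { fmt.Println(strings.Join(MissingRBACMarkers(sampleLogs), "\n")) }
```

The printed markers go above the relevant `Reconcile` function; the manifests then need to be regenerated before `make deploy` picks up the new rules.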