Keda operator cannot access cluster scoped CRDs with rolebindings when using watchNamespaces (Keda operator crashlooping) #716

Open
fouadsemaan opened this issue Dec 12, 2024 · 0 comments
Labels
bug Something isn't working

Comments


fouadsemaan commented Dec 12, 2024

A new cluster scoped CRD was created with Keda 2.16.0 which requires a ClusterRoleBinding which exists by default when NOT setting watchNamespaces. However, the ClusterRoleBinding is replaced by an instance of a RoleBinding for each namespace enumerated in the watchNamespaces.

Expected Behavior

Keda is able to access all CRD instances including the latest cluster scoped CRD (ClusterCloudEventSource) whether using watchNamespaces or not.

Actual Behavior

Keda is not able to access ClusterCloudEventSource CRs when enabling watchNamespaces.

Steps to Reproduce the Problem

  1. Install the Keda helm chart with a watch namespace: `helm install adpe-keda kedacore/keda --namespace keda --version 2.16.0 --set watchNamespace="myNamespace"`
  2. Observe the Keda operator logs for an error related to accessing ClusterCloudEventSource:

```
"Unhandled Error" err="sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1alpha1.ClusterCloudEventSource: failed to list *v1alpha1.ClusterCloudEventSource: clustercloudeventsources.eventing.keda.sh is forbidden: User \"system:serviceaccount:keda:keda-operator\" cannot list resource \"clustercloudeventsources\" in API group \"eventing.keda.sh\" at the cluster scope" logger="UnhandledError"
```

  3. The Keda operator crashloops.
  4. The error goes away when adding a separate ClusterRole/ClusterRoleBinding to access ClusterCloudEventSource CRs:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: keda-operator-fouad
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: keda-operator-fouad
subjects:
- kind: ServiceAccount
  name: keda-operator
  namespace: keda
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: keda-operator-fouad
rules:
- apiGroups:
  - eventing.keda.sh
  resources:
  - clustercloudeventsources
  - clustercloudeventsources/status
  verbs:
  - get
  - list
  - patch
  - update
  - watch
```

This is unrelated to the more secure RBAC change and has more to do with not using the ClusterRoleBinding when enabling watchNamespaces.

Specifications

  • KEDA Version: 2.16.0
  • Platform & Version: Please elaborate
  • Kubernetes Version: > 1.27
  • Scaler(s): Please elaborate
@fouadsemaan fouadsemaan added the bug Something isn't working label Dec 12, 2024
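The RBAC mechanics behind this report, as an added example that is not part of the issue or of the KEDA project: in Kubernetes a RoleBinding may reference a ClusterRole, but it only grants that ClusterRole's rules inside the binding's own namespace, while a cluster-scoped resource such as clustercloudeventsources is always listed at cluster scope, which only a ClusterRoleBinding can grant. The script below resolves a ServiceAccount's effective permissions from RBAC objects shaped like `kubectl get ... -o json` items. The input is constructed for illustration: the ClusterRole name `keda-operator` and its `scaledobjects` rule are assumptions, not the chart's real contents; the `keda-operator-fouad` objects are the workaround from the issue body, as data. Aggregated ClusterRoles are not expanded.

```python
"""Static check for the failure mode in this issue: a ServiceAccount bound to a
ClusterRole only through namespaced RoleBindings can use its rules in those
namespaces, but not at cluster scope. Objects are dicts shaped like
`kubectl get ... -o json` items. aggregationRule is not expanded (assumption)."""


def _subject_matches(subject, sa_ns, sa_name):
    """True if a binding subject covers the ServiceAccount, directly or via the
    implicit groups every ServiceAccount belongs to."""
    kind = subject.get("kind")
    if kind == "ServiceAccount":
        return subject.get("name") == sa_name and subject.get("namespace") == sa_ns
    if kind == "Group":
        return subject.get("name") in {
            "system:serviceaccounts", "system:serviceaccounts:" + sa_ns, "system:authenticated"}
    return False


def _rule_allows(rule, api_group, resource, verb):
    """PolicyRule match honouring '*' wildcards (resourceNames ignored)."""
    def hit(field, want):
        values = rule.get(field, [])
        return "*" in values or want in values
    return hit("apiGroups", api_group) and hit("resources", resource) and hit("verbs", verb)


def _bindings_for(objects, sa_ns, sa_name, kind, namespace=None):
    """Yield bindings of the given kind (optionally in one namespace) naming the SA."""
    for obj in objects:
        if obj["kind"] != kind:
            continue
        if namespace is not None and obj["metadata"].get("namespace") != namespace:
            continue
        if any(_subject_matches(s, sa_ns, sa_name) for s in obj.get("subjects", [])):
            yield obj


def _role_rules(objects, role_ref, namespace=None):
    """Resolve a roleRef to its rules; a dangling reference grants nothing."""
    for obj in objects:
        if obj["kind"] != role_ref["kind"] or obj["metadata"]["name"] != role_ref["name"]:
            continue
        if role_ref["kind"] == "Role" and obj["metadata"].get("namespace") != namespace:
            continue
        return obj.get("rules", [])
    return []


def cluster_scope_allowed(objects, sa_ns, sa_name, api_group, resource, verb):
    """Only ClusterRoleBinding -> ClusterRole confers cluster-scope access."""
    for binding in _bindings_for(objects, sa_ns, sa_name, "ClusterRoleBinding"):
        if binding["roleRef"]["kind"] != "ClusterRole":
            continue
        rules = _role_rules(objects, binding["roleRef"])
        if any(_rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False


def namespace_allowed(objects, namespace, sa_ns, sa_name, api_group, resource, verb):
    """Namespaced access = cluster-scope grants + RoleBindings in that namespace,
    each of which may reference a Role there or any ClusterRole."""
    if cluster_scope_allowed(objects, sa_ns, sa_name, api_group, resource, verb):
        return True
    for binding in _bindings_for(objects, sa_ns, sa_name, "RoleBinding", namespace):
        rules = _role_rules(objects, binding["roleRef"], namespace)
        if any(_rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False


def _obj(kind, name, namespace=None, **body):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind, "metadata": meta, **body}


SA = [{"kind": "ServiceAccount", "name": "keda-operator", "namespace": "keda"}]
REF = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole"}
CCES = ["clustercloudeventsources", "clustercloudeventsources/status"]
CCES_VERBS = ["get", "list", "patch", "update", "watch"]

# Constructed model of the watchNamespace="myNamespace" install described in the
# issue: a ClusterRole (name and scaledobjects rule are assumptions) bound only
# through a RoleBinding in the watched namespace, with no ClusterRoleBinding.
WATCH_NS_OBJECTS = [
    _obj("ClusterRole", "keda-operator", rules=[
        {"apiGroups": ["keda.sh"], "resources": ["scaledobjects"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["eventing.keda.sh"], "resources": CCES, "verbs": CCES_VERBS}]),
    _obj("RoleBinding", "keda-operator", namespace="myNamespace",
         roleRef={**REF, "name": "keda-operator"}, subjects=SA),
]

# The workaround from the issue body, as data.
FIX_OBJECTS = [
    _obj("ClusterRole", "keda-operator-fouad",
         rules=[{"apiGroups": ["eventing.keda.sh"], "resources": CCES, "verbs": CCES_VERBS}]),
    _obj("ClusterRoleBinding", "keda-operator-fouad",
         roleRef={**REF, "name": "keda-operator-fouad"}, subjects=SA),
]

if __name__ == "__main__":
    args = ("keda", "keda-operator", "eventing.keda.sh", "clustercloudeventsources", "list")
    print("watchNamespace only, in myNamespace:", namespace_allowed(WATCH_NS_OBJECTS, "myNamespace", *args))
    print("watchNamespace only, cluster scope: ", cluster_scope_allowed(WATCH_NS_OBJECTS, *args))
    print("with extra ClusterRoleBinding:      ", cluster_scope_allowed(WATCH_NS_OBJECTS + FIX_OBJECTS, *args))
```

The first two results reproduce the log line above: the operator may list clustercloudeventsources inside myNamespace, yet the informer lists them at cluster scope, where the same ClusterRole is unbound, so the request is forbidden; adding the ClusterRoleBinding flips the third result. The on-cluster equivalent is `kubectl auth can-i list clustercloudeventsources.eventing.keda.sh --as=system:serviceaccount:keda:keda-operator`, which should print `yes` once the binding is in place.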