Service Account Permissions issue

[klofton-bw]

We're running into this issue running version 0.0.15
E0204 20:12:52.562925 1 leaderelection.go:325] error retrieving resource lock group-sync-operator/085c249a.redhat.io: configmaps "085c249a.redhat.io" is forbidden: User "system:serviceaccount:group-sync-operator:group-sync-operator-controller-manager" cannot get resource "configmaps" in API group "" in the namespace "group-sync-operator

I'm pretty sure it stems from https://github.com/redhat-cop/group-sync-operator/blob/main/config/rbac/leader_election_role_binding.yaml being hardcoded to look for the service account in the systems namespace.

- kind: ServiceAccount
  name: controller-manager
  namespace: system

There's no way to override this and the helm chart service account has no way to override the service account name or namespace https://github.com/redhat-cop/group-sync-operator/blob/main/config/helmchart/templates/service-account.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: group-sync-operator-controller-manager 

[sabre1041]

@klofton-bw Are you deploying via the OLM?

[klofton-bw]

I am deploying via Helm

[ssgdevops]

Same for me here ! Deploying through helm.
Fixed by a workaround by editing the rolebinding to get rid of the systems entry and match the sa name used by the helm deployment.
And also the same logic for the clusterrolesbindings

[look1976]

Same for me here ! Deploying through helm. Fixed by a workaround by editing the rolebinding to get rid of the systems entry and match the sa name used by the helm deployment. And also the same logic for the clusterrolesbindings

same here, did the same workaround in ClusterRoleBinding "group-sync-operator-manager-rolebinding":

subjects:

• kind: ServiceAccount
  name: group-sync-operator-controller-manager
  namespace: group-sync-operator