Bug: When insufficient permissions exist to watch managed resources, reconciliation halts #1109

@everettraven

When you create a ClusterExtension referencing a ServiceAccount with insufficient permissions to list and watch managed resources, we loop forever while waiting for the watches to successfully become established.

In the operator-controller-manager logs you'll see a looping error similar to:

W0809 19:08:12.963229       1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:argocd:argocd-installer" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
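
The looping warning above already names the subject, verb, resource and API group that RBAC refused. As an added example (not part of the original issue or the operator-controller code), this Go program collapses the repeated reflector warnings into the distinct denials an operator has to grant; the retry line, the `secrets` line and the leader-election line in `sampleLog` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Denial is one RBAC refusal recovered from a client-go reflector warning.
type Denial struct{ Subject, Verb, Resource, Group, Scope string }

// Matches the API server's "forbidden" message embedded in the warning.
var forbiddenRe = regexp.MustCompile(`is forbidden: User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)" (at the cluster scope|in the namespace "[^"]+")`)

// ParseDenials returns the distinct denials in logText, sorted by resource.
// The same warning repeats on every retry, so duplicates are collapsed.
func ParseDenials(logText string) []Denial {
	seen := map[Denial]bool{}
	var out []Denial
	for _, line := range strings.Split(logText, "\n") {
		m := forbiddenRe.FindStringSubmatch(line)
		if m == nil {
			continue // not an RBAC denial
		}
		d := Denial{m[1], m[2], m[3], m[4], m[5]}
		if !seen[d] {
			seen[d] = true
			out = append(out, d)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Resource < out[j].Resource })
	return out
}

// Sample input: line 1 is the warning from the issue; lines 2-4 are constructed.
const sampleLog = `W0809 19:08:12.963229       1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:argocd:argocd-installer" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
W0809 19:08:14.101010       1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list apiextensions.k8s.io/v1, Kind=CustomResourceDefinition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:argocd:argocd-installer" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
W0809 19:08:14.202020       1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list /v1, Kind=Secret: secrets is forbidden: User "system:serviceaccount:argocd:argocd-installer" cannot list resource "secrets" in API group "" in the namespace "argocd"
I0809 19:08:15.000000       1 leaderelection.go:250] successfully renewed lease`

func main() {
	for _, d := range ParseDenials(sampleLog) {
		fmt.Printf("%s lacks %q on %s (group %q) %s\n", d.Subject, d.Verb, d.Resource, d.Group, d.Scope)
	}
}
```

The log only shows the `list` refusal because a reflector lists before it watches; the ServiceAccount needs both verbs on each reported resource for the watch to become established.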

Labels

v1.0: Issues related to the initial stable release of OLMv1

Status

Done
