Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: failed to list v1.IngressClass is forbidden #549

Open
tcpecheanu opened this issue Apr 3, 2024 · 1 comment · May be fixed by bouchardmathieu-qc/jaegertracing-helm-charts#1
Open

[Bug]: failed to list v1.IngressClass is forbidden #549

tcpecheanu opened this issue Apr 3, 2024 · 1 comment · May be fixed by bouchardmathieu-qc/jaegertracing-helm-charts#1
Labels
bug Something isn't working

Comments

@tcpecheanu
Copy link

tcpecheanu commented Apr 3, 2024
edited
Loading

What happened?

When trying to recreate a jaeger instance I'm getting the following error in the operator:

2024-04-03T05:50:34Z	INFO	cleaning orphaned deployments.
W0403 05:50:39.050014       1 reflector.go:539] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:operators:jaeger-operator" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
E0403 05:50:39.050062       1 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1.IngressClass: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:operators:jaeger-operator" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope

I already have enabled rbac and service account creation.

Steps to reproduce

  1. Remove the Jaeger instance
  2. Try to re-add it

Expected behavior

Recreate the Jeager instance without doing any manual change.

Relevant log output

2024-04-03T05:47:19Z	INFO	cleaning orphaned deployments.
W0403 05:47:23.410275       1 reflector.go:539] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:operators:jaeger-operator" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
E0403 05:47:23.410316       1 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1.IngressClass: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:operators:jaeger-operator" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope

Screenshot

No response

Additional context

The fix is very simple, just add the ingressclasses resource access to the jaeger-operator clusterrole under networking.k8s.io, like below

  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses

Jaeger backend version

v1.55.0

SDK

No response

Pipeline

No response

Stogage backend

Elasticsearch v8.12.0

Operating system

Linux

Deployment model

Kubernetes v1.27.8

Deployment configs

jaeger-operator-values.yaml
  image:
    repository: jaegertracing/jaeger-operator
    tag: 1.55.0
    pullPolicy: IfNotPresent
  crd:
    install: true
  rbac:
    create: true
    pspEnabled: false
    clusterRole: true
  serviceAccount:
    create: true
  resources:
    limits:
     cpu: 200m
     memory: 256Mi
    requests:
     cpu: 100m
     memory: 128Mi

jaeger-instance.yaml
  apiVersion: jaegertracing.io/v1
  kind: Jaeger
  metadata:
    name: jaeger
  spec:
    strategy: production
    storage:
      type: elasticsearch
      options:
        es:
          server-urls: {{ .Values.elasticsearch.url }}
          index-prefix: {{ .Values.prefix }}
      secretName: jaeger-es-secret
      esIndexCleaner:
        enabled: true
        numberOfDays: 7
        schedule: "55 23 * * *"
      dependencies:
        enabled: false
    collector:
      replicas: 2
      resources:
        requests:
          memory: 2Gi
          cpu: 2
        limits:
          memory: 4Gi
          cpu: 4
    query:
      replicas: 2
@tcpecheanu tcpecheanu added the bug Something isn't working label Apr 3, 2024
@alex1989hu
Copy link
Contributor

Related: #544 (comment)

@alex1989hu alex1989hu mentioned this issue Apr 22, 2024
Closed
5 tasks
bouchardmathieu-qc added a commit to bouchardmathieu-qc/jaegertracing-helm-charts that referenced this issue May 31, 2024
@bouchardmathieu-qc
Update role.yaml to allow queries on ingressclasses
75bc3df 
The updated jaeger-operator is querying the cluster to know informations about ingressclasses. But the role created by the jaeger-operator helm chart doesn't allow get or list on ingressclasses.

This change addresses that. Fixes jaegertracing#549

Signed-off-by: Mathieu Bouchard <[email protected]>
@bouchardmathieu-qc bouchardmathieu-qc linked a pull request May 31, 2024 that will close this issue
Open
@viccuad viccuad mentioned this issue Jul 29, 2024
Closed
viccuad added a commit to viccuad/kubewarden-end-to-end-tests that referenced this issue Jul 29, 2024
@viccuad
fix: Apply workaround for jaeger rbac permissions
8acbbea 
Apply workaround for the jaeger ClusterRole, that seems to be missing
permissions to list ingressclasses. This makes the jaeger operator not
reconcile the expected ingress service. See
jaegertracing/helm-charts#549

Signed-off-by: Víctor Cuadrado Juan <[email protected]>
@viccuad viccuad mentioned this issue Jul 29, 2024
Merged
viccuad added a commit to viccuad/kubewarden-end-to-end-tests that referenced this issue Jul 29, 2024
@viccuad
fix: Apply workaround for jaeger rbac permissions
f5dcf72 
Apply workaround for the jaeger ClusterRole, that seems to be missing
permissions to list ingressclasses. This makes the jaeger operator not
reconcile the expected ingress service. See
jaegertracing/helm-charts#549

Signed-off-by: Víctor Cuadrado Juan <[email protected]>
@viccuad viccuad mentioned this issue Jul 31, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update role.yaml to allow queries on ingressclasses bouchardmathieu-qc/jaegertracing-helm-charts
2 participants
@alex1989hu @tcpecheanu