Report
When using the watchNamespace feature with keda 2.16.1, the operator pod gives an error:
User "system:serviceaccount:keda:keda-operator" cannot list resource "clustercloudeventsources" cluster wide
Expected Behavior
User "system:serviceaccount:keda:keda-operator" should be able to list resource "clustercloudeventsources" cluster wide
Actual Behavior
User "system:serviceaccount:keda:keda-operator" cannot list resource "clustercloudeventsources" cluster wide
Steps to Reproduce the Problem
- Deploy keda helm with watchNamespace feature listing some namespaces
Logs from KEDA operator
W0122 07:17:43.186273 1 reflector.go:561] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: failed to list *v1alpha1.ClusterCloudEventSource: clustercloudeventsources.eventing.keda.sh is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "clustercloudeventsources" in API group "eventing.keda.sh" at the cluster scope
E0122 07:17:43.186320 1 reflector.go:158] "Unhandled Error" err="sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1alpha1.ClusterCloudEventSource: failed to list *v1alpha1.ClusterCloudEventSource: clustercloudeventsources.eventing.keda.sh is forbidden: User \"system:serviceaccount:keda:keda-operator\" cannot list resource \"clustercloudeventsources\" in API group \"eventing.keda.sh\" at the cluster scope" logger="UnhandledError"
The cluster role keda-operator looks alright and do list this
- eventing.keda.sh
resources:
- cloudeventsources
- cloudeventsources/status
- clustercloudeventsources
- clustercloudeventsources/status
verbs:
- get
- list
- patch
- update
- watch
and the rolebindings look good too
# k get rolebindings.rbac.authorization.k8s.io -A | grep keda-operator
demat-demo-a keda-operator ClusterRole/keda-operator
identity-demo-a keda-operator ClusterRole/keda-operator
keda keda-operator ClusterRole/keda-operator
KEDA Version
2.16.1
Kubernetes Version
1.29
Platform
None
Scaler Details
No response
Anything else?
No response
Report
When using the watchNamespace feature with keda 2.16.1, the operator pod gives an error:
User "system:serviceaccount:keda:keda-operator" cannot list resource "clustercloudeventsources" cluster wide
Expected Behavior
User "system:serviceaccount:keda:keda-operator" should be able to list resource "clustercloudeventsources" cluster wide
Actual Behavior
User "system:serviceaccount:keda:keda-operator" cannot list resource "clustercloudeventsources" cluster wide
Steps to Reproduce the Problem
Logs from KEDA operator
W0122 07:17:43.186273 1 reflector.go:561] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: failed to list *v1alpha1.ClusterCloudEventSource: clustercloudeventsources.eventing.keda.sh is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "clustercloudeventsources" in API group "eventing.keda.sh" at the cluster scopeE0122 07:17:43.186320 1 reflector.go:158] "Unhandled Error" err="sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1alpha1.ClusterCloudEventSource: failed to list *v1alpha1.ClusterCloudEventSource: clustercloudeventsources.eventing.keda.sh is forbidden: User \"system:serviceaccount:keda:keda-operator\" cannot list resource \"clustercloudeventsources\" in API group \"eventing.keda.sh\" at the cluster scope" logger="UnhandledError"The cluster role keda-operator looks alright and do list this
and the rolebindings look good too
KEDA Version
2.16.1
Kubernetes Version
1.29
Platform
None
Scaler Details
No response
Anything else?
No response