When enabling the restricted secret access feature and using cert-manager instead of self-managed certificates, the KEDA operator and metrics-server fail to start.
A possible workaround for this is providing access to own-namespace secrets by creating a Role and RoleBinding manually or via extraObjects in chart values.
Expected Behavior
KEDA chart renders necessary Role and RoleBinding under these conditions OR
KEDA doesn't try to access any secrets
Actual Behavior
KEDA chart doesn't render Role and RoleBinding, leaving no access to secrets at all (which would otherwise be available through ClusterRole). KEDA components try to access secrets in own namespace, failing to do so due to missing access permissions, and crash.
Steps to Reproduce the Problem
Restrict global secret access via the following Helm values:
KEDA metrics-server and operator crash with the following error:
W0807 18:55:16.700808 1 reflector.go:424] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
E0807 18:55:16.700852 1 reflector.go:140] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
W0807 18:55:18.950561 1 reflector.go:424] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
E0807 18:55:18.950596 1 reflector.go:140] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
W0807 18:55:25.059600 1 reflector.go:424] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
E0807 18:55:25.059638 1 reflector.go:140] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
Specifications
KEDA Version: 2.11.0
Chart Version: 2.11.2
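
An added example, not part of the issue or of the KEDA chart: a script that turns the `forbidden` lines from the log above into a namespaced Role and RoleBinding of the kind the workaround describes. The object name and the extra `watch` verb are assumptions; the log shows only the operator's service account, so the metrics-server log would need to be fed through the same way.

```python
import json
import re

# Two denial lines copied from the keda-operator log in the report above.
SAMPLE_LOG = '''\
W0807 18:55:16.700808 1 reflector.go:424] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
E0807 18:55:16.700852 1 reflector.go:140] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
'''

FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"'
)

def denied_access(log_text):
    """Distinct (sa_namespace, sa, verb, resource, api_group, namespace) denials."""
    return sorted({m.group("sa_ns", "sa", "verb", "res", "group", "ns")
                   for m in FORBIDDEN.finditer(log_text)})

def namespaced_rbac(denials, extra_verbs=("watch",)):
    # Assumption: a reflector lists before it watches, so the log names only
    # "list"; "watch" is granted too because the same informer needs it next.
    grants = {}
    for sa_ns, sa, verb, res, group, ns in denials:
        rules = grants.setdefault((ns, sa_ns, sa), {})
        rules.setdefault((group, res), set()).update({verb, *extra_verbs})
    objects = []
    for (ns, sa_ns, sa), rules in sorted(grants.items()):
        name = f"{sa}-own-namespace"  # hypothetical object name
        meta = {"name": name, "namespace": ns}
        objects.append({
            "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role", "metadata": meta,
            "rules": [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                      for (g, r), v in sorted(rules.items())],
        })
        objects.append({
            "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding", "metadata": meta,
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": name},
            "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": sa_ns}],
        })
    return objects

if __name__ == "__main__":
    manifest = {"apiVersion": "v1", "kind": "List", "items": namespaced_rbac(denied_access(SAMPLE_LOG))}
    print(json.dumps(manifest, indent=2))
```

Running it prints a JSON `List` that can be reviewed and then applied with `kubectl apply -f -`; the grant stays scoped to the one namespace and resource named in the denials.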
I think that this is an error in the chart, because the secret access has to be granted if restricted mode is set.
Are you willing to open a PR fixing it?