Hi,
is there some kind of incompatibility between k8s versions for the watchResource() observer?
I released an operator that monitors the events of some custom resources and in cluster 1.21.x it works, while in cluster 1.18.x it doesn't.
I get a generic 403 Forbidden error when I try to watch the resources.
The service account with which the operator runs has all verbs enabled and if queried directly, using the same service account, the k8s API responds correctly without any kind of permission problem.
```
[info][2021-09-03T14:58:27.563Z] [K8S Main Operator] Operator start - undefined
[info][2021-09-03T14:58:27.765Z] watching resource lambdas.company.org/v1 - undefined
[error][2021-09-03T14:58:29.142Z] watch on resource lambdas.company.org/v1 failed: {"name":"Error","message":"Forbidden","stack":"Error: Forbidden\n at Request.<anonymous> (/operator/main.js:159289:35)\n at Request.emit (events.js:400:28)\n at Request../node_modules/request/request.js.Request.onRequestResponse (/operator/main.js:253512:10)\n at ClientRequest.emit (events.js:400:28)\n at HTTPParser.parserOnIncomingClient [as onIncoming] (_http_client.js:647:27)\n at HTTPParser.parserOnHeadersComplete (_http_common.js:126:17)\n at TLSSocket.socketOnData (_http_client.js:515:22)\n at TLSSocket.emit (events.js:400:28)\n at addChunk (internal/streams/readable.js:290:12)\n at readableAddChunk (internal/streams/readable.js:265:9)"} - undefined
```
```
> kubectl auth can-i --list -n devel --as system:serviceaccount:devel:default
Resources                                       Non-Resource URLs   Resource Names   Verbs
routes.company.org                              []                  []               [*]
functions.company.org                           []                  []               [*]
lambdas.company.org                             []                  []               [*]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/livez]            []               [get]
                                                [/livez]            []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/readyz]           []               [get]
                                                [/readyz]           []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]
```
Any ideas?
Thanks!