Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Keda v2.15.1 cannot list secrets within the keda namespace #685

Closed
jdinsel-xealth opened this issue Sep 10, 2024 · 2 comments
Closed

Keda v2.15.1 cannot list secrets within the keda namespace #685

jdinsel-xealth opened this issue Sep 10, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@jdinsel-xealth
Copy link

jdinsel-xealth commented Sep 10, 2024

If the permissions.operator.restrict.secret value is set to true, the minimal-rbac.yaml will not have permissions to read the secret within the release namespace.

- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- update
{{- end }}

Expected Behavior

It should be properly configured to read the secret created within its namespace.

Actual Behavior

At runtime, the keda-operator logs:

1 reflector.go:147] k8s.io/client-go/informers/factory.go:159: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is 
forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the 
namespace "keda"

Steps to Reproduce the Problem

  1. Set the values for v2.15.1 to define permissions.operator.restrict.secret to true
  2. Deploy the helm chart to the cluster
  3. Tail the logs for errors

Specifications

  • KEDA Version: v2.15.1
  • Platform & Version: AWS EKS v1.30
  • Kubernetes Version: v1.30

Note that an unreleased pull request added more permissions to list and watch. When will this be released?

https://github.com/kedacore/charts/blob/main/keda/templates/manager/minimal-rbac.yaml#L37-L40

@jdinsel-xealth jdinsel-xealth added the bug Something isn't working label Sep 10, 2024
@joebowbeer
Copy link
Contributor

joebowbeer commented Sep 11, 2024

It looks like #625 caused a regression

To be clear, the informer only needs list/watch access, not read (get) access to secrets.

See #605 and kedacore/keda-docs#1307 for previous discussion about how to restrict access to secrets, which I think now (after #625) probably needs an update

On slack: https://kubernetes.slack.com/archives/C01JGDP8MB8/p1726170644218529

@jdinsel-xealth
Copy link
Author

This issue is fixed with the release of v2.15.2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants