Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Does keda-operator ClusterRole need access to serviceaccounts? #2383

Closed
dominhhai opened this issue Dec 4, 2021 Discussed in #2348 · 10 comments · Fixed by #2406 or #2410
Closed

Does keda-operator ClusterRole need access to serviceaccounts? #2383

dominhhai opened this issue Dec 4, 2021 Discussed in #2348 · 10 comments · Fixed by #2406 or #2410
Milestone
v2.6.0

Comments

@dominhhai
Copy link

Discussed in #2348

Originally posted by gdamjan-loka November 25, 2021
Does the the keda-operator ClusterRole need access to serviceaccounts resources too?

I was getting these errors:

E1125 13:48:04.476470       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.8/tools/cache/reflector.go:167: Failed to watch *v1.ServiceAccount: failed to list *v1.ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "serviceaccounts" in API group "" at the cluster scope

To get rid of the error I had to add serviceaccount here somewhere (I edited the release yaml file):
https://github.com/kedacore/keda/blob/main/config/rbac/role.yaml#L19-L23
@dominhhai
Copy link
Author

may be related to #837 (comment)

@JorTurFer
Copy link
Member

Hi @dominhhai
I have several clusters with KEDA running there so I believe that it's not necessary.
Could you run kubectl get pods -n {KEDA_NAMESPACE} -o jsonpath="{..imageID}" and paste the output please?

@zroubalik
Copy link
Member

What type of triggers are you using?

@zroubalik
Copy link
Member

And how did you install KEDA? via HELM?

@mKeRix
Copy link

mKeRix commented Dec 16, 2021

FWIW, we also ran into this issue on our test cluster with a fresh Keda installation. We install Keda via Helm (chart version 2.5.0) and tried to use the TriggerAuthentication pointing to a service account with IAM permissions (via IRSA). The ScaledObject had a trigger of type aws-sqs-queue. This failed in the error described above. Once we gave the operator access to read our queue, removed the TriggerAuthentication and instead used identityOwner: operator the scaling worked.

If possible, we'd like to use the aws-eks pod identity in Keda in the future, so that permissions can be given granularly by the teams operating their services.

@tomkerkhove
Copy link
Member

If @zroubalik agrees, are you open to send a PR for this @mKeRix ?

@tomasspi
Copy link
Contributor

I comment on this because I had the same issue and solved it by giving permissions to list and watch service accounts to the keda-operator cluster role.
I deployed KEDA via Helm (v2.5.0) and ran into this when when using ClusterTriggerAuthentication with identityOwner: oeprator.

@tomkerkhove
Copy link
Member

Are you open to send a PR for this?

@tomasspi
Copy link
Contributor

sure thing!

@tomasspi tomasspi mentioned this issue Dec 17, 2021
Merged
5 tasks
This was referenced Dec 17, 2021
Merged
Merged
@tomkerkhove
Copy link
Member

A new Helm chart is out - https://github.com/kedacore/charts/releases/tag/v2.5.1

Thanks for reporting and fixing!

@tomkerkhove tomkerkhove added this to the v2.6.0 milestone Dec 20, 2021
@JorTurFer JorTurFer reopened this Dec 20, 2021
@JorTurFer JorTurFer mentioned this issue Dec 20, 2021
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v2.6.0
6 participants
@zroubalik @mKeRix @dominhhai @tomkerkhove @JorTurFer @tomasspi