Why am I getting list operation denied errors for a controller created for namespace scoped resources? #4023
I created a project with kubebuilder init, and added two CRDs, to be managed by namespace. Where is this disconnect (does it need to list at cluster scope? Or did I somehow manage to not restrict to namespace?), and where should I look to diagnose/update/fix this?

Versions:

Here's the PROJECT file:

Errors I'm getting:

Note that I'd much rather not grant clusterrole permissions to the service account if I don't have to.

Replies: 3 comments
Maybe answering myself here: It looks like the second CRD I added wasn't added to the rbac role?

I filed a bug about this -- the tool should generate all CRD names in the resources: sections of the apiGroups.

Hi @jwatte,

First of all, I would like to recommend that you follow the Quick Start (https://book.kubebuilder.io/quick-start) and the Getting Started (it will take 15 min), which will give you a better idea of how things work. See: https://book.kubebuilder.io/getting-started

Note that to allow us to merge ANY PR we run a lot of automated tests, as we update the samples under the testdata. The Roles have been generated correctly, as you can see, i.e.: https://github.com/kubernetes-sigs/kubebuilder/blob/master/testdata/project-v4/config/rbac/role.yaml . The samples under the testdata are generated via the script: https://github.com/kubernetes-sigs/kubebuilder/blob/master/test/testdata/generate.sh. On top of that, we have e2e tests which cover a lot of scenarios, see: https://github.com/kubernetes-sigs/kubebuilder/tree/master/test/e2e

After creating the API you need to run

kubebuilder/testdata/project-v4/Makefile Lines 46 to 48 in c3a5806

After you change anything in the API you need to run

kubebuilder/testdata/project-v4/Makefile Lines 50 to 52 in c3a5806

Note that the required markers in this case will already be scaffolded by the tool. However, you will probably need to get, list, and update other secondary resources which are required to manage the CRD (i.e. to have MyApp deployed I need a service, etc.). So, you will update the marker in the controller of MyApp, as you can check in the controller of the Deploy Image plugin sample testdata:

Another suggestion for learning how to do things is to check the Deploy Image plugin; by using this plugin to do the scaffold you will see that the whole code to manage an Image is scaffolded. Example:

So, I am closing this one as sorted out.
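
The condition raised in the first reply (a CRD resource missing from the generated role) can be checked mechanically. The Go program below is an added example, not code from this thread or from kubebuilder: it reads a Role in JSON form (as printed by `kubectl get role -o json`) and reports, per resource, the verbs that no rule grants. The group `example.com` and the resources `widgets` and `gadgets` are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Role holds only the PolicyRule fields of a Role/ClusterRole needed here.
type Role struct {
	Rules []struct {
		APIGroups []string `json:"apiGroups"`
		Resources []string `json:"resources"`
		Verbs     []string `json:"verbs"`
	} `json:"rules"`
}

// has reports whether list names want explicitly or via the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// MissingVerbs returns, for each resource in group, the verbs no rule grants.
// A controller whose watch fails with "list ... is forbidden" shows up here.
func MissingVerbs(roleJSON []byte, group string, resources, verbs []string) (map[string][]string, error) {
	var role Role
	if err := json.Unmarshal(roleJSON, &role); err != nil {
		return nil, err
	}
	missing := map[string][]string{}
	for _, res := range resources {
		for _, verb := range verbs {
			granted := false
			for _, r := range role.Rules {
				granted = granted || (has(r.APIGroups, group) && has(r.Resources, res) && has(r.Verbs, verb))
			}
			if !granted {
				missing[res] = append(missing[res], verb)
			}
		}
	}
	return missing, nil
}

// Constructed sample: a role that covers only the first of two CRDs.
const sampleRole = `{"kind":"Role","rules":[{"apiGroups":["example.com"],"resources":["widgets"],"verbs":["get","list","watch"]}]}`

func main() { fmt.Println(MissingVerbs([]byte(sampleRole), "example.com", []string{"widgets", "gadgets"}, []string{"get", "list", "watch"})) }
```

Any resource listed in the result needs a matching rule in the role before the controller's informer can list and watch it.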