Closed
Hi all,
I want to deploy the redis-cluster operator in the default namespace without clusterRoles.
I set .operator.namespace: "default"
But the pod is crashing:
```
[root@localhost charts]# kubectl get po
NAME                                      READY   STATUS             RESTARTS   AGE
redis-cluster-operator-7cf988795f-jq9bt   0/1     CrashLoopBackOff   5          5m56s
```
While from the logs I can see:
```
[root@localhost charts]# kubectl logs redis-cluster-operator-7cf988795f-jq9bt
{"level":"info","ts":1617693268.2716427,"logger":"cmd","msg":"Go Version: go1.13.3"}
{"level":"info","ts":1617693268.2716968,"logger":"cmd","msg":"Go OS/Arch: linux/amd64"}
{"level":"info","ts":1617693268.271701,"logger":"cmd","msg":"Version of operator-sdk: v0.13.0"}
{"level":"info","ts":1617693268.2717068,"logger":"cmd","msg":"Version of operator: 0.1.1+0000000"}
{"level":"info","ts":1617693268.2719927,"logger":"leader","msg":"Trying to become the leader."}
{"level":"error","ts":1617693268.9286208,"logger":"k8sutil","msg":"Failed to get Pod","Pod.Namespace":"default","Pod.Name":"redis-cluster-operator-7cf988795f-jq9bt","error":"pods \"redis-cluster-operator-7cf988795f-jq9bt\" is forbidden: User \"system:serviceaccount:default:redis-cluster-operator\" cannot get resource \"pods\" in API group \"\" in the namespace \"default\": RBAC: clusterrole.rbac.authorization.k8s.io \"redis-cluster-operator\" not found","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128\ngithub.com/operator-framework/operator-sdk/pkg/k8sutil.GetPod\n\t/go/pkg/mod/github.com/operator-framework/[email protected]/pkg/k8sutil/k8sutil.go:128\ngithub.com/operator-framework/operator-sdk/pkg/leader.myOwnerRef\n\t/go/pkg/mod/github.com/operator-framework/[email protected]/pkg/leader/leader.go:160\ngithub.com/operator-framework/operator-sdk/pkg/leader.Become\n\t/go/pkg/mod/github.com/operator-framework/[email protected]/pkg/leader/leader.go:67\nmain.main\n\t/src/cmd/manager/main.go:99\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:203"}
{"level":"error","ts":1617693268.9287992,"logger":"cmd","msg":"","error":"pods \"redis-cluster-operator-7cf988795f-jq9bt\" is forbidden: User \"system:serviceaccount:default:redis-cluster-operator\" cannot get resource \"pods\" in API group \"\" in the namespace \"default\": RBAC: clusterrole.rbac.authorization.k8s.io \"redis-cluster-operator\" not found","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128\nmain.main\n\t/src/cmd/manager/main.go:101\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:203"}
```
But roles are correctly deployed:

```
[root@localhost charts]# kubectl describe rolebindings.rbac.authorization.k8s.io redis-cluster-operator
Name:         redis-cluster-operator
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: redis-cluster-operator
              meta.helm.sh/release-namespace: default
Role:
  Kind:  ClusterRole
  Name:  redis-cluster-operator
Subjects:
  Kind            Name                    Namespace
  ----            ----                    ---------
  ServiceAccount  redis-cluster-operator  default
```
```
[root@localhost charts]# kubectl describe roles.rbac.authorization.k8s.io redis-cluster-operator
Name:         redis-cluster-operator
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: redis-cluster-operator
              meta.helm.sh/release-namespace: default
PolicyRule:
  Resources                      Non-Resource URLs  Resource Names    Verbs
  ---------                      -----------------  --------------    -----
  configmaps                     []                 []                [create get list patch update watch delete]
  events                         []                 []                [create get list patch update watch delete]
  pods/exec                      []                 []                [create get list patch update watch delete]
  services                       []                 []                [create get list patch update watch delete]
  deployments.apps               []                 []                [create get list patch update watch delete]
  replicasets.apps               []                 []                [create get list patch update watch delete]
  statefulsets.apps              []                 []                [create get list patch update watch delete]
  jobs.batch                     []                 []                [create get list patch update watch delete]
  poddisruptionbudgets.policy    []                 []                [create get list patch update watch delete]
  *.redis.kun                    []                 []                [delete deletecollection get list patch update watch]
  redisclusterbackups.redis.kun  []                 []                [delete deletecollection get list patch update watch]
  persistentvolumeclaims         []                 []                [get list watch delete create patch update]
  secrets                        []                 []                [get list watch delete create patch update]
  endpoints                      []                 []                [get list watch delete]
  pods                           []                 []                [get list watch delete]
  namespaces                     []                 []                [get list watch]
  deployments.apps/finalizers    []                 [redis-operator]  [update]
```
Am I doing anything wrong?
Thanks
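
Added example, not part of the original issue or the operator's code: in the output pasted above, the RoleBinding's `Role: Kind` is `ClusterRole`, only a namespaced Role is shown, and the API server reports `clusterrole ... not found`. This sketch flags bindings whose `roleRef` resolves to no object; the function name `dangling_role_refs` and the JSON sample are constructed for illustration.

```python
import json

# Constructed sample mirroring the issue's `kubectl describe` output: a namespaced
# Role exists, but the RoleBinding's roleRef names a ClusterRole.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Role",
  "metadata": {"name": "redis-cluster-operator", "namespace": "default"}},
 {"kind": "RoleBinding",
  "metadata": {"name": "redis-cluster-operator", "namespace": "default"},
  "roleRef": {"kind": "ClusterRole", "name": "redis-cluster-operator"},
  "subjects": [{"kind": "ServiceAccount", "name": "redis-cluster-operator",
                "namespace": "default"}]}]}
""")

def dangling_role_refs(items):
    """Return one finding per binding whose roleRef resolves to no object."""
    roles = {(o["metadata"].get("namespace"), o["metadata"]["name"])
             for o in items if o["kind"] == "Role"}
    cluster_roles = {o["metadata"]["name"]
                     for o in items if o["kind"] == "ClusterRole"}
    findings = []
    for o in items:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns, ref = o["metadata"].get("namespace"), o["roleRef"]
        if ref["kind"] == "ClusterRole":
            resolved = ref["name"] in cluster_roles
        else:  # kind Role: only valid from a RoleBinding in the same namespace
            resolved = o["kind"] == "RoleBinding" and (ns, ref["name"]) in roles
        if resolved:
            continue
        # A same-named Role in the binding's namespace suggests the wrong kind.
        wrong_kind = ref["kind"] == "ClusterRole" and (ns, ref["name"]) in roles
        findings.append({
            "binding": f'{o["kind"]}/{ns}/{o["metadata"]["name"]}',
            "missing": f'{ref["kind"]}/{ref["name"]}',
            "hint": "same-named Role exists; roleRef.kind should be Role"
                    if wrong_kind else "referenced role does not exist",
        })
    return findings

if __name__ == "__main__":
    for f in dangling_role_refs(SAMPLE["items"]):
        print(f'{f["binding"]} -> {f["missing"]} not found ({f["hint"]})')
```

The function takes the `items` list from `kubectl get roles,rolebindings,clusterroles,clusterrolebindings -o json`. Because `roleRef` is immutable, correcting a flagged binding means deleting and recreating it with the right `kind`.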