No permissions to get,list,watch ciskubebenchreports when operator is installed with Helm in same namespaces install mode
danielpacak opened this issue
What steps did you take and what happened:
Install Starboard Operator with Helm without setting the `targetNamespaces` value:
```
helm install starboard-operator ./deploy/helm \
  --namespace starboard-system \
  --create-namespace
```
What did you expect to happen:
Since CIS Benchmarks are enabled by default, the operator should run kube-bench on each cluster node and save results in CISKubeBenchReport instances.
Anything else you would like to add:
The following error shows up in the operator's log instead:
```
E0304 16:20:35.908432 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167:
Failed to watch *v1alpha1.ClusterConfigAuditReport: failed to list *v1alpha1.ClusterConfigAuditReport:
clusterconfigauditreports.aquasecurity.github.io is forbidden:
User "system:serviceaccount:starboard-system:starboard-operator" cannot list resource
"clusterconfigauditreports" in API group "aquasecurity.github.io" at the cluster scope
```
Environment:
- Starboard version (use `starboard version`): v0.14.1
- Kubernetes version (use `kubectl version`): any
- OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): any
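
For triage of the error quoted in this issue, the following added example (not part of the original report and not Starboard code) extracts RBAC denials from operator log text and builds the matching `kubectl auth can-i` check for each one. The function names `parse_denials` and `can_i_command` are hypothetical, and the sample input is constructed from the log lines above.

```python
import re
import shlex

# Constructed sample: the reflector error quoted in the issue, line wrapping included.
SAMPLE_LOG = """\
E0304 16:20:35.908432 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167:
Failed to watch *v1alpha1.ClusterConfigAuditReport: failed to list *v1alpha1.ClusterConfigAuditReport:
clusterconfigauditreports.aquasecurity.github.io is forbidden:
User "system:serviceaccount:starboard-system:starboard-operator" cannot list resource
"clusterconfigauditreports" in API group "aquasecurity.github.io" at the cluster scope
"""

# Wording of an RBAC denial as it appears in the log above; the namespaced
# variant ends with: in the namespace "<name>".
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)


def parse_denials(log_text):
    """Return the distinct RBAC denials found in log_text, in order of appearance."""
    flat = " ".join(log_text.split())  # undo line wrapping inside a message
    seen, denials = set(), []
    for match in FORBIDDEN.finditer(flat):
        denial = match.groupdict()
        key = tuple(denial.values())
        if key not in seen:  # the reflector retries, so the same denial repeats
            seen.add(key)
            denials.append(denial)
    return denials


def can_i_command(denial):
    """Build the kubectl auth can-i command that re-checks one denial."""
    resource = denial["resource"]
    if denial["group"]:  # the core API group is the empty string
        resource += "." + denial["group"]
    cmd = ["kubectl", "auth", "can-i", denial["verb"], resource, "--as", denial["user"]]
    if denial["namespace"]:
        cmd += ["--namespace", denial["namespace"]]
    else:
        cmd.append("--all-namespaces")  # denial was at the cluster scope
    return shlex.join(cmd)


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(can_i_command(d))
```

Running the printed command before and after a chart change shows whether the service account's permissions actually changed, without waiting for the reflector to retry.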