unable to list/watch resources without cluster-wide permissions
gpomykala opened this issue · comments
I attempted to leverage controller-runtime as a building block for a component that will watch some specific kind of resource, mostly due to the built-in caching / component lifecycle management via the default Manager.
What I missed is that Manager does not seem to allow injecting a non-default Client, e.g. https://github.com/kubernetes-sigs/controller-runtime/blob/main/pkg/client/namespaced_client.go, that would allow observing resources in a specific namespace only. My component runs with a service account that has some namespace-scoped permissions, but not cluster-wide permissions, which leads to
E0220 12:56:54.476930 17 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.0/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Workflow: failed to list *v1alpha1.Workflow: workflows.argoproj.io is forbidden: User "XXX" cannot list resource "workflows" in API group "argoproj.io" at the cluster scope
I tried to inject the namespace to watch via the configuration mentioned here https://github.com/kubernetes-sigs/controller-runtime/issues/2467 with no luck so far.
Is it possible to either:
- inject the namespace to Manager's configuration
- inject non-default Client to the Manager
I am open to other suggestions as well.
/kind support
nvm, actually setting the namespace in cache options did work as explained in #1708 (comment)