
Operator-sdk issue


I had an Operator and deployed it in 3 different namespaces in the same cluster, and then I got the following errors. I could not figure out what's wrong here or how to fix them. Any ideas?

E1111 15:02:48.398838       1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1alpha1.Bird: Birds.xxxx.com is forbidden: User "system:serviceaccount:aaaa-test:default" cannot list resource "Birds" in API group "xxxx.com" in the namespace "aaaa-test"
E1111 15:02:50.193666       1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1alpha1.Bird: Birds.xxxx.com is forbidden: User "system:serviceaccount:aaaa-test:default" cannot list resource "Birds" in API group "xxxx.com" in the namespace "aaaa-test"

Solution

  • This message means that the service account you use for your Operator is missing certain permissions. You need to add a Role which has permissions to list the resource Birds.

    Something like this:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: operator
    rules:
      - apiGroups:
          - xxxx.com
        resources:
          - birds
        verbs:
          - list
    

    Needless to say, you also need to add a ClusterRoleBinding.

    Please check more details in the example: Build Your Operator with the Right Tool.
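
As an added example (not part of the original answer or of operator-sdk), the script below parses the "forbidden" reflector errors from the question and emits a namespace-scoped Role and RoleBinding granting only the denied verbs to the service account named in the log, a narrower alternative to a cluster-wide binding. The role name `bird-reader` and the shortened log lines are assumptions made for the example.

```python
import re

# Constructed sample: the two reflector errors from the question, source path shortened.
SAMPLE_LOG = '''\
E1111 15:02:48.398838 1 reflector.go:178] Failed to list *v1alpha1.Bird: Birds.xxxx.com is forbidden: User "system:serviceaccount:aaaa-test:default" cannot list resource "Birds" in API group "xxxx.com" in the namespace "aaaa-test"
E1111 15:02:50.193666 1 reflector.go:178] Failed to list *v1alpha1.Bird: Birds.xxxx.com is forbidden: User "system:serviceaccount:aaaa-test:default" cannot list resource "Birds" in API group "xxxx.com" in the namespace "aaaa-test"
'''

DENIED = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"')

def denied_permissions(log_text):
    """Collapse repeated denials into {(sa_ns, sa, ns, group, resource): {verbs}}."""
    grants = {}
    for m in DENIED.finditer(log_text):
        # RBAC rules name resources in lowercase plural form ("birds").
        key = (m["sa_ns"], m["sa"], m["ns"], m["group"], m["res"].lower())
        grants.setdefault(key, set()).add(m["verb"])
    return grants

def manifests(grants, role_name="bird-reader"):  # role_name is a hypothetical name
    docs = []
    for (sa_ns, sa, ns, group, res), verbs in sorted(grants.items()):
        verb_list = ", ".join(sorted(verbs))
        docs.append(f"""\
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {{name: {role_name}, namespace: {ns}}}
rules:
  - apiGroups: ["{group}"]
    resources: ["{res}"]
    verbs: [{verb_list}]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {{name: {role_name}, namespace: {ns}}}
subjects:
  - kind: ServiceAccount
    name: {sa}
    namespace: {sa_ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {role_name}
""")
    return "---\n".join(docs)

print(manifests(denied_permissions(SAMPLE_LOG)))
```

A reflector lists and then watches, so a `cannot watch` denial is likely to follow once `list` is granted; rerunning the script over the new log lines adds that verb to the same Role.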