When enabling restricted secret access feature and using cert-manager instead of self-managed certificates, KEDA operator and metrics-server fail to start.
A possible workaround for this is providing access to own-namespace secrets by creating Role and RoleBinding manually or via extraObjects in chart values.
Expected Behavior
KEDA chart renders necessary Role and RoleBinding under these conditions
OR
KEDA doesn't try to access any secrets
Actual Behavior
KEDA chart doesn't render Role and RoleBinding, leaving no access to secrets at all (which would otherwise be available through ClusterRole). KEDA components try to access secrets in own namespace, failing to do so due to missing access permissions, and crash.
Steps to Reproduce the Problem
- Restrict global secret access via following Helm values:
permissions:
metricServer:
restrict:
secret: true
operator:
restrict:
secret: true
- Enable cert-manager certificates instead of self-generated ones via following Helm values:
certificates:
autoGenerated: false
certManager:
enabled: true
- Deploy KEDA to cluster
- KEDA metrics-server and operator crash with following error:
W0807 18:55:16.700808 1 reflector.go:424] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
E0807 18:55:16.700852 1 reflector.go:140] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
W0807 18:55:18.950561 1 reflector.go:424] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
E0807 18:55:18.950596 1 reflector.go:140] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
W0807 18:55:25.059600 1 reflector.go:424] k8s.io/client-go/informers/factory.go:150: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
E0807 18:55:25.059638 1 reflector.go:140] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the namespace "keda"
Specifications
- KEDA Version: 2.11.0
- Chart Version: 2.11.2
When enabling restricted secret access feature and using cert-manager instead of self-managed certificates, KEDA operator and metrics-server fail to start.
A possible workaround for this is providing access to own-namespace secrets by creating Role and RoleBinding manually or via
extraObjectsin chart values.Expected Behavior
KEDA chart renders necessary Role and RoleBinding under these conditions
OR
KEDA doesn't try to access any secrets
Actual Behavior
KEDA chart doesn't render Role and RoleBinding, leaving no access to secrets at all (which would otherwise be available through ClusterRole). KEDA components try to access secrets in own namespace, failing to do so due to missing access permissions, and crash.
Steps to Reproduce the Problem
Specifications