jaeger-operator: Failed to list namespaces error when not using cluster-wide mode

Deployed the operator 1.22 following these instructions:

kubectl create namespace observability
kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/crds/jaegertracing.io_jaegers_crd.yaml
kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/service_account.yaml
kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/role.yaml
kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/role_binding.yaml
kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/operator.yaml

The operator watches only the observability namespace. But I’m seeing these errors in the log:

E0416 08:20:50.253032       1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.2/tools/cache/reflector.go:125: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:observability:jaeger-operator" cannot list resource "namespaces" in API group "" at the cluster scope

About this issue

  • State: open
  • Created 3 years ago
  • Comments: 20 (8 by maintainers)

Most upvoted comments

Guys, the same issue. Deployed jaeger-operator 2.39.0 from the helm chart using default values (non-cluster wide) in the observability ns. When I try to create the simplest jaeger cluster I get:

1.6744841582063437e+09	ERROR	Reconciler error	{"controller": "jaeger", "controllerGroup": "jaegertracing.io", "controllerKind": "Jaeger", "Jaeger": {"name":"simplest","namespace":"observability"}, "namespace": "observability", "name": "simplest", "reconcileID": "44701060-9d41-42ad-b849-dfe6f916d60b", "error": "deployments.apps is forbidden: User \"system:serviceaccount:observability:jaeger-crd-jaeger-operator\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope"}

For some reason the operator wants to list deployments in cluster scope, but I don’t use cluster scope. I can’t deploy even the simplest jaeger cluster.

I have a feeling some of the conversation here might be confusing things a bit, since there was a period of time where both modes had some problems on various versions of the Helm chart and operator. The original ticket was about when not running in cluster mode, i.e. when WATCH_NAMESPACE is defined and points to a single namespace.

It seemed the operator itself still tried to list namespaces which yielded this error, and which in theory it should not need to do or attempt to do when it was running in single namespace mode, since to do so would require the ClusterRole which you wouldn’t normally be deploying when in this mode.

Indeed the official Helm chart will not create ClusterRoles and ClusterRoleBindings when in this mode: https://github.com/jaegertracing/helm-charts/blob/59f51fd7caf924faaea951cf064f86c3f35e8b78/charts/jaeger-operator/templates/role.yaml#L2

… using the same value in the chart which controls “single namespace mode” on the Deployment. https://github.com/jaegertracing/helm-charts/blob/59f51fd7caf924faaea951cf064f86c3f35e8b78/charts/jaeger-operator/templates/deployment.yaml#L43-L50

Nevertheless, that PR doesn’t seem like it’d fix this issue to me since it is touching the ClusterRole.

sure
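
The following added example, which is not from this thread or from the jaeger-operator project, parses the two `forbidden` errors quoted above (klog and JSON reconciler format) and builds a `kubectl auth can-i` check for each, separating cluster-scope requests from namespaced ones. The third sample line is constructed to show the namespaced form of the message, and the function names are assumptions of this example.

```python
import re

# First two lines are the errors quoted on this page (prefixes trimmed);
# the third is constructed to show the namespaced form of the same message.
SAMPLE_LOG = r'''
reflector.go:125: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:observability:jaeger-operator" cannot list resource "namespaces" in API group "" at the cluster scope
"error": "deployments.apps is forbidden: User \"system:serviceaccount:observability:jaeger-crd-jaeger-operator\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope"}
pods is forbidden: User "system:serviceaccount:observability:jaeger-operator" cannot list resource "pods" in API group "" in the namespace "default"
'''

DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

def parse_denials(log_text):
    """Return one dict per RBAC denial found in klog or JSON-formatted lines."""
    denials = []
    for line in log_text.splitlines():
        # JSON loggers escape the quotes inside the error string; undo that.
        match = DENIAL.search(line.replace('\\"', '"'))
        if match:
            denial = match.groupdict()
            # No namespace in the message means the request was cluster-wide,
            # which a namespaced Role and RoleBinding can never authorize.
            denial["cluster_scope"] = denial["namespace"] is None
            denials.append(denial)
    return denials

def can_i_command(denial):
    """Build the kubectl auth can-i call that re-checks the denied request."""
    resource = denial["resource"] + ("." + denial["group"] if denial["group"] else "")
    scope = "--all-namespaces" if denial["cluster_scope"] else "-n " + denial["namespace"]
    return f'kubectl auth can-i {denial["verb"]} {resource} {scope} --as={denial["user"]}'

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        needs = "ClusterRole" if d["cluster_scope"] else "Role in " + d["namespace"]
        print(f"{needs}: {can_i_command(d)}")
```

Running the generated commands requires that your own account is allowed to impersonate the service account, since they rely on `--as`.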