
[Bug]: NGINX Ingress Controller logs show repeated errors related to insufficient RBAC permissions for the service account in 4.0.0. #7237

@sbalasan


Version

edge

What Kubernetes platforms are you running on?

AKS Azure

Steps to reproduce

The NGINX Ingress Controller logs show repeated errors related to insufficient RBAC permissions for the service account. Specifically, the errors indicate that the controller cannot list resources such as nodes and replicasets, which may prevent proper license reporting and telemetry functionality.

E20250124 21:46:44.841870 1 license_reporting.go:99] Error collecting ClusterNodeCount: nodes is forbidden: User "system:serviceaccount:nginx-ingress:nginx-ingress-token" cannot list resource "nodes"...
E20250124 21:46:44.851314 1 license_reporting.go:103] Error collecting InstallationID: error generating InstallationID: replicasets.apps "nginx-ingress-token-598cd9777b" is forbidden...

Expected Behavior
The NGINX Ingress Controller should have the necessary permissions to:

Collect the ClusterNodeCount by listing nodes.
Generate an InstallationID by accessing the replicasets.

Actual Behavior
The controller fails to collect telemetry information, as the required RBAC permissions for nodes and replicasets are missing. This results in error logs and potentially incomplete license or telemetry reports.

Steps to Reproduce

Deploy the NGINX Ingress Controller using the Helm chart or a similar method.
Observe the logs of the NGINX Ingress Controller pod using:
kubectl logs -n
Notice the repeated errors related to RBAC permissions.

Possible Cause
The default RBAC permissions provided in the Helm chart or deployment configuration for the NGINX Ingress Controller may not include permissions for listing nodes and replicasets.

Proposed Solution
Update the ClusterRole associated with the NGINX Ingress Controller to include the following rules:

- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get", "list"]

Workaround
Manually update the ClusterRole with the above rules to resolve the issue temporarily.
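
Added example, not part of the original report or the project's code: a small Python parser that turns the "is forbidden" denials in controller logs into the narrowest RBAC rules that would clear them, so a role is widened only by what was actually refused. The function names are hypothetical, and the sample lines are constructed from the two errors above; the text after the report's "..." is an assumption that follows the standard Kubernetes denial message format.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the two errors in the report. The text after
# the report's "..." (verb, API group, scope) is an assumption that follows the
# standard Kubernetes authorization-denied message format.
SAMPLE_LOG = '''\
E20250124 21:46:44.841870 1 license_reporting.go:99] Error collecting ClusterNodeCount: nodes is forbidden: User "system:serviceaccount:nginx-ingress:nginx-ingress-token" cannot list resource "nodes" in API group "" at the cluster scope
E20250124 21:46:44.851314 1 license_reporting.go:103] Error collecting InstallationID: error generating InstallationID: replicasets.apps "nginx-ingress-token-598cd9777b" is forbidden: User "system:serviceaccount:nginx-ingress:nginx-ingress-token" cannot get resource "replicasets" in API group "apps" in the namespace "nginx-ingress"
I20250124 21:46:45.000000 1 main.go:1] unrelated informational line
E20250124 21:47:44.841870 1 license_reporting.go:99] Error collecting ClusterNodeCount: nodes is forbidden: User "system:serviceaccount:nginx-ingress:nginx-ingress-token" cannot list resource "nodes" in API group "" at the cluster scope
'''

DENIAL = re.compile(
    r'is forbidden: User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"'
)

def denied_permissions(log_text):
    """Return {user: {(apiGroup, resource): {verbs}}} for every RBAC denial found."""
    denied = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:  # repeated denials collapse into one entry
            denied[m["user"]][(m["group"], m["resource"])].add(m["verb"])
    return denied

def minimal_rules(log_text, user):
    """Build ClusterRole rules granting only the verbs that were actually denied."""
    perms = denied_permissions(log_text).get(user, {})
    return [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        for (group, resource), verbs in sorted(perms.items())
    ]

def to_yaml(rules):
    """Render rules in the flow-style YAML used for ClusterRole manifests."""
    quote = lambda items: "[" + ", ".join(f'"{i}"' for i in items) + "]"
    return "\n".join(
        f'- apiGroups: {quote(r["apiGroups"])}\n'
        f'  resources: {quote(r["resources"])}\n'
        f'  verbs: {quote(r["verbs"])}'
        for r in rules
    )

if __name__ == "__main__":
    sa = "system:serviceaccount:nginx-ingress:nginx-ingress-token"
    print(to_yaml(minimal_rules(SAMPLE_LOG, sa)))
```

On the constructed sample this yields `list` on nodes and `get` on replicasets only; a denial that names a namespace can be granted through a namespaced Role instead of a ClusterRole.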
