Strimzi Operator fail kuberentes cluster-wide.

[rfarajro]

Hi,

Following the documentation (https://strimzi.io/docs/operators/latest/full/deploying.html), I have deployed the operator in cluster-wide mode, but it fails with the below error:

Unable to start operator for 1 or more namespace
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.96.0.1/apis/kafka.strimzi.io/v1beta2/kafkas. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. kafkas.kafka.strimzi.io is forbidden: User "system:serviceaccount:my-operator-namespace:strimzi-cluster-operator" cannot list resource "kafkas" in API group "kafka.strimzi.io" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "strimzi-topic-operator" not found.

This error occurs when I set the variable with value * in the deploy (060-Deployment-strimzi-cluster-operator.yaml).
env:
- name: STRIMZI_NAMESPACE
value: "*"

But it works if you set it to the namespace name.
env:
- name: STRIMZI_NAMESPACE
value: "my-operator-namespace"

I have created the ClusterRoleBinding according to the documentation:
kubectl create clusterrolebinding strimzi-cluster-operator-namespaced --clusterrole=strimzi-cluster-operator-namespaced --serviceaccount my-operator-namespace:strimzi-cluster-operator
kubectl create clusterrolebinding strimzi-cluster-operator-watched --clusterrole=strimzi-cluster-operator-watched --serviceaccount my-operator-namespace:strimzi-cluster-operator
kubectl create clusterrolebinding strimzi-cluster-operator-entity-operator-delegation --clusterrole=strimzi-entity-operator --serviceaccount my-operator-namespace:strimzi-cluster-operator

And:
sed -i 's/namespace: .*/namespace: my-operator-namespace/' install/cluster-operator/RoleBinding.yaml

So I don't understand what could be wrong.

Any idea please?

Regards.

[rfarajro]

Hi,

I found the solution. I need to create a new ClusterRole called "strimzi-topic-operator", but I don't understand why I had to create this new role since it should be in the installation or documented:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: strimzi-topic-operator
labels:
app: strimzi
rules:

• apiGroups:
  • "kafka.strimzi.io"
    resources:
  • kafkas
  • kafkas/status
  • kafkaconnects
  • kafkaconnects/status
  • kafkaconnects/scale
  • kafkamirrormakers
  • kafkamirrormakers/status
  • kafkamirrormakers/scale
  • kafkausers
  • kafkausers/status
  • kafkatopics
  • kafkatopics/status
  • kafkabridges
  • kafkabridges/status
  • kafkabridges/scale
  • kafkaconnectors
  • kafkaconnectors/status
  • kafkaconnectors/scale
  • kafkamirrormaker2s
  • kafkamirrormaker2s/status
  • kafkamirrormaker2s/scale
  • kafkarebalances
  • kafkarebalances/status
    verbs:
  • get
  • list
  • watch
  • create
  • delete
  • patch
  • update
• apiGroups:
  • "core.strimzi.io"
    resources:
  • strimzipodsets
  • strimzipodsets/status
    verbs:
  • status
  • get
  • list
  • watch
  • create
  • delete
  • patch
  • update

Regards.

[scholzj]

TBH, I do not follow what you did initially, and later to fix it ... the ClusterRoles changed in 0.32. So if you used some procedure from older versions, it could be that it did not work anymore. But the rights listed above are form https://github.com/strimzi/strimzi-kafka-operator/blob/main/install/cluster-operator/023-ClusterRole-strimzi-cluster-operator-role.yaml. And this command which you said you run:

kubectl create clusterrolebinding strimzi-cluster-operator-watched --clusterrole=strimzi-cluster-operator-watched --serviceaccount my-operator-namespace:strimzi-cluster-operator

creates the ClusterRoleBinding for it. So I do not see any docs issue here. Maybe just some typo somewhere in the first try?