Operator-sdk: Errors on Bundle Validate When Specifying Non-Default ServiceAccountName in controller-manager Deployment

Created on 18 Aug 2020  路  6Comments  路  Source: operator-framework/operator-sdk

Bug Report

What did you do?
Specifying a ServiceAccountName in the controller-manager deployment results in a bundle validation error on make bundle ...

What did you expect to see?
A clear and concise description of what you expected to happen (or insert a code snippet).
I expected to see the following in the output of make bundle ...:

INFO[0000] Building annotations.yaml                    
INFO[0000] Writing annotations.yaml in <dir>/memcached-operator/bundle/metadata 
INFO[0000] Building Dockerfile                          
INFO[0000] Writing bundle.Dockerfile in <dir>/memcached-operator 
operator-sdk bundle validate ./bundle
INFO[0000] Found annotations file                        bundle-dir=bundle container-tool=docker
INFO[0000] Could not find optional dependencies file     bundle-dir=bundle container-tool=docker
INFO[0000] All validation tests have completed successfully

What did you see instead? Under which circumstances?
A clear and concise description of what you expected to happen (or insert a code snippet).
However when specifying serviceAccountName in the controller-manager as follows:

...
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
  labels:
    control-plane: controller-manager
spec:
  selector:
    matchLabels:
      control-plane: controller-manager
  replicas: 1
  template:
    metadata:
      labels:
        control-plane: controller-manager
    spec:
      serviceAccountName: memcached-operator
      containers:
      - command:
        - /manager
        args:
        - --enable-leader-election
        image: controller:latest
        name: manager
        resources:
          limits:
            cpu: 100m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
      terminationGracePeriodSeconds: 10

I see the following errors on make bundle ...:

INFO[0000] Building annotations.yaml                    
INFO[0000] Writing annotations.yaml in <dir>/memcached-operator/bundle/metadata 
INFO[0000] Building Dockerfile                          
INFO[0000] Writing bundle.Dockerfile in <dir>/memcached-operator 
operator-sdk bundle validate ./bundle
INFO[0000] Found annotations file                        bundle-dir=bundle container-tool=docker
INFO[0000] Could not find optional dependencies file     bundle-dir=bundle container-tool=docker
ERRO[0000] Error: Value memcached-operator-leader-election-role: error validating object: metadata.namespace: Forbidden: not allowed on this type. &{map[apiVersion:rbac.authorization.k8s.io/v1 kind:Role metadata:map[creationTimestamp:<nil> name:memcached-operator-leader-election-role namespace:memcached-operator] rules:[map[apiGroups:[] resources:[configmaps] verbs:[get list watch create update patch delete]] map[apiGroups:[] resources:[configmaps/status] verbs:[get update patch]] map[apiGroups:[] resources:[events] verbs:[create patch]]]]} 
ERRO[0000] Error: Value memcached-operator-leader-election-rolebinding: error validating object: metadata.namespace: Forbidden: not allowed on this type. &{map[apiVersion:rbac.authorization.k8s.io/v1 kind:RoleBinding metadata:map[creationTimestamp:<nil> name:memcached-operator-leader-election-rolebinding namespace:memcached-operator] roleRef:map[apiGroup:rbac.authorization.k8s.io kind:Role name:memcached-operator-leader-election-role] subjects:[map[kind:ServiceAccount name:default namespace:memcached-operator]]]}

Not only do we believe we should not be seeing this error, in the situation specified, this error appears to be incorrect because the files the operator-sdk bundle command are referencing are Roles and RoleBindings which are namespace scoped.

Environment

  • operator-sdk version: 1.0.0

  • go version: 1.14.7 and 1.15

  • Kubernetes version information: 1.18.3 (but not applicable)

  • Kubernetes cluster kind: OpenShift 4.5.5 (also not applicable)

  • Are you writing your operator in ansible, helm, or go?: go

Possible Solution
N/A

Additional context
I noticed far more files are created in the bundle/manifests when specifying ServiceAccountName in the controller-manager deployment, than when this is not specified.

Additionally, I referenced this: https://github.com/operator-framework/operator-sdk/blob/874d1201c8bb2d23db6b4cc59a68543c6a0b7701/internal/generate/clusterserviceversion/clusterserviceversion_updaters.go#L100 as validation as to the correct way to specify a non-default ServiceAccount

kinbug triagneeds-information
Source
picture griffincollege

Most helpful comment

Yup! Sounds right. Thanks for confirming.

/milestone v1.1.0

picture joelanford on 28 Oct 2020
👍2

All 6 comments

This does look like some validation library bug. I will investigate.

The way you've specified a non-default service account name in the CSV is correct. This service account name differs from the one (default) that role bindings bind roles to, so generate writes these CSV-adjacent RBAC objects as manifests for OLM to directly create.

/kind bug

estroz picture estroz on 18 Aug 2020

Does this need more information or is it resolved? Asking because of the tag. I just ran across this on opsdkv1.0.0 but I see 1.1.0 out and need to try to upgrade my operator-sdk to see if it's resolved there, but wanted to see if I could provide whatever information is missing.

komish picture komish on 27 Oct 2020

I _think_ this should be resolved as of 1.1.0. The PR (https://github.com/operator-framework/operator-sdk/pull/3813) that presumably fixed this was merged prior to the release. Would you mind trying it out and letting us know.

If it is resolved, we can put this back in the 1.1.0 milestone and close it.

joelanford picture joelanford on 27 Oct 2020

Certainly, I'll give it a test in the AM and report back!

komish picture komish on 27 Oct 2020
👍1

Based on my testing, it looks like operator-sdk v1.1.0 does resolve this issue.

To recap, I aimed to add a custom service account to my operator (such that I did not use "default" which is what the kustomize manifests are set up to do by default). I ended up with a CSV-adjacent service account included in the bundle, and the namespace that I had prepared was stripped which I believe was the goal (because OLM handles namespace placement based on the installation processes).

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: null
  name: my-operator-sa

Bundle validation now passes without an issue as it was previously erroring on validating a resource with a namespace (and now we don't have one).

$ operator-sdk version
operator-sdk version: "v1.1.0", commit: "9d27e224efac78fcc9354ece4e43a50eb30ea968", kubernetes version: "v1.18.2", go version: "go1.15 darwin/amd64", GOOS: "darwin", GOARCH: "amd64"

$ operator-sdk bundle validate ./bundle
INFO[0000] Found annotations file                        bundle-dir=bundle container-tool=docker
INFO[0000] Could not find optional dependencies file     bundle-dir=bundle container-tool=docker
INFO[0000] All validation tests have completed successfully

Seems resolved to me.

komish picture komish on 28 Oct 2020

Yup! Sounds right. Thanks for confirming.

/milestone v1.1.0

joelanford picture joelanford on 28 Oct 2020
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

magescher picture magescher  路  3Comments
flickerfly picture flickerfly  路  5Comments
TristanCacqueray picture TristanCacqueray  路  5Comments
hasbro17 picture hasbro17  路  3Comments
camilamacedo86 picture camilamacedo86  路  4Comments