Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing "subjectaccessreviews" resource permissions on keda-operator Clusterrole #646

Open
JMSPL opened this issue May 31, 2024 · 0 comments
Open

Missing "subjectaccessreviews" resource permissions on keda-operator Clusterrole #646

JMSPL opened this issue May 31, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@JMSPL
Copy link

JMSPL commented May 31, 2024
edited
Loading

Hi! Recently I've upgraded Keda to the 2.14.0 version using the latest Helm charts available. Everything deployed just fine but while looking at the logs of the metrics API server the following message kept appearing:

Failed to make webhook authorizer request: subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:keda-operator:keda-operator" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope

While having a look at the keda operator clusterrole template in the main branch I've realized the resource is indeed missing from it. Not sure if related but after the upgrade all our ScaledObjects and Jobs can no longer scale properly which I assume (might be a wrong assumption) is because of this. By running kubectl describe on any of the HPAs associated with Keda resources we can see the following:

 unable to get external metric ... unable to fetch metrics from external metrics API: an error on the server ("Internal Server Error: \"/apis/external.metrics.k8s.io/v1beta1/namespaces/...: subjectaccessreviews.authorization.k8s.io is forbidden: User \"system:serviceaccount:keda-operator:keda-operator\" cannot create resource \"subjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope") has prevented the request from succeeding (...)

Expected Behavior

The resource and necessary actions should be present in the clusterrole Helm template and message above shouldn't be present allowing for a normal scaling behavior using the latest version of the Helm chart.

Actual Behavior

Message keeps being printed by the metrics API server not allowing for the proper scaling of affected resources (ScaledObjects and ScaledJobs)

Steps to Reproduce the Problem

  1. Deploy the latest version of the Helm chart
  2. Check logs of API server
  3. Describe HPAs associated with Keda scaling objects/jobs
  4. Profit(?)

Specifications

  • KEDA Version: 2.14.0
  • Platform & Version: linux/amd64
  • Kubernetes Version: 1.28.9
  • Scaler(s): Please elaborate

PS: This seems to be very easy to fix and I have a PR ready, if bug is confirmed/reproducible by others I can take care of firing it.
@JMSPL JMSPL added the bug Something isn't working label May 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@JMSPL