
Watch all namespaces by UserOperator


We have our cluster running in the kafka namespace and we need UserOperator to be created in a namespace which is created dynamically. How can we configure our UserOperator to watch all namespaces? We tried this configuration:

  entityOperator:
    topicOperator: {}
    userOperator:
      watchedNamespace: ".*"

I have already created the ClusterRoleBindings by executing:

kubectl create clusterrolebinding strimzi-cluster-operator-namespaced --clusterrole=strimzi-cluster-operator-namespaced --serviceaccount kafka:strimzi-cluster-operator
kubectl create clusterrolebinding strimzi-cluster-operator-entity-operator-delegation --clusterrole=strimzi-entity-operator --serviceaccount kafka:strimzi-cluster-operator
kubectl create clusterrolebinding strimzi-cluster-operator-topic-operator-delegation --clusterrole=strimzi-topic-operator --serviceaccount kafka:strimzi-cluster-operator

but it doesn't work and throws an exception:

2020-12-14 10:55:58 WARN  AbstractOperator:470 - Reconciliation #866(timer) Kafka(kafka/apsingh): Failed to reconcile
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.100.0.1/apis/rbac.authorization.k8s.io/v1/namespaces/.*/rolebindings/strimzi-apsingh-entity-user-operator. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. rolebindings.rbac.authorization.k8s.io "strimzi-apsingh-entity-user-operator" is forbidden: User "system:serviceaccount:kafka:strimzi-cluster-operator" cannot get resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace ".*".
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:589) ~[io.fabric8.kubernetes-client-4.12.0.jar:?]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:526) ~[io.fabric8.kubernetes-client-4.12.0.jar:?]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:492) ~[io.fabric8.kubernetes-client-4.12.0.jar:?]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:451) ~[io.fabric8.kubernetes-client-4.12.0.jar:?]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:416) ~[io.fabric8.kubernetes-client-4.12.0.jar:?]
    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:397) ~[io.fabric8.kubernetes-client-4.12.0.jar:?]
    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:933) ~[io.fabric8.kubernetes-client-4.12.0.jar:?]
    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.getMandatory(BaseOperation.java:220) ~[io.fabric8.kubernetes-client-4.12.0.jar:?]
    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:186) ~[io.fabric8.kubernetes-client-4.12.0.jar:?]
    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:84) ~[io.fabric8.kubernetes-client-4.12.0.jar:?]
    at io.strimzi.operator.common.operator.resource.AbstractResourceOperator.lambda$reconcile$0(AbstractResourceOperator.java:96) ~[io.strimzi.operator-common-0.20.0.jar:0.20.0]
    at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$2(ContextImpl.java:313) ~[io.vertx.vertx-core-3.9.1.jar:3.9.1]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [io.netty.netty-common-4.1.50.Final.jar:4.1.50.Final]
    at java.lang.Thread.run(Thread.java:834) [?:?]
2020-12-14 10:56:06 WARN  AbstractOperator:377 - Reconciliation #867(timer) KafkaConnect(kafka/kafka-connect-cluster): Failed to acquire lock lock::kafka::KafkaConnect::kafka-connect-cluster within 10000ms.

Same error for watchedNamespace: "*". The cluster is already set to watch all namespaces by setting the property watchAnyNamespace: true
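
The denial in the log above names `.*` as the namespace of the request, and Kubernetes namespace names must be RFC 1123 DNS labels, so no namespace with that name can exist. As an added example (not part of the original issue or of Strimzi), this Python script parses such denial messages and flags the ones whose namespace is not a valid name; the second sample line and the `team-a` namespace are constructed.

```python
import re

# Kubernetes namespace names must be RFC 1123 DNS labels: 1-63 characters,
# lowercase alphanumerics or '-', beginning and ending with an alphanumeric.
DNS1123_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")

# Shape of the API server's RBAC denial text as it appears in the log above.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]*)"'
)


def is_valid_namespace(name):
    """True if `name` could be the name of a real namespace."""
    return DNS1123_LABEL.fullmatch(name) is not None


def triage_denials(log_text):
    """Return one dict per RBAC denial, flagging namespaces that cannot exist."""
    findings = []
    for m in DENIAL.finditer(log_text):
        finding = m.groupdict()
        # An invalid name means the request was built from a bad config value;
        # no Role or RoleBinding can be created in such a namespace.
        finding["namespace_can_exist"] = is_valid_namespace(finding["namespace"])
        findings.append(finding)
    return findings


# First line: the denial text from the log above. Second line: constructed
# sample with a valid namespace name ("team-a" is made up for illustration).
SAMPLE_LOG = '''\
rolebindings.rbac.authorization.k8s.io "strimzi-apsingh-entity-user-operator" is forbidden: User "system:serviceaccount:kafka:strimzi-cluster-operator" cannot get resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace ".*".
rolebindings.rbac.authorization.k8s.io "strimzi-apsingh-entity-user-operator" is forbidden: User "system:serviceaccount:kafka:strimzi-cluster-operator" cannot get resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "team-a".
'''

if __name__ == "__main__":
    for f in triage_denials(SAMPLE_LOG):
        hint = ("check RBAC in that namespace" if f["namespace_can_exist"]
                else "namespace name is invalid; check the configured value")
        print(f'{f["user"]} {f["verb"]} {f["resource"]} in {f["namespace"]!r}: {hint}')
```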

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 3
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

7 reactions
caiconkhicon commented, Jan 25, 2021

I have the same requirement, but with KafkaTopic

1 reaction
scholzj commented, Nov 4, 2021

@taislapta Maybe you can copy the secrets around to be in the User Operator namespace as well as the user namespace. Also, if you want to manage the users yourself in Vault, you do not really need to use the User Operator. You can disable it and create the users directly in Kafka using the Kafka APIs / tools as well.
