RBAC issue with Kubernetes Operator built with Kopf

11/16/2021

I'm trying to deploy a Kubernetes Operator using Kopf and I'm getting the following error:

kopf._cogs.clients.errors.APIForbiddenError: ('exchangerates.operators.brennerm.github.io is forbidden: User "system:serviceaccount:default:exchangerates-operator" cannot list resource "exchangerates" in API group "operators.brennerm.github.io" at the cluster scope', {'kind': 'Status', 'apiVersion': 'v1', 'metadata': {}, 'status': 'Failure', 'message': 'exchangerates.operators.brennerm.github.io is forbidden: User "system:serviceaccount:default:exchangerates-operator" cannot list resource "exchangerates" in API group "operators.brennerm.github.io" at the cluster scope', 'reason': 'Forbidden', 'details': {'group': 'operators.brennerm.github.io', 'kind': 'exchangerates'}, 'code': 403})

What's confusing is that if I check the permissions granted to the Service Account it looks like it has the correct permissions:

$ kubectl auth can-i list exchangerates --as=system:serviceaccount:default:exchangerates-operator
yes
$ kubectl auth can-i list exchangerates --as=system:serviceaccount:default:exchangerates-operator --all-namespaces
yes

Is there somewhere else I should be looking to troubleshoot the issue?

-- bokoxev
kubernetes
kubernetes-operator
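
As an added example (not code from the question, the answer or the Kopf project), the helper below takes the 403 Status body quoted above, reconstructs the exact `kubectl auth can-i` call that asks the same question the API server just answered, and emits the least-privilege RBAC objects that would satisfy that one request. The point it encodes: the denial says "at the cluster scope", so the matching check needs `--all-namespaces` (namespace "" in the access review); a plain `can-i` asks about the current kubeconfig namespace, which is a different question. The Status dict is copied from the question; the role name `exchangerates-operator` and the second, namespaced message used in the demonstration are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the Status body returned with the 403 in the
# question above, reduced to the fields the parser needs.
SAMPLE_STATUS = {
    "kind": "Status",
    "apiVersion": "v1",
    "status": "Failure",
    "message": (
        'exchangerates.operators.brennerm.github.io is forbidden: '
        'User "system:serviceaccount:default:exchangerates-operator" '
        'cannot list resource "exchangerates" in API group '
        '"operators.brennerm.github.io" at the cluster scope'
    ),
    "reason": "Forbidden",
    "details": {"group": "operators.brennerm.github.io", "kind": "exchangerates"},
    "code": 403,
}

# kube-apiserver builds its forbidden message from a fixed template; this regex
# mirrors the two variants ("at the cluster scope" / "in the namespace ...").
_FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

# ServiceAccount usernames have the form system:serviceaccount:<ns>:<name>.
_SA_RE = re.compile(r"^system:serviceaccount:(?P<ns>[^:]+):(?P<name>[^:]+)$")


def parse_forbidden(status: Dict) -> Dict[str, Optional[str]]:
    """Pull subject, verb, resource, API group and scope out of a 403 Status.
    'namespace' is None when the request was denied at cluster scope."""
    if status.get("code") != 403 or status.get("reason") != "Forbidden":
        raise ValueError("not a Forbidden Status object")
    m = _FORBIDDEN_RE.search(status.get("message", ""))
    if m is None:
        raise ValueError("unrecognised forbidden message: %r" % status.get("message"))
    return m.groupdict()


def can_i_command(parsed: Dict[str, Optional[str]]) -> List[str]:
    """Build the `kubectl auth can-i` call that asks exactly the denied question.
    Cluster-scoped denials map to --all-namespaces; namespaced ones to -n <ns>."""
    resource = parsed["resource"]
    if parsed["group"]:  # core group is "", which needs no ".group" suffix
        resource = f'{resource}.{parsed["group"]}'
    cmd = ["kubectl", "auth", "can-i", parsed["verb"], resource, f'--as={parsed["user"]}']
    if parsed["namespace"] is None:
        cmd.append("--all-namespaces")
    else:
        cmd += ["-n", parsed["namespace"]]
    return cmd


def rbac_manifests(parsed: Dict[str, Optional[str]], name: str = "forbidden-fix") -> List[Dict]:
    """Least-privilege RBAC that satisfies the denied request and nothing more:
    ClusterRole + ClusterRoleBinding for a cluster-scoped denial, otherwise
    Role + RoleBinding in the named namespace. `name` is an illustrative object name."""
    sa = _SA_RE.match(parsed["user"])
    if sa:
        subject = {"kind": "ServiceAccount", "name": sa["name"], "namespace": sa["ns"]}
    else:
        subject = {"kind": "User", "name": parsed["user"], "apiGroup": "rbac.authorization.k8s.io"}
    cluster = parsed["namespace"] is None
    role_kind = "ClusterRole" if cluster else "Role"
    meta = {"name": name} if cluster else {"name": name, "namespace": parsed["namespace"]}
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": role_kind,
        "metadata": dict(meta),
        "rules": [{"apiGroups": [parsed["group"]],
                   "resources": [parsed["resource"]],
                   "verbs": [parsed["verb"]]}],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": role_kind + "Binding",
        "metadata": dict(meta),
        "subjects": [subject],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": role_kind, "name": name},
    }
    return [role, binding]


if __name__ == "__main__":
    parsed = parse_forbidden(SAMPLE_STATUS)
    print(" ".join(can_i_command(parsed)))
    for obj in rbac_manifests(parsed, "exchangerates-operator"):
        print(obj)
```

One caveat worth keeping in mind when the generated `can-i` check says "yes" but the operator still gets a 403, as in the question: `kubectl auth can-i` is evaluated by whichever API server your kubeconfig currently points at, while the running pod talks to the API server of the cluster it was scheduled on. With several local clusters or stale Minikube profiles those can differ, so confirm the context (`kubectl config current-context`) is the cluster the pod is actually running in before trusting the answer.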

1 Answer

11/22/2021

User Sergey Vasilyev has tested this configuration and mentioned in a comment:

You are right, "*" works. I tried your repo locally with Minikube 1.24.0 & K8s 1.22.3 — it works, there are no permission errors. The operator and the setup are both correct. Similarly for K3d — it works. I assume it is something with your local setup or old images left somewhere.

I also tested. I ran it locally on Minikube and had no problems. Your setup looks fine, everything works fine. Probably the problem may be with some dependencies in the image, or with Minikube leftovers. Bear in mind that Minikube is mainly used for testing and learning purposes, so some of its features might not be ideal. As for solving your problem, just try creating a new cluster.

-- Mikołaj Głodziak
Source: StackOverflow