Standard SA User doesn't have access to listen events on OCP4

[bigg01]

Which RBAC should be added?

......
{"level":"error","ts":1575727481.5853245,"logger":"cmd","msg":"","error":"events is forbidden: User "system:serviceaccount:test-event-logger:event-logger-example-eventlogger" cannot list resource "events" in API group "" at the cluster scope","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/pkg/mod/github.com/go-logr/zapr@v0.1.1/zapr.go:128\nmain.main\n\t/build/cmd/logger/main.go:114\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:203"}

[bakito]

How does your CR look like?
If you do not define a serviceAccount, rbac is generated automatically.

[bigg01]

By default any Deployment get a SA in OCP4.

oc get sa NAME SECRETS AGE builder 2 11m default 2 11m deployer 2 11m event-logger-example-eventlogger 2 4m eventlogger-k8s-event-logger-operator 2 9m27s

I changed the CR to use specific SA "default". Doesn't work either. The User needs more permission (RBAC).

apiVersion: eventlogger.bakito.ch/v1 kind: EventLogger metadata: creationTimestamp: '2019-12-07T14:04:15Z' generation: 4 name: example-eventlogger namespace: test-event-logger resourceVersion: '2434313' selfLink: >- /apis/eventlogger.bakito.ch/v1/namespaces/test-event-logger/eventloggers/example-eventlogger uid: 740df780-18fa-11ea-a913-7a70ff46464a spec: eventTypes: - Noramal - Warning kinds: - eventTypes: - Noramal - Warning matchingPatterns: - .* name: DeploymentConfig skipOnMatch: false serviceAccount: default status: lastProcessed: '2019-12-07T14:10:41Z' operatorVersion: v0.1.0

[bakito]

The generated role is defined here: https://github.com/bakito/k8s-event-logger-operator/blob/master/pkg/controller/eventlogger/eventlogger_controller.go#L494

[bigg01]

this is the API call from OC client
oc get events -v 8 I1207 15:46:08.627346 34536 loader.go:359] Config loaded from file /Users/guo/.kube/config I1207 15:46:08.640094 34536 round_trippers.go:416] GET https://api.g01.containerize.ch:6443/api/v1/namespaces/test-event-logger/events?limit=500 I1207 15:46:08.640116 34536 round_trippers.go:423] Request Headers: I1207 15:46:08.640123 34536 round_trippers.go:426] User-Agent: oc/v0.0.0 (darwin/amd64) kubernetes/$Format I1207 15:46:08.640131 34536 round_trippers.go:426] Accept: application/json;as=Table;v=v1beta1;g=meta.k8s.io, application/json I1207 15:46:08.640137 34536 round_trippers.go:426] Authorization: Bearer OM9Yru6yG8sry5QBGSaWgoNErdwK2JTEfqs8IPi-QEY I1207 15:46:08.664180 34536 round_trippers.go:441] Response Status: 200 OK in 24 milliseconds I1207 15:46:08.664208 34536 round_trippers.go:444] Response Headers: I1207 15:46:08.664214 34536 round_trippers.go:447] Cache-Control: no-cache, private I1207 15:46:08.664219 34536 round_trippers.go:447] Content-Type: application/json I1207 15:46:08.664224 34536 round_trippers.go:447] Date: Sat, 07 Dec 2019 14:46:08 GMT I1207 15:46:08.668000 34536 request.go:942] Response Body: {"kind":"Table","apiVersion":"meta.k8s.io/v1beta1","metadata":{"selfLink":"/api/v1/namespaces/test-event-logger/events","resourceVersion":"2446279"},"columnDefinitions":[{"name":"Last Seen","type":"string","format":"","description":"The time at which the most recent occurrence of this event was recorded.","priority":0},{"name":"Type","type":"string","format":"","description":"Type of this event (Normal, Warning), new types could be added in the future","priority":0},{"name":"Reason","type":"string","format":"","description":"This should be a short, machine understandable string that gives the reason for the transition into the object's current status.","priority":0},{"name":"Object","type":"string","format":"","description":"The object that this event is about.","priority":0},{"name":"Subobject","type":"string","format":"","description":"If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[ [truncated 43265 chars] I1207 15:46:08.669398 34536 get.go:568] no kind "Table" is registered for version "meta.k8s.io/v1beta1" in scheme "k8s.io/kubernetes/pkg/api/legacyscheme/scheme.go:29" LAST SEEN TYPE REASON OBJECT MESSAGE 41m Normal Scheduled pod/event-logger-example-eventlogger-axhxkqfd Successfully assigned test-event-logger/event-logger-example-eventlogger-axhxkqfd to worker2.g01.containerize.ch 39m Normal Pulling pod/event-logger-example-eventlogger-axhxkqfd Pulling image "quay.io/bakito/k8s-event-logger:v0.1.0" 39m Normal Pulled pod/event-logger-example-eventlogger-axhxkqfd Successfully pulled image "quay.io/bakito/k8s-event-logger:v0.1.0"

[bakito]

Getting the latest revision was not limitted to the watch namespace. Hence a cluster role was required.