Incorrect RBAC rules in examples/rbac/rbac.yml

[indradhanush]

When applying kubectl apply -f example/rbac/ the following error is seen in the operator logs:

ERROR: logging before flag.Parse: E0329 10:21:22.529618       1 reflector.go:205] github.com/kinvolk/habitat-operator/pkg/controller/controller.go:126: Failed to list *v1beta1.Deployment: deployments.apps is forbidden: User "system:serviceaccount:default:habitat-operator" cannot list deployments.apps at the cluster scope

On adding the following to examples/rbac/rbac.yml, and running kubectl apply, the error is fixed:

  - apps
  resources:
    - deployments
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]```

[indradhanush]

I used minikube for testing this:

minikube start --kubernetes-version v1.9.4 --extra-config=apiserver.Authorization.Mode=RBAC && eval $(minikube docker-env)

[krnowak]

I have tested it with kube-spawn using my own docker image with habitat-operator built from current master (f4f27e7, docker image - docker.io/krnowak/habitat-operator:latest). It worked fine.

So, I think the reason behind this issue is that you applied RBAC rules from the master branch (that now handles stateful sets instead of deployments) and created habitat operator deployment that used docker.io/kinvolk/habitat-operator:v0.5.1, which contains the latest release of habitat-operator, but it handles deployments, not stateful sets though - habitat operator that handles stateful sets was not yet released.

So, this is something to remember - next time maybe do something like:

make HUB=docker.io DOCKER_ORG=<your-org> TAG=latest image
docker push docker.io/<your-org>/habitat-operator:latest
sed -i -e 's/image: .*/image: <your-org>\/habitat-operator:latest/' examples/rbac/habitat-operator.yml
kubectl apply -f examples/rbac/

So I think we can close this issue. But the issue gave me some idea for which I'll open a new one.

[krnowak]

See #228.

[indradhanush]

Verified using your suggestion and it works. Thanks. Sorry for not being thorough with this.