cluster-manager-xxx-webhook-sa cannot list resources for missing permission

[captainroy-hy]

In a hub cluster, cluster-manager-work-webhook outputs below error log

reflector.go:138]] k8s.io/client-go@v0.21.0-rc.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-hub:cluster-manager-work-webhook-sa" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope

and cluster-manager-registration-webhook outputs similar error

reflector.go:138] k8s.io/client-go@v0.21.0-rc.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-hub:cluster-manager-registration-webhook-sa" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope                                             
reflector.go:138] k8s.io/client-go@v0.21.0-rc.0/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-hub:cluster-manager-registration-webhook-sa" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope 

image: quay.io/open-cluster-management/registration:latest (SHA256: 9a9db2eb9c8a)
clustermanager csv 0.4.0

[captainroy-hy]

Close.
open-cluster-management-io/community#40 (comment)