[Bug]: Wrong RBAC rules for operator installed via Helm Chart #248

Closed
3 of 4 tasks
ganto opened this issue Oct 23, 2023 · 2 comments · Fixed by #258

ganto commented Oct 23, 2023

Checklist

  • I've searched for similar issues and couldn't find anything matching
  • I've included steps to reproduce the behavior

Affected Components

  • K8sGPT (CLI)
  • K8sGPT Operator

K8sGPT Version

v0.0.22

Kubernetes Version

v1.26.9 (OpenShift 4.13.17)

Host OS and its Version

No response

Steps to reproduce

  1. Install operator from provided Helm chart:
$ helm repo add k8sgpt https://charts.k8sgpt.ai
$ helm repo update
$ helm install release k8sgpt/k8sgpt-operator -n k8sgpt-operator --create-namespace
  2. Check operator logs:
$ kubectl logs -n k8sgpt-operator -l app.kubernetes.io/name=k8sgpt-operator -c manager
2023-10-23T11:41:48Z	INFO	controller-runtime.metrics	Metrics server is starting to listen	{"addr": "127.0.0.1:8080"}
2023-10-23T11:41:48Z	INFO	setup	starting manager
2023-10-23T11:41:48Z	INFO	Starting server	{"kind": "health probe", "addr": "[::]:8081"}
2023-10-23T11:41:48Z	INFO	starting server	{"path": "/metrics", "kind": "metrics", "addr": "127.0.0.1:8080"}
I1023 11:41:48.615283       1 leaderelection.go:250] attempting to acquire leader lease k8sgpt-operator/ea9c19f7.k8sgpt.ai...
I1023 11:41:48.629791       1 leaderelection.go:260] successfully acquired lease k8sgpt-operator/ea9c19f7.k8sgpt.ai
2023-10-23T11:41:48Z	DEBUG	events	k8sgpt-operator-controller-manager-6ffc8bc49-25dds_3eca4903-f04a-4333-9790-7405b1fc392c became leader	{"type": "Normal", "object": {"kind":"Lease","namespace":"k8sgpt-operator","name":"ea9c19f7.k8sgpt.ai","uid":"c4fcc0e8-85f0-40c9-acec-7c9d7b20d4da","apiVersion":"coordination.k8s.io/v1","resourceVersion":"904465393"}, "reason": "LeaderElection"}
2023-10-23T11:41:48Z	INFO	Starting EventSource	{"controller": "k8sgpt", "controllerGroup": "core.k8sgpt.ai", "controllerKind": "K8sGPT", "source": "kind source: *v1alpha1.K8sGPT"}
2023-10-23T11:41:48Z	INFO	Starting Controller	{"controller": "k8sgpt", "controllerGroup": "core.k8sgpt.ai", "controllerKind": "K8sGPT"}
2023-10-23T11:41:48Z	INFO	Starting workers	{"controller": "k8sgpt", "controllerGroup": "core.k8sgpt.ai", "controllerKind": "K8sGPT", "worker count": 1}
Finished Reconciling k8sGPT with error: clusterroles.rbac.authorization.k8s.io "k8sgpt" is forbidden: user "system:serviceaccount:k8sgpt-operator:k8sgpt-operator-controller-manager" (groups=["system:serviceaccounts" "system:serviceaccounts:k8sgpt-operator" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["apiextensions.k8s.io"], Resources:["*"], Verbs:["*"]}
2023-10-23T13:03:09Z	ERROR	Reconciler error	{"controller": "k8sgpt", "controllerGroup": "core.k8sgpt.ai", "controllerKind": "K8sGPT", "K8sGPT": {"name":"k8sgpt-sample","namespace":"innovent-k8sgtp"}, "namespace": "innovent-k8sgtp", "name": "k8sgpt-sample", "reconcileID": "973f2a67-f160-4cfe-b54a-e3e64c9cd0e8", "error": "clusterroles.rbac.authorization.k8s.io \"k8sgpt\" is forbidden: user \"system:serviceaccount:k8sgpt-operator:k8sgpt-operator-controller-manager\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:k8sgpt-operator\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"apiextensions.k8s.io\"], Resources:[\"*\"], Verbs:[\"*\"]}"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:324
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:265
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:226
Finished Reconciling k8sGPT with error: clusterroles.rbac.authorization.k8s.io "k8sgpt" is forbidden: user "system:serviceaccount:k8sgpt-operator:k8sgpt-operator-controller-manager" (groups=["system:serviceaccounts" "system:serviceaccounts:k8sgpt-operator" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["apiextensions.k8s.io"], Resources:["*"], Verbs:["*"]}

Expected behaviour

Operator starts without error.

Actual behaviour

Operator fails to reconcile and cannot create ClusterRole with verbs: [*] as the permissions assigned to the ServiceAccount are restricted in the verbs (see chart/operator/templates/manager-rbac.yaml#L12).

Additional Information

It would be much more transparent if the operator didn't create any ClusterRoles by itself and all RBAC roles were managed by the Helm chart. For an initial trial of the operator it would also be beneficial to have a read-only mode with much more restricted rules.
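
The "attempting to grant RBAC permissions not currently held" error in the logs above comes from Kubernetes' RBAC escalation check: a subject may only create a role whose every rule is already covered by its own rules. The following is an added example, not part of the original issue or the operator's code, that models that coverage check in simplified form (it ignores resourceNames, nonResourceURLs and subresources). The names `PolicyRule` and `NotHeld` are hypothetical, and the held rule is a constructed stand-in for the chart's verb-restricted rule.

```go
package main

import "fmt"

// PolicyRule keeps only the three rbac/v1 PolicyRule fields shown in the error.
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// has reports whether list contains want or the "*" wildcard.
// A requested "*" is therefore matched only by a held "*".
func has(list []string, want string) bool {
	for _, s := range list {
		if s == "*" || s == want {
			return true
		}
	}
	return false
}

// NotHeld returns each requested group/resource:verb tuple no held rule covers.
func NotHeld(held, requested []PolicyRule) []string {
	var missing []string
	for _, req := range requested {
		for _, g := range req.APIGroups {
			for _, r := range req.Resources {
				for _, v := range req.Verbs {
					covered := false
					for _, h := range held {
						if has(h.APIGroups, g) && has(h.Resources, r) && has(h.Verbs, v) {
							covered = true
							break
						}
					}
					if !covered {
						missing = append(missing, fmt.Sprintf("%s/%s:%s", g, r, v))
					}
				}
			}
		}
	}
	return missing
}

func main() {
	// Requested rule copied from the error message in the operator logs.
	want := []PolicyRule{{[]string{"apiextensions.k8s.io"}, []string{"*"}, []string{"*"}}}
	// Constructed sample: same group, explicit verbs only (not the real chart contents).
	held := []PolicyRule{{[]string{"apiextensions.k8s.io"}, []string{"*"}, []string{"get", "list", "watch"}}}
	fmt.Println(NotHeld(held, want)) // explicit verbs never cover a requested "*"
	held[0].Verbs = []string{"*"}
	fmt.Println(NotHeld(held, want)) // empty once the holder itself has "*"
}
```

An explicit verb list never satisfies a requested `*`, however long it is, so the mismatch is resolved either by narrowing the role being created or by widening what the creator holds.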

@tpzumezawa

Have you tried using the namespace in the examples? "-n k8sgpt-operator-system"
We are also having some issues with the installation, and we noticed that currently the helm package was not "smart" enough to use another namespace different from the one in the examples.

@junskeep

I get the same error when running this command:
k logs -n k8sgpt-operator-system pod/release-k8sgpt-operator-controller-manager
