[Bug] : RBAC Permissions #252

Closed
4 tasks done
junskeep opened this issue Oct 30, 2023 · 9 comments

@junskeep

Checklist

  • I've searched for similar issues and couldn't find anything matching
  • I've included steps to reproduce the behavior

Affected Components

  • K8sGPT (CLI)
  • K8sGPT Operator

K8sGPT Version

v0.0.22

Kubernetes Version

v1.26.8 (EKS)

Host OS and its Version

No response

Steps to reproduce

Previously, I installed and used the CLI with the operator, but I modified the configuration file by activating Slack. There was no notification in Slack, and this error occurred in the operator pod.

Expected behaviour

Successful Slack Notification

Actual behaviour

```
k logs -n k8sgpt-operator-system pod/release-k8sgpt-operator-controller-manager-748c47b497-mfp4q

Finished Reconciling k8sGPT with error: clusterroles.rbac.authorization.k8s.io "k8sgpt" is forbidden: user "system:serviceaccount:k8sgpt-operator-system:release-k8sgpt-operator-controller-manager" (groups=["system:serviceaccounts" "system:serviceaccounts:k8sgpt-operator-system" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["apiextensions.k8s.io"], Resources:[""], Verbs:[""]}
2023-10-26T07:37:18Z ERROR Reconciler error {"controller": "k8sgpt", "controllerGroup": "core.k8sgpt.ai", "controllerKind": "K8sGPT", "K8sGPT": {"name":"k8sgpt-sample","namespace":"k8sgpt-operator-system"}, "namespace": "k8sgpt-operator-system", "name": "k8sgpt-sample", "reconcileID": "50807cd7-8c6a-404d-bebb-6d05d2856f37", "error": "clusterroles.rbac.authorization.k8s.io "k8sgpt" is forbidden: user "system:serviceaccount:k8sgpt-operator-system:release-k8sgpt-operator-controller-manager" (groups=["system:serviceaccounts" "system:serviceaccounts:k8sgpt-operator-system" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:["apiextensions.k8s.io"], Resources:[""], Verbs:[""]}"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:324
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:265
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:226
```

Additional Information

I followed the existing guide, and I also proceeded with the reinstallation, but I couldn't solve it.

@AlexsJones
Member

I believe this occurs in an upgrade scenario, as we have modified the RBAC completely.
Can you please try to uninstall the release completely, then install?

Alternatively run this step

```
git clone https://github.com/k8sgpt-ai/k8sgpt-operator.git
cd k8sgpt-operator
make undeploy
make uninstall
```

Let me know how you get on

@AlexsJones AlexsJones self-assigned this Nov 3, 2023
@AlexsJones AlexsJones added the bug Something isn't working label Nov 3, 2023
@jiuan111

jiuan111 commented Nov 4, 2023

I added the RBAC rule below to the ClusterRole "xxx-manager-role", and the problem was solved.

```yaml
- verbs:
    - '*'
  apiGroups:
    - apiextensions.k8s.io
  resources:
    - '*'
```

@junskeep
Author

junskeep commented Nov 6, 2023

Thank you. I will continue to help K8sGPT become a better open source project through many tests.

@arbreezy
Member

arbreezy commented Nov 6, 2023

@AlexsJones I was thinking that it makes sense to remove cluster role and cluster role binding from our code base and move it as part of the helm chart, wdyt ?

@arbreezy
Member

arbreezy commented Nov 10, 2023

@junskeep can you share your K8sGPT manifest please?
Slack support shouldn't trigger this error, I will prepare a fix in the upcoming release to handle RBAC from the Helm chart.

@arbreezy
Member

The actual issue is coming from K8s behavior with updating/creating roles. The RBAC API prevents users from escalating privileges by editing roles or role bindings. Because this is enforced at the API level, it applies even when the RBAC authorizer is not in use.
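The check arbreezy describes can be reproduced without a cluster. The API server breaks every PolicyRule in the role being written down into (apiGroup, resource, verb) triples and refuses the write unless each triple is already covered by a rule the caller holds, or the caller has the `escalate` verb on the role resource. The code below is an added example written for this page, not k8sgpt-operator or Kubernetes code; it reimplements that coverage test for resource rules and runs it against a constructed approximation of the operator's manager ClusterRole and of the ClusterRole the reconciler creates. The rule contents, names and the narrower alternative rule are assumptions for illustration; the only thing taken from the issue is that the manager role held nothing in `apiextensions.k8s.io` while the role being created needed it.

```python
from itertools import product

# Reimplementation of the Kubernetes RBAC "is attempting to grant RBAC
# permissions not currently held" check (added example, not project code).
# Only resource rules are modelled; nonResourceURLs are left out.

WILDCARD = "*"
RBAC_GROUP = "rbac.authorization.k8s.io"


def _breakdown(rules):
    """Expand each PolicyRule dict into (apiGroup, resource, verb) triples."""
    triples = []
    for r in rules:
        for group, resource, verb in product(r["apiGroups"], r["resources"], r["verbs"]):
            triples.append((group, resource, verb))
    return triples


def _resource_matches(held, wanted):
    """'*' covers everything; '*/status' covers any resource's status subresource."""
    if held == WILDCARD or held == wanted:
        return True
    if held.startswith(WILDCARD + "/") and "/" in wanted:
        return wanted.split("/", 1)[1] == held.split("/", 1)[1]
    return False


def _covers(held_triple, wanted_triple):
    hg, hr, hv = held_triple
    wg, wr, wv = wanted_triple
    return (hg == WILDCARD or hg == wg) and _resource_matches(hr, wr) and (hv == WILDCARD or hv == wv)


def uncovered(held_rules, wanted_rules):
    """Triples granted by wanted_rules that no rule in held_rules covers."""
    held = _breakdown(held_rules)
    return [w for w in _breakdown(wanted_rules) if not any(_covers(h, w) for h in held)]


def may_create_role(held_rules, wanted_rules, role_resource="clusterroles"):
    """Mirror the API server's escalation check when writing a (Cluster)Role.

    Returns (allowed, missing_triples). Allowed if the caller already holds
    every permission in the role, or holds 'escalate' on the role resource.
    """
    escalate = [{"apiGroups": [RBAC_GROUP], "resources": [role_resource], "verbs": ["escalate"]}]
    if not uncovered(held_rules, escalate):
        return True, []
    missing = uncovered(held_rules, wanted_rules)
    return not missing, missing


# Constructed approximation of the operator manager ClusterRole before the fix:
# it may write ClusterRoles but holds nothing in apiextensions.k8s.io.
OPERATOR_ROLE_BEFORE = [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    {"apiGroups": ["core.k8sgpt.ai"], "resources": ["k8sgpts", "k8sgpts/status"], "verbs": ["*"]},
    {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles", "clusterrolebindings"],
     "verbs": ["create", "get", "list", "update", "delete"]},
]

# Constructed ClusterRole the reconciler tries to create for the k8sgpt pod.
K8SGPT_ROLE = [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["get", "list"]},
]

# The broad rule added in the thread, and a narrower (assumed) alternative that
# grants only what the constructed K8SGPT_ROLE actually needs.
BROAD_FIX_RULE = {"apiGroups": ["apiextensions.k8s.io"], "resources": ["*"], "verbs": ["*"]}
NARROW_FIX_RULE = {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["get", "list"]}

OPERATOR_ROLE_AFTER = OPERATOR_ROLE_BEFORE + [BROAD_FIX_RULE]
OPERATOR_ROLE_NARROW = OPERATOR_ROLE_BEFORE + [NARROW_FIX_RULE]


if __name__ == "__main__":
    for label, held in (("before fix", OPERATOR_ROLE_BEFORE),
                        ("broad fix", OPERATOR_ROLE_AFTER),
                        ("narrow fix", OPERATOR_ROLE_NARROW)):
        ok, missing = may_create_role(held, K8SGPT_ROLE)
        print(f"{label}: allowed={ok} missing={missing}")
```

With the "before" role the check reports exactly the triples the operator lacks, which is the information behind the `is attempting to grant RBAC permissions not currently held` message in the log above. The narrow rule passes the same check as the wildcard one, so when a manager role has to be widened, grant the specific resources and verbs the created role needs rather than `*` on the whole API group; `escalate` on `clusterroles` also bypasses the check, but it lets the holder grant anything, so it is the last option to reach for.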

@junskeep
Author

There were no modifications other than this code.

```yaml
apiVersion: core.k8sgpt.ai/v1alpha1
kind: K8sGPT
metadata:
  name: k8sgpt-sample
  namespace: k8sgpt-operator-system
spec:
  ai:
    enabled: true
    model: gpt-3.5-turbo
    backend: openai
    secret:
      name: k8sgpt-sample-secret
      key: openai-api-key
    # anonymized: false
    # language: Korean
  noCache: false
  version: v0.3.17
  #integrations:
  # trivy:
  #  enabled: true
  #  namespace: trivy-system
  # filters:
  #   - Ingress
  sink:
    type: slack
    webhook: https://hooks.slack.com/services/${webhookURL}
  # extraOptions:
  #   backstage:
  #     enabled: true
```

@arbreezy
Member

arbreezy commented Nov 10, 2023

I raised a PR to fix the RBAC (#259), and in the meantime we can work on this feature to manage RBAC controls from Helm.

@arbreezy
Member

There is a fix now, please upgrade to the latest operator version.
