When installing ray operator with the following settings
singleNamespaceInstall: true
rbacEnable: true
crNamespacedRbacEnable: true
watchNamespace:
- xxx
we get the error
E1122 16:36:19.205328 1 reflector.go:138] go/pkg/mod/k8s.io/client-go@v0.23.0/tools/cache/reflector.go:167: Failed to watch *v1.Job: failed to list *v1.Job: jobs.batch is forbidden: User "system:serviceaccount:default:kuberay-operator" cannot list resource "jobs" in API group "batch" in the namespace "xxx"
I believe this is due to missing rules from
https://github.com/ray-project/kuberay-helm/blob/main/helm-chart/kuberay-operator/templates/multiple_namespaces_role.yaml
The batch.jobs RBAC permission is present in the cluster role equivalent here
|
- apiGroups: |
|
- batch |
|
resources: |
|
- jobs |
|
verbs: |
|
- create |
|
- delete |
|
- get |
|
- list |
|
- patch |
|
- update |
|
- watch |
When installing ray operator with the following settings
we get the error
I believe this is due to missing rules from
https://github.com/ray-project/kuberay-helm/blob/main/helm-chart/kuberay-operator/templates/multiple_namespaces_role.yaml
The
batch.jobsRBAC permission is present in the cluster role equivalent herekuberay-helm/helm-chart/kuberay-operator/templates/role.yaml
Lines 10 to 21 in 07463a1