From a02f8318ea04f7d02a59ed2aeab7c776e4dfa503 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20CROCQUESEL?= <88554524+scrocquesel@users.noreply.github.com> Date: Fri, 21 Oct 2022 23:15:55 +0200 Subject: [PATCH 1/2] docs: add faq non clustered operator --- docs/documentation/faq.md | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/docs/documentation/faq.md b/docs/documentation/faq.md index e82f33dca3..95fef934d3 100644 --- a/docs/documentation/faq.md +++ b/docs/documentation/faq.md 
@@ -43,4 +43,31 @@ without an update: ``` Although you might consider using `EventSources`, to handle reconciliation triggering in a smarter -way. \ No newline at end of file +way. + +### Q: How can I run an operator without cluster scope rights? + +By default, JOSDK require access to CR at cluster scope. You may not be granted such +rights and you will see some error at startup that looks like: + +```plain +io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.local.svc/apis/mygroup/v1alpha1/mycr. Message: Forbidden! Configured service account doesn't have access. Service account may have been revoked. mycrs.mygroup is forbidden: User "system:serviceaccount:ns:sa" cannot list resource "mycrs" in API group "mygroup" at the cluster scope. +``` + +To restrict the operator to a set of namesapce, you may override the namespaces watched by a reconciler +at [Reconciler-level configuration](./configuration.md#reconciler-level-configuration): + +```java +Operator operator; +Reconciler reconciler; +... +operator.register(reconciler, configOverrider -> + configOverrider.settingNamespace("mynamespace")); +``` + +Furthermore, you may not be able to list CRDs at startup which is required when `checkingCRDAndValidateLocalModel` +is `true` (`false` by default). To disable, set it to `false` at [Operator-level configuration](./configuration.md#operator-level-configuration): + +```java +ConfigurationServiceProvider.overrideCurrent(o -> o.checkingCRDAndValidateLocalModel(false)); +``` From ca19846efc54ffdd0cf64bddd64daa35d211c00f Mon Sep 17 00:00:00 2001 From: Chris Laprun Date: Fri, 21 Oct 2022 23:15:55 +0200 Subject: [PATCH 2/2] fix: wording, clarify that annotation can also be used to configure namespaces --- docs/documentation/faq.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/documentation/faq.md b/docs/documentation/faq.md index 95fef934d3..d05d21e1dc 100644 --- a/docs/documentation/faq.md 
+++ b/docs/documentation/faq.md @@ -47,14 +47,14 @@ way. ### Q: How can I run an operator without cluster scope rights? -By default, JOSDK require access to CR at cluster scope. You may not be granted such +By default, JOSDK requires access to CRs at cluster scope. You may not be granted such rights and you will see some error at startup that looks like: ```plain io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.local.svc/apis/mygroup/v1alpha1/mycr. Message: Forbidden! Configured service account doesn't have access. Service account may have been revoked. mycrs.mygroup is forbidden: User "system:serviceaccount:ns:sa" cannot list resource "mycrs" in API group "mygroup" at the cluster scope. ``` -To restrict the operator to a set of namesapce, you may override the namespaces watched by a reconciler +To restrict the operator to a set of namespaces, you may override which namespaces are watched by a reconciler at [Reconciler-level configuration](./configuration.md#reconciler-level-configuration): ```java @@ -64,6 +64,7 @@ Reconciler reconciler; operator.register(reconciler, configOverrider -> configOverrider.settingNamespace("mynamespace")); ``` +Note that configuring the watched namespaces can also be done using the `@ControllerConfiguration` annotation. Furthermore, you may not be able to list CRDs at startup which is required when `checkingCRDAndValidateLocalModel` is `true` (`false` by default). To disable, set it to `false` at [Operator-level configuration](./configuration.md#operator-level-configuration):
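Review bot: in PATCH 1/2 (hunk @@ -43,4 +43,31 @@), the closing paragraph contradicts itself. It says listing CRDs is required when `checkingCRDAndValidateLocalModel` is `true`, notes the option is `false` by default, and then says "To disable, set it to `false`", so a reader cannot tell whether any action is needed. Suggest wording it so the override is only for setups that enabled the check, for example "if you enabled it, set it back to `false`". Two smaller points in the same hunk: the sample error's URL ends in `/mycr` while the message names resource "mycrs", so make them agree; and since the error shown is an RBAC denial, the answer should also say which rights the service account still needs in the watched namespaces, not only how to change the operator's configuration.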
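Review bot: in PATCH 2/2 (hunk @@ -47,14 +47,14 @@), the reworded sentence promises "a set of namespaces", but the example it introduces only shows a single one, `configOverrider.settingNamespace("mynamespace")`. Either show how several namespaces are passed, or say "a namespace" here so the text and the snippet match.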
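Review bot: in PATCH 2/2 (hunk @@ -64,6 +64,7 @@), the added "Note that configuring the watched namespaces ..." line sits directly under the closing code fence with no blank line before it. Add one so it is its own paragraph, like the other paragraphs in this answer. The note also does not say which attribute of `@ControllerConfiguration` sets the namespaces. Name it, or link to the configuration page as the neighbouring paragraphs do, so readers on restricted service accounts can apply it without searching.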