OCP4: Kiali Operator 2.1–2.4 fails to install

Solution Verified

Issue

  • Installing Kiali Operator v2.1–2.4 and creating a Kiali CR with spec.version: v1.73 fails. The operator attempts to create the kiali-controlplane Role/ClusterRole but receives 403 Forbidden because it tries to grant RBAC permissions it does not hold.
  • Typical error (from the operator log / install task):
    "message": "Failed to create object: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"roles.rbac.authorization.k8s.io \\\\\"kiali-controlplane\\\\\" is forbidden: user \\\\\"system:serviceaccount:openshift-operators:kiali-operator\\\\\" (groups=[\\\\\"system:serviceaccounts\\\\\" \\\\\"system:serviceaccounts:openshift-operators\\\\\" \\\\\"system:authenticated\\\\\"]) is attempting to grant RBAC permissions not currently held:\\\\n{APIGroups:[\\\\\"\\\\\"], Resources:[\\\\\"secrets\\\\\"], ResourceNames:[\\\\\"cacerts\\\\\"], Verbs:[\\\\\"get\\\\\"]}\\\\n{APIGroups:[\\\\\"\\\\\"], Resources:[\\\\\"secrets\\\\\"], ResourceNames:[\\\\\"istio-ca-secret\\\\\"], Verbs:[\\\\\"get\\\\\"]}\",\"reason\":\"Forbidden\",\"details\":{\"name\":\"kiali-controlplane\",\"group\":\"rbac.authorization.k8s.io\",\"kind\":\"roles\"},\"code\":403}
  • The ClusterRoleBinding kiali-controlplane exists but the ClusterRole itself does not, which leads to the same failure.
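
The 403 above is Kubernetes RBAC escalation prevention: a subject cannot create a Role that grants rules it does not itself hold. The following added example (not Red Hat's or the Kiali project's code) parses that error text and builds read-only `oc auth can-i` checks for each missing rule; the namespace is a placeholder because the page does not state it, and the sample is the page's message trimmed (groups list omitted).

```python
import re

# Inner Status message from the Issue section, trimmed; escaping kept as it
# appears in the operator log.
SAMPLE = (
    r'roles.rbac.authorization.k8s.io \\\\\"kiali-controlplane\\\\\" is forbidden: '
    r'user \\\\\"system:serviceaccount:openshift-operators:kiali-operator\\\\\" '
    r'is attempting to grant RBAC permissions not currently held:'
    r'\\\\n{APIGroups:[\\\\\"\\\\\"], Resources:[\\\\\"secrets\\\\\"], ResourceNames:[\\\\\"cacerts\\\\\"], Verbs:[\\\\\"get\\\\\"]}'
    r'\\\\n{APIGroups:[\\\\\"\\\\\"], Resources:[\\\\\"secrets\\\\\"], ResourceNames:[\\\\\"istio-ca-secret\\\\\"], Verbs:[\\\\\"get\\\\\"]}'
)
# Resource-style PolicyRule as printed in the error (ResourceNames is optional).
RULE_RE = re.compile(
    r'\{APIGroups:\[(.*?)\], Resources:\[(.*?)\]'
    r'(?:, ResourceNames:\[(.*?)\])?, Verbs:\[(.*?)\]\}')

def _items(body):
    """Split a Go-style list body such as '"a" "b"' into ['a', 'b']."""
    return re.findall(r'"([^"]*)"', body or "")

def parse_escalation_error(text):
    """Return the denied object, the requesting user and the rules not held."""
    flat = text.replace("\\", "")  # undo the nested JSON escaping
    obj = re.search(r'([a-z0-9.]+) "([^"]+)" is forbidden', flat)
    user = re.search(r'user "([^"]+)"', flat)
    if not (obj and user and "not currently held" in flat):
        raise ValueError("not an RBAC escalation error")
    rules = [{"apiGroups": _items(g), "resources": _items(r),
              "resourceNames": _items(n), "verbs": _items(v)}
             for g, r, n, v in RULE_RE.findall(flat)]
    return {"kind": obj.group(1), "name": obj.group(2),
            "user": user.group(1), "missing": rules}

def can_i_commands(parsed, namespace="<control-plane-namespace>"):
    """Build read-only `oc auth can-i` checks, one per verb/resource/name."""
    cmds = []
    for rule in parsed["missing"]:
        for group in rule["apiGroups"] or [""]:
            for res in rule["resources"]:
                target = f"{res}.{group}" if group else res
                for name in rule["resourceNames"] or [None]:
                    obj = f"{target}/{name}" if name else target
                    for verb in rule["verbs"]:
                        cmds.append(f"oc auth can-i {verb} {obj} "
                                    f"--as={parsed['user']} -n {namespace}")
    return cmds

if __name__ == "__main__":
    for cmd in can_i_commands(parse_escalation_error(SAMPLE)):
        print(cmd)
```

A `no` answer from any printed command confirms that the operator service account lacks that rule in the namespace where the Role is being created.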

Environment

  • Red Hat OpenShift Container Platform (RHOCP) 4.14+
  • Kiali 2.1-2.4
  • Kiali server (spec.version): v1.73
