Description:
From the namespace-scoped gateway implementation feature, how is it supposed to have permissions for the selected namespace through a label? Is it supposed to create a ClusterRole where `namespaceSelector` is watched instead of a list of namespaces?
Was it expected that the namespace owners create the RBAC separately? I couldn't find any documentation around it. But I see that only `watch.type = Namespaces` is handled under the RBAC template.
Repro steps:
- Install EG with a namespace-scoped config:

```yaml
envoy-gateway:
  config:
    envoyGateway:
      admin:
        address:
          port: 19000
      provider:
        type: Kubernetes
        kubernetes:
          deploy:
            type: GatewayNamespace
          watch:
            type: NamespaceSelector
            namespaceSelector:
              matchLabels:
                gateway: enabled # limit namespaces to only those with the label
```
- Install a sample deployment and gateway in a namespace which has the label `gateway: enabled`. The gateway deployment is not created.
- The EG control plane has the logs below:

```
{"runner": "infrastructure", "error": "failed to create or update serviceaccount podinfo-test/echo-gateway: failed to create/update resource with server-side apply for obj &ServiceAccount{ObjectMeta:{echo-gateway podinfo-test 0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[app.kubernetes.io/component:proxy app.kubernetes.io/managed-by:envoy-gateway app.kubernetes.io/name:envoy gateway.envoyproxy.io/owning-gateway-name:echo-gateway gateway.envoyproxy.io/owning-gateway-namespace:podinfo-test gateway.networking.k8s.io/gateway-name:echo-gateway] map[] [{gateway.networking.k8s.io/v1 Gateway echo-gateway 72fd45d3-89ae-4ef8-be69-0772a2081982 <nil> <nil>}] [] []},Secrets:[]ObjectReference{},ImagePullSecrets:[]LocalObjectReference{},AutomountServiceAccountToken:*false,}: serviceaccounts \"echo-gateway\" is forbidden: User \"system:serviceaccount:envoy-gateway-system:envoy-gateway\" cannot patch resource \"serviceaccounts\" in API group \"\" in the namespace \"podinfo-test\""}
```
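The failure above is an RBAC coverage gap: the selector picks namespaces dynamically, but the grant for the controller's service account has to exist in each selected namespace. The following is an added audit example (not Envoy Gateway code) that evaluates the selector against constructed namespace, Role and RoleBinding objects and reports which selected namespaces lack the permission named in the error; the cluster state, the `eg-infra` Role and the `team-b` namespace are constructed.

```python
"""Audit per-namespace RBAC for a NamespaceSelector-scoped controller.
Added example (not Envoy Gateway code); the objects below are constructed
stand-ins for what `kubectl get ns,role,rolebinding -A -o json` would return."""

# Service account and denied permission taken from the error message in the issue.
SUBJECT = {"kind": "ServiceAccount", "name": "envoy-gateway", "namespace": "envoy-gateway-system"}
NEEDED = [("", "serviceaccounts", "patch")]  # (apiGroup, resource, verb)
SELECTOR = {"gateway": "enabled"}             # watch.namespaceSelector.matchLabels

# Constructed cluster state: podinfo-test is labelled but has no binding, team-b has one.
NAMESPACES = [
    {"name": "podinfo-test", "labels": {"gateway": "enabled"}},
    {"name": "team-b", "labels": {"gateway": "enabled"}},
    {"name": "default", "labels": {}},
]
ROLES = {("team-b", "eg-infra"): [  # keyed by (namespace, role name), hypothetical Role
    {"apiGroups": [""], "resources": ["serviceaccounts", "services"], "verbs": ["get", "create", "patch"]}]}
ROLEBINDINGS = [{"namespace": "team-b", "roleRef": {"kind": "Role", "name": "eg-infra"},
                 "subjects": [SUBJECT]}]


def selected_namespaces(namespaces, match_labels):
    """Names of namespaces whose labels include every key/value in match_labels."""
    return [ns["name"] for ns in namespaces
            if all(ns["labels"].get(k) == v for k, v in match_labels.items())]


def rule_allows(rule, group, resource, verb):
    """RBAC rule semantics: every field must list the value or the '*' wildcard."""
    return all(want in have or "*" in have for want, have in
               ((group, rule["apiGroups"]), (resource, rule["resources"]), (verb, rule["verbs"])))


def missing_grants(namespaces, roles, bindings, subject, needed, selector):
    """Return {namespace: [(group, resource, verb), ...]} for selected namespaces where no
    RoleBinding to `subject` grants the permission. Only RoleBinding -> Role pairs are
    resolved; bindings to ClusterRoles are deliberately left out to keep the check local."""
    missing = {}
    for ns in selected_namespaces(namespaces, selector):
        rules = [r for b in bindings
                 if b["namespace"] == ns and subject in b["subjects"] and b["roleRef"]["kind"] == "Role"
                 for r in roles.get((ns, b["roleRef"]["name"]), [])]
        gaps = [perm for perm in needed if not any(rule_allows(r, *perm) for r in rules)]
        if gaps:
            missing[ns] = gaps
    return missing


if __name__ == "__main__":
    for ns, gaps in missing_grants(NAMESPACES, ROLES, ROLEBINDINGS, SUBJECT, NEEDED, SELECTOR).items():
        print(f"{ns}: {SUBJECT['name']} lacks {gaps}")  # podinfo-test is reported, team-b is not
```

Run against real objects, the same check tells you before deploying a Gateway whether labelling a namespace will produce exactly this `forbidden` error.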