GKE - cannot list resource \"secrets\" in API group \"\" at the cluster scope"

[tasnyccbs]

Describe the bug
Running ESO in GKE pulling from Google secrets manager. I am only using namespaced (kind: SecretStore & kind: ExternalSecret )level secrets and no clusterlevel. From the documentation, by setting scopedRBAC: true and scopedNamespace: my-namespace this should only look within the my-namespace namespace but for some reason when looking at the logs of the controller in the namespace i see

"Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.1/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:my-namespace:my-ksa\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError"

Also getting "Reconciler error" in logs which i believe is related.

I am not sure why its looking at the cluster scope at all, but constantly getting this error which sometimes causes a pod restart.

To Reproduce
I have three GKE clusters and getting the same errors in each namespace

Expected behavior
I would assume It doesn't need to list from cluster scope since only running in namespace.
If that is in fact the default behavior , it seems to be missing a ClusterRole and ClusterRoleBinding or this is a bug and shouldn't be looking there at all

Additional context
For now to stop it from erroring i have set extraObjects in the values file creating the ClusterRole and ClusterRoleBinding it's requesting for. Unless I'm setting something wrong I feel I shouldn't have to set this.
With all that said, despite the errors eso is working as intended.
Here is what I added for the errors to stop.

extraObjects:
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-cluster-role-fix
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: external-secrets-cluster-rolebindin-fix
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-secrets-cluster-role-cribl-fix
subjects:
- kind: ServiceAccount
name: eso-ksa
namespace: my-namespace

Maybe i'm doing something wrong, maybe its something with GKE as I am not having these issues with microk8s in home lab. Hopefully it's not something stupid on my end.
Thanks for the help!

[Skarlso]

Hmm... Can you take a look at the RBAC for the ESO service account? It should be set to this:

{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}

Should be called this name: {{ include "external-secrets.fullname" . }}-controller.

If its has the right scope, there some kind of problem. :)

Also, can you show how you installed ESO?

[tasnyccbs]

Let me give you more details. We are using version 0.14.3 (latest)

CRDs
I install the CRD's separately in its own namespace (external-secrets).
I override the following from the defaults with my own values file for CRDs installs and upgrades ( some are already defaults but like to set them to make it more visible )

installCRDs: true
createOperator: false
serviceAccount:
  # -- Specifies whether a service account should be created.
  create: false
rbac:
  # -- Specifies whether role and rolebinding resources should be created.
  create: false
certController:
  # -- Specifies whether a certificate controller deployment be created.
  create: true
webhook:
  # -- Specifies whether a webhook deployment be created.
  create: true

I have also switch rbac to true to test, but that still didn't fix the issue as I was trying all different combinations of changes to get it not to error in the logs.

Please note that i only helm install the crd's in this namespace using these values which just adds the cert and webhook deployments . The crds are are cluster wide. I also don't need webhooks but had to enable it about a year ago as we were troubleshooting slowness on a GKE cluster with Google support and found eso was making calls slowing it down. Once enabled webhook the problem went away.

Namespaced:
On different namespaces we helm deploy our applications using pretty much these overrides with our own values file.
Using GCP workload identity, giving roles/perms to the GSA passed down to the NAMESPACE:KSA in K8s.
This is just an example as we have different GSA's and KSA's in each namespace.

# Dependencies - Chart.yaml
external-secrets:
  installCRDs: false 
  scopedRBAC: true
  scopedNamespace: mynamespace
  serviceAccount:
    # -- Specifies whether a service account should be created.
    create: true
    name: eso-ksa-mynamespace
    annotations:
      iam.gke.io/gcp-service-account: eso-gsa@my-gcp-project.iam.gserviceaccount.com
  certController:
    # -- Specifies whether a certificate controller deployment be created.
    create: false
  webhook:
    # -- Specifies whether a webhook deployment be created.
    create: false

As for your initial question, if i remove the extraObjects from my values file, which was my workaround to stop the errors and run a helm template it creates a kind: Role and kind: RoleBinding only which is what we expected since only namespaced scope.

Here they are :
Role:

# Source: mynamespace/charts/external-secrets/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mynamespace-dev-test-external-secrets-controller
  namespace: "mynamespace"
  labels:
    helm.sh/chart: external-secrets-0.14.3
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: mynamespace-dev-test
    app.kubernetes.io/version: "v0.14.3"
    app.kubernetes.io/managed-by: Helm
rules:
  - apiGroups:
    - "external-secrets.io"
    resources:
    - "secretstores"
    - "clustersecretstores"
    - "externalsecrets"
    - "clusterexternalsecrets"
    - "pushsecrets"
    verbs:
    - "get"
    - "list"
    - "watch"
  - apiGroups:
    - "external-secrets.io"
    resources:
    - "externalsecrets"
                                                                                                                                         57,43          5%
    resources:
    - "configmaps"
    verbs:
    - "get"
    - "list"
    - "watch"
  - apiGroups:
    - ""
    resources:
    - "secrets"
    verbs:
    - "get"
    - "list"
    - "watch"
    - "create"
    - "update"
    - "delete"
    - "patch"
  - apiGroups:
    - ""
    resources:
    - "serviceaccounts/token"
    verbs:
    - "create"
  - apiGroups:
    - ""
    resources:
    - "events"
    verbs:
    - "create"
    - "patch"
  - apiGroups:
    - "external-secrets.io"
    resources:
    - "externalsecrets"
    verbs:
    - "create"
    - "update"
    - "delete"
---

RoleBinding:

# Source: mynamespace/charts/external-secrets/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mynamespace-dev-test-external-secrets-controller
  namespace: "mynamespace"
  labels:
    helm.sh/chart: external-secrets-0.14.3
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: mynamespace-dev-test
    app.kubernetes.io/version: "v0.14.3"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mynamespace-dev-test-external-secrets-controller
subjects:
  - name: eso-ksa-mynamespace
    namespace: mynamespace
    kind: ServiceAccount
---

On another maybe related question i'm not sure why this ClusterRole gets created as it doesn't seem to bind to anything that i can see.

# Source: mynamespace/charts/external-secrets/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mynamespace-dev-test-external-secrets-servicebindings
  labels:
    servicebinding.io/controller: "true"
    helm.sh/chart: external-secrets-0.14.3
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: mynamespace-dev-test
    app.kubernetes.io/version: "v0.14.3"
    app.kubernetes.io/managed-by: Helm
rules:
  - apiGroups:
    - "external-secrets.io"
    resources:
    - "externalsecrets"
    verbs:
    - "get"
    - "list"
    - "watch"
---

This is from the the default values file rbac.servicebinding = true which is set HERE

I've been banging my head on my desk the last couple of days trying to figure out if i have some values set wrong that is causing this so I do appreciate you taking some time to look into this for me.

Thank you
Tas

[4sachi]

Hi @tasnyccbs, all,

I was also trying to install the ESO using scopedRBAC: true option and facing the similar issues you mentioned in the ticket. The controller Role created by the helm chart has the all the secrets permission in the namespace however ESO pod was trying to list the secrets at the cluster level. Even though, the creation of the external-secret (vault) and the k8s secret worked for me, however the secrets refresh/updates were not working.

For me, this problem was solved by setting the controller argument --enable-managed-secrets-caching=false (default is true) without providing the cluster wide secrets permissions. https://external-secrets.io/latest/api/controller-options/

After setting this argument, the errors in the logs disappeared and the creation of the external-secret and k8s secrets worked. Also the changes to the vaults secrets are updated to the k8s secrets as well.

However I am quite not sure, whether disabling this has any other effects / this is the intended use of this command line arg.

          args:
          - --namespace=tools-all-int
          - --enable-cluster-store-reconciler=false
          - --enable-cluster-external-secret-reconciler=false
          - --enable-push-secret-reconciler=false
          - --concurrent=1
          **- --enable-managed-secrets-caching=false**
          - --metrics-addr=:8080
          - --loglevel=info
          - --zap-time-encoding=epoch

Also the helm chart support for passing exterArgs to the controller. (Use quotes around the value "false", other wise the value will not become available in the args side)

extraArgs:
  enable-managed-secrets-caching: "false"

Thanks,
Sachin

[Skarlso]

I was on vacation, let me try to pick up this thread again :)

[Skarlso]

@tasnyccbs I'm not sure I understand. So after you remove the extraObjects, things are working? Or is it just that the RBAC appeared?

@4sachi that is... unexpected. Like, we don't really do anything, just start a watch loop and a cache in that thing. Nothing that we don't do otherwise. Is it the same RBAC error and setup?

I'm also wondering how no-one else is having this problem. :D

[4sachi]

Hi @Skarlso,

Thank you for checking the comment.

I have received the same errors as Tas mentioned in the ticket description. My setup is explained below,

1. Here I have installed the CRD's separately

kubectl apply -k "https://raw.githubusercontent.com/external-secrets/external-secrets/v0.14.3/deploy/crds/bundle.yaml"

2. Then installed the application with Helm chart using the scopedRBAC: true option with few others showing below.
   By this way the application can be deployed in a namespace itself, without having any cluster resources including the ClusterRole creation.

helm -n tools-all-int install my-external-secrets external-secrets-operator/external-secrets --version 0.14.3 --values values.yaml

installCRDs: false

scopedRBAC: true
scopedNamespace: tools-all-int

rbac:
  servicebindings:
    create: false

leaderElect: false

processClusterExternalSecret: false
processClusterStore: false
processPushSecret: false

webhook:
  create: false
  
certController:
  create: false

3. After the deployment, the controller was printing the error messages saying that it cannot access the secrets in cluster scope
   E0301 06:59:53.138870 1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:tools-all-int:my-external-secrets\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError"

4. Even with this error, the creation of Hashicorp vault SecretStore and ExternalSecret resource worked and the ESO created the k8s secret as well. However the updates made to the vault Secret didn't synced back to the k8s side.

5. Then I have passed the command line arg --enable-managed-secrets-caching=false from the helm chart side and this error message disappeared. Also the updates made to the Vault secrets are synced to the k8s secret as well.

extraArgs:
  enable-managed-secrets-caching: "false"

Thanks,
Sachin

[tasnyccbs]

@Skarlso The added extraObjects was just a workaround for the errors to go away .. giving it cluster access to list.
If i remove the extraObjects I still get the cluster level errors in the logs from the controller pod in the namespace.

I was just checking on an update on this issue and haven't tried --enable-managed-secrets-caching=false as of yet as it does seem like others are seeing the same issues I have been experiencing.
I'm not sure if that is just another workaround or this is something I should just set in my values file as @4sachi mentioned.

It might not be related but curious if @4sachi is also using GKE . My setup is using GKE syncing secrets from Google Secrets manager.

"I'm also wondering how no-one else is having this problem" I'm not sure.. I wouldn't be surprised users haven't looked at the controller logs because it still works despite the errors. At least for me, the kubernets secrets are being created and updated yet the logs state this error.

Thanks,
Tas

[Skarlso]

That is so weird. I'll try to create a GKE cluster and see what's up.

[4sachi]

Hi @tasnyccbs: Currently I am testing the ESO deployment in my local Kind cluster. However I am planning to deploy the ESO solution in AWS EKS cluster for syncing the secrets from the Hashicorp Vault.

Hi @Skarlso: I just reproduced the issue using the values file mentioned in my previous comment in a fresh Kind cluster as well.

Thanks,
Sachin

[Skarlso]

Thanks, I think I saw something like that when using Kind as well... there definitely is something wrong.

[Skarlso]

Okay, so the partial metadata cache is the problem. And it basically requires listing secrets on the cluster scope in order to watch them. Like @4sachi a workaround for now is to disable the managed caching. I'll see if I can make it cluster scoped.