kic controller fails with watchNamespaces: cannot list resource endpointslices in API group discovery.k8s.io in the namespace

[jijiechen]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

The KIC pod enters a CrashLoopBackOff:

$ kubectl logs -n kic              kic-ingress-controller-5c7c599688-pv5wl -f
2025-04-17T08:30:08Z	info	Found configuration option for gated feature	{"v": 0, "feature": "KongCustomEntity", "enabled": true}
2025-04-17T08:30:08Z	info	Found configuration option for gated feature	{"v": 0, "feature": "CombinedServicesFromDifferentHTTPRoutes", "enabled": false}
2025-04-17T08:30:08Z	info	Found configuration option for gated feature	{"v": 0, "feature": "GatewayAlpha", "enabled": false}
2025-04-17T08:30:08Z	info	Found configuration option for gated feature	{"v": 0, "feature": "FillIDs", "enabled": true}
2025-04-17T08:30:08Z	info	Found configuration option for gated feature	{"v": 0, "feature": "RewriteURIs", "enabled": false}
2025-04-17T08:30:08Z	info	Found configuration option for gated feature	{"v": 0, "feature": "KongServiceFacade", "enabled": false}
2025-04-17T08:30:08Z	info	Found configuration option for gated feature	{"v": 0, "feature": "SanitizeKonnectConfigDumps", "enabled": true}
2025-04-17T08:30:08Z	info	Found configuration option for gated feature	{"v": 0, "feature": "FallbackConfiguration", "enabled": false}
2025-04-17T08:30:08Z	info	Diagnostics disabled	{"v": 0}
2025-04-17T08:30:08Z	info	setup	Starting controller manager	{"v": 0, "release": "NOT_SET", "repo": "NOT_SET", "commit": "NOT_SET"}
2025-04-17T08:30:08Z	info	setup	The ingress class name has been set	{"v": 0, "value": "kic"}
2025-04-17T08:30:08Z	info	setup	Getting the kubernetes client configuration	{"v": 0}
W0417 08:30:08.122433       1 client_config.go:667] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
2025-04-17T08:30:08Z	info	setup	Getting the kong admin api client configuration	{"v": 0}
W0417 08:30:08.122521       1 client_config.go:667] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
Error: failed to create manager: failed to create manager: unable to build kong api client(s): All attempts fail:
Kong/kubernetes-ingress-controller#1: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:kic:kic-ingress-controller" cannot list resource "endpointslices" in API group "discovery.k8s.io" in the namespace "kic"

Expected Behavior

The KIC controller runs successfully.

Steps To Reproduce

1. create a brand new Kubernetes cluster with kind/k3s (with commands attached below)
2. connect to the cluster and try to install KIC


All commands:


k3d cluster create   # this lanches a cluster using this image: rancher/k3s:v1.31.4-k3s1
kubectl create ns kuma-test

helm install kic-ingress --namespace kic --create-namespace \
  		--repo https://charts.konghq.com --version 0.19.0 \
		--set controller.ingressController.watchNamespaces={kuma-test} \
		--set controller.ingressController.ingressClass=kic \
		ingress

Kong Ingress Controller version

helm chart 0.19.0

Kubernetes version

v1.31.1, tested on kind and k3d

Anything else?

No response

[jijiechen]

Thanks @randmonkey for helping me figure out that I should also include the namespace where KIC is installed at as part of the watchNamespaces.

So my work is not blocked now and it's nice to have the KIC namespace included automatically.