[BUG] Setting manager.watchNamespace cause controller error logs spamming #1075
Description
What is the bug?
Setting manager.watchNamespace cause controller error logs spamming about
not having permissions to list resources at cluster scope regardless of option useRoleBindings: false or useRoleBindings: true.
How can one reproduce the bug?
helm install opensearch-operator opensearch-operator/opensearch-operator -n opensearch --version 2.8.0 --set manager.watchNamespace=opensearch
What is the expected behavior?
It should work as intended.
What is your host/environment?
aws eks 1.32
helm version v3.13.1
Do you have any additional context?
chart version 2.8.0
error log example
E0826 10:08:22.781557 1 reflector.go:200] "Failed to watch" err="failed to list *v1.OpensearchUserRoleBinding: opensearchuserrolebindings.opensearch.opster.io is forbidden: User \"system:serviceaccount:opensearch:opensearch-operator-controller-manager\" cannot list resource \"opensearchuserrolebindings\" in API group \"opensearch.opster.io\" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285" type="*v1.OpensearchUserRoleBinding"
E0826 10:08:22.904770 1 reflector.go:200] "Failed to watch" err="failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:opensearch:opensearch-operator-controller-manager\" cannot list resource \"pods\" in API group \"\" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285" type="*v1.Pod"
E0826 10:08:24.175771 1 reflector.go:200] "Failed to watch" err="failed to list *v1.OpensearchRole: opensearchroles.opensearch.opster.io is forbidden: User \"system:serviceaccount:opensearch:opensearch-operator-controller-manager\" cannot list resource \"opensearchroles\" in API group \"opensearch.opster.io\" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285" type="*v1.OpensearchRole"
E0826 10:08:24.952954 1 reflector.go:200] "Failed to watch" err="failed to list *v1.OpenSearchISMPolicy: opensearchismpolicies.opensearch.opster.io is forbidden: User \"system:serviceaccount:opensearch:opensearch-operator-controller-manager\" cannot list resource \"opensearchismpolicies\" in API group \"opensearch.opster.io\" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285" type="*v1.OpenSearchISMPolicy"
E0826 10:08:25.631915 1 reflector.go:200] "Failed to watch" err="failed to list *v1.Deployment: deployments.apps is forbidden: User \"system:serviceaccount:opensearch:opensearch-operator-controller-manager\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285" type="*v1.Deployment"
E0826 10:08:25.939515 1 reflector.go:200] "Failed to watch" err="failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:opensearch:opensearch-operator-controller-manager\" cannot list resource \"secrets\" in API group \"\" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285" type="*v1.Secret"
E0826 10:08:26.230250 1 reflector.go:200] "Failed to watch" err="failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:opensearch:opensearch-operator-controller-manager\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285" type="*v1.Service"
E0826 10:08:26.324623 1 reflector.go:200] "Failed to watch" err="failed to list *v1.OpensearchUser: opensearchusers.opensearch.opster.io is forbidden: User \"system:serviceaccount:opensearch:opensearch-operator-controller-manager\" cannot list resource \"opensearchusers\" in API group \"opensearch.opster.io\" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285" type="*v1.OpensearchUser"