Strimzi Phased Upgrade Error When Kafka Cluster Has NodePort Listeners

[tsengph]

I followed the Strimzi blog post “Phased upgrades of Strimzi managed Kafka fleets”:
🔗 https://strimzi.io/blog/2025/04/10/phased-strimzi-upgrade-example/

Everything works great using the example cluster configuration from the guide:
🔗 https://github.com/tomncooper/strimzi-phased-upgrade/blob/main/tests/kafka-A.yaml

However, when I add a NodePort listener to the Kafka cluster, the Strimzi Operator fails with an exception while creating the ClusterRoleBinding.

...
    listeners:
      - configuration:
          bootstrap:
            nodePort: 31012
        name: external
        port: 9094
        tls: false
        type: nodeport
...

The operator log shows that it was looking for a strimzi-kafka-broker ClusterRole:

2025-10-22 22:22:25 DEBUG AbstractNonNamespacedResourceOperator:85 - Reconciliation #18(watch) Kafka(kafka/kafka-a): ClusterRoleBinding strimzi-kafka-kafka-a-kafka-init does not exist, creating it
2025-10-22T22:22:25.396932535Z 2025-10-22 22:22:25 DEBUG AbstractNonNamespacedResourceOperator:190 - Reconciliation #18(watch) Kafka(kafka/kafka-a): Caught exception while creating ClusterRoleBinding strimzi-kafka-kafka-a-kafka-init
2025-10-22T22:22:25.396955790Z io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://10.208.0.1:443/apis/rbac.authorization.k8s.io/v1/clusterrolebindings. Message: clusterroles.rbac.authorization.k8s.io "strimzi-kafka-broker" not found.
...

In my setup, I’ve renamed the ClusterRoles with a version suffix to support multiple Strimzi operators in the same Kubernetes cluster:

❯ kubectl get clusterrole | grep strimzi
strimzi-cluster-operator-global-0-39-0
strimzi-cluster-operator-leader-election-0-39-0
strimzi-cluster-operator-namespaced-0-39-0
strimzi-cluster-operator-watched-0-39-0
strimzi-entity-operator-0-39-0
strimzi-kafka-broker-0-39-0
strimzi-kafka-client-0-39-0

It seems the operator still hardcodes the role name strimzi-kafka-broker when trying to create the ClusterRoleBinding.

❓ Question:
Is there any environment variable or configuration option that allows the Strimzi Operator to reference a different ClusterRole name (e.g., strimzi-kafka-broker-0-39-0)?

I also tried manually creating the ClusterRoleBinding, but the operator still failed to proceed:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: strimzi-kafka-kafka-a-kafka-init
subjects:
  - kind: ServiceAccount
    name: kafka-a-kafka
    namespace: kafka
roleRef:
  kind: ClusterRole
  name: strimzi-kafka-broker-0-39-0
  apiGroup: rbac.authorization.k8s.io

Any suggestions on how to handle this when running multiple Strimzi operators in the same cluster?

[scholzj]

No, the ClusterRoles used for delegation cannot be renamed (those are the ones with delegation in the name: https://github.com/strimzi/strimzi-kafka-operator/tree/main/install/cluster-operator). You have to use their original names. Their content changes relatively rarely, but when it changes, you should make sure you include all the rights required by any version you use. In general, I would probably recommend the same approach for all the ClusterRoles and renaming only the ClusterRoleBindings. But it is strictly needed only for the 3 delegation ones.