[BUG] missing RBAC for kubecontrollersconfigurations when installing canal v2.39.0 #50568

@puffitos

Description

Rancher Server Setup

  • Rancher version: 2.12.2
  • Installation option (Docker install/Helm Chart): helm
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc): rke1 1.32.4
  • Proxy/Cert Details:

Information about the Cluster

  • Kubernetes version: 1.32.4
  • Cluster Type (Local/Downstream): downstream
    • If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider): custom

User Information

  • What is the role of the user logged in? Admin
    • If custom, define the set of permissions:

Describe the bug

After upgrading to rancher 2.12.2 we noticed an error in the calico-kube-controllers pod in the kube-system namespace:

2025-06-06 13:08:46.131 [WARNING[][1] kube-controllers/runconfig.go 193: unable to list KubeControllersConfiguration(default) error=connection is unauthorized: kubecontrollersconfigurations.crd.projectcalico.org "default" is forbidden: User "system:serviceaccount:kube-system:calico-kube-controllers" cannot list resource "kubecontrollersconfigurations" in API group "crd.projectcalico.org" at the cluster scope

The logs are full of this warning. The cluster seems functional, but still the error may block the CNI from working properly.

The bug doesn't occur in the 3.29.0 version of the calico-controller, as this RBAC seems to have been introduced in a later version (see projectcalico/calico@d6dbb99 for the commit fixing the issue in the calico project).

To Reproduce

  1. Update/install rancher 2.12.2 on an rke1 cluster (rke2 doesn't seem to have the problem), with canal/calico as your CNI.

Result

Inspect the logs of the calico-kube-controllers - it should output the warning. The calico-kube-controllers ClusterRole should also be missing the list verb for that resource.

Expected Result

No RBAC errors happen, as in the previous versions.

Screenshots

Additional context

The error happens because the kontainer-metadata repo has old templates for the canal 3.29.0 version (https://github.com/projectcalico/calico/blob/v3.29.0/manifests/canal.yaml) and not the up-to-date YAML for the 3.29.3 (https://github.com/projectcalico/calico/blob/v3.29.3/manifests/canal.yaml) version. Editing the repo should fix the issue?
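The check described under "Result" can be done offline against an exported ClusterRole. The following is an added example, not part of the original report or of the Calico/Rancher code: it evaluates RBAC rules the way the log message implies (verb, API group, resource, optional object name). The embedded ClusterRole is a constructed sample that only reproduces the symptom, and the function names are hypothetical.

```python
import json

# Constructed ClusterRole for illustration only; it is NOT copied from the
# Calico or Rancher manifests. It reproduces the symptom: no "list" verb.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "calico-kube-controllers"},
  "rules": [
    {"apiGroups": [""], "resources": ["nodes"],
     "verbs": ["watch", "list", "get"]},
    {"apiGroups": ["crd.projectcalico.org"],
     "resources": ["kubecontrollersconfigurations"],
     "verbs": ["get", "create", "update", "watch"]}
  ]
}
""")


def _in(allowed, wanted):
    """RBAC list match: exact entry or the '*' wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, group, resource, name=""):
    """True if one PolicyRule grants verb on group/resource (optionally a
    named object). Subresource patterns such as '*/status' are not handled."""
    if not (_in(rule.get("verbs") or [], verb)
            and _in(rule.get("apiGroups") or [], group)
            and _in(rule.get("resources") or [], resource)):
        return False
    names = rule.get("resourceNames") or []
    return not names or name in names  # empty resourceNames = any object


def missing_verbs(role, group, resource, verbs, name=""):
    """Verbs from `verbs` that no rule in the role grants."""
    rules = role.get("rules") or []
    return [v for v in verbs
            if not any(rule_allows(r, v, group, resource, name) for r in rules)]


GROUP, RESOURCE = "crd.projectcalico.org", "kubecontrollersconfigurations"

if __name__ == "__main__":
    print("missing:", missing_verbs(SAMPLE_ROLE, GROUP, RESOURCE,
                                    ["get", "list", "watch"], "default"))
```

To run it against a real cluster, replace the sample with the output of `kubectl get clusterrole calico-kube-controllers -o json`.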

Labels: kind/bug
