Unable to add watcher: deployments.apps 'managed-master-hibernation-monitor' is forbidden

Issue

You see the following log in the logs of your operations center:

Unable to add watcher: deployments.apps "managed-master-hibernation-monitor" is forbidden: User "system:serviceaccount:cje:cjoc" cannot watch resource "deployments" in API group "apps" in the namespace "cje". Kubernetes events won't be displayed.

Note: instead of cje, the namespace may be cloudbees-core or whichever namespace you chose.

Environment

Resolution

This managed-master-hibernation-monitor deployment is related to the Hibernation of Managed Masters feature.

In 2.204.2.2, some new rules were added to the system:serviceaccount:cje:cjoc role:

- apiGroups: ["apps"]
  resources: ["statefulsets","deployments"]
  verbs: ["create","delete","get","list","patch","update","watch"]

Adding deployments to the resources here should fix the error. You will need to involve your Kubernetes administration team to make this change.
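
To confirm the change once the role is updated, the script below asks the API server, through `kubectl auth can-i`, whether the service account from the log line holds each verb in the rule above. It is an added example, not part of the original article; the `cje` namespace and `cjoc` service account come from the log message, the file name is hypothetical, and the caller is assumed to be allowed to impersonate service accounts (`--as`).

```shell
#!/bin/sh
# Added example: list the verbs from the rule above that the operations center
# service account is still missing. NAMESPACE and SERVICE_ACCOUNT default to
# the values in the log line; override them for your installation.
NAMESPACE="${NAMESPACE:-cje}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-cjoc}"
RESOURCES="statefulsets.apps deployments.apps"
VERBS="create delete get list patch update watch"

# Prints one "<resource> <verb>" line per missing permission.
# Returns 2 if kubectl gives no usable answer (no cluster access, or the
# caller is not allowed to impersonate the service account).
missing_permissions() {
    subject="system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT}"
    for resource in $RESOURCES; do
        for verb in $VERBS; do
            # can-i prints "yes" or "no" and exits non-zero on "no", so the
            # exit status is ignored and the printed answer is inspected.
            answer=$(kubectl auth can-i "$verb" "$resource" \
                --as="$subject" -n "$NAMESPACE" 2>/dev/null) || true
            case "$answer" in
                yes*) ;;
                no*)  echo "$resource $verb" ;;
                *)    echo "cannot evaluate $verb on $resource" >&2
                      return 2 ;;
            esac
        done
    done
}

# Run the check only when invoked as: sh check-cjoc-rbac.sh check
# (check-cjoc-rbac.sh is a hypothetical file name for this script)
if [ "${1:-}" = "check" ]; then
    if ! missing=$(missing_permissions); then
        exit 2
    fi
    if [ -n "$missing" ]; then
        echo "Missing for system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT}:"
        echo "$missing"
        exit 1
    fi
    echo "All verbs in the rule are granted."
fi
```

An exit status of 1 with `deployments.apps watch` in the output corresponds to the error in the log above; an empty result means the rule is in effect for the service account.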

If you are encountering this error, you are likely managing your installation using cloudbees-core.yaml instead of Helm.
If you have migrated to using Helm for your upgrades, you should not encounter this error.
Follow the documentation below to migrate, and reach out to support if you have questions:

Existing CloudBees CI installations to Helm migration guide

Tested product/plugin versions

CloudBees CI - Modern Cloud Platforms - 2.235.2.3
