Issue
You see the following log in the logs of your operations center:
Unable to add watcher: deployments.apps "managed-master-hibernation-monitor" is forbidden: User "system:serviceaccount:cje:cjoc" cannot watch resource "deployments" in API group "apps" in the namespace "cje". Kubernetes events won't be displayed.
Note: the namespace cje may be cloudbees-core, or your chosen namespace.
Environment
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed Master
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
Resolution
This managed-master-hibernation-monitor deployment is related to the : Hibernation of Managed Masters feature.
In 2.204.2.2, there were some new rules added to the system:serviceaccount:cje:cjoc role:
- apiGroups: ["apps"]
resources: ["statefulsets","deployments"]
verbs: ["create","delete","get","list","patch","update","watch"]
Adding the deployments to the resources here should fix the error, you will need to involve your Kubernetes administration team to make this change.
If you are encountering this error, you are likely managing your installation using the cloudbees-core.yaml instead of helm.
If you had migrated to using helm for your upgrades, you should not encounter this error.
Please follow the following documentation to migrate, and reach out to support if you have questions:
Existing CloudBees CI installations to Helm migration guide
Tested product/plugin versions
CloudBees CI - Modern Cloud Platforms - 2.235.2.3
0 Comments