Kubernetes local observer job fails

The Kubernetes local observer job fails because the ClusterRole is not created by default.

Problem

The Kubernetes local observer job fails because it has no access to the Kubernetes environment. An error message similar to the following example is displayed:
User "system:serviceaccount:noi:noi-service-account" cannot list resource "nodes" in API group "" at the cluster scope

Cause

Role permissions are granted by the cluster admin and cannot be set by the operator. For more information about roles and permissions, see Configuring Kubernetes Observer jobs.

Resolution

Complete the following steps to resolve the Kubernetes local observer failure:
  1. As a cluster admin, create the ClusterRole and bind it to the noi-service-account.
  2. Set your namespace by using the following command:
    export NAMESPACE=ibmnetcool
  3. Create the ClusterRole.
    cat <<EOF | oc apply -f - 
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      annotations:
      name: asm:kubernetes-observer
    rules:
    - apiGroups:
        - ''
      resources:
        - nodes
        - services
        - namespaces
        - pods
        - endpoints
        - persistentvolumeclaims
        - persistentvolumes
      verbs:
        - list
        - get  
    - apiGroups:
        - apps
      resources:
        - deployments
        - replicasets
        - statefulsets
        - daemonsets
      verbs:
        - list
        - get
    EOF
  4. Create the binding by using the following command:
    oc create clusterrolebinding ${NAMESPACE:-netcool}-kubernetes-observer --clusterrole=asm:kubernetes-observer --serviceaccount=${NAMESPACE:-netcool}:noi-service-account
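
To confirm the result before you rerun the job, the following added example (not part of the original documentation) asks the API server, while impersonating noi-service-account, whether each resource and verb from the ClusterRole is allowed at cluster scope, and reports delete access that this read-only role should not grant. The function names are hypothetical, and it assumes that you are logged in as a user who can impersonate service accounts, such as a cluster admin.

```shell
# Added example: function and variable names are hypothetical.
# Resources and verbs mirror the asm:kubernetes-observer ClusterRole above.
CORE_RESOURCES="nodes services namespaces pods endpoints persistentvolumeclaims persistentvolumes"
APPS_RESOURCES="deployments.apps replicasets.apps statefulsets.apps daemonsets.apps"

# observer_can VERB RESOURCE
# Impersonates the service account and asks whether the action is allowed
# at cluster scope. Exit status 0 means allowed, non-zero means denied.
observer_can() {
  oc auth can-i "$1" "$2" --all-namespaces --quiet \
    --as="system:serviceaccount:${NAMESPACE:-netcool}:noi-service-account"
}

# check_observer_rbac
# Prints one line per problem. Returns 0 only when every list/get check
# passes and no delete access is found.
check_observer_rbac() {
  problems=0
  for res in $CORE_RESOURCES $APPS_RESOURCES; do
    for verb in list get; do
      if ! observer_can "$verb" "$res"; then
        echo "MISSING: $verb $res"
        problems=$((problems + 1))
      fi
    done
    # The ClusterRole grants only list and get. If delete is allowed,
    # some other role binding gives the service account more access.
    if observer_can delete "$res"; then
      echo "EXCESS: delete $res"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# Usage, after setting NAMESPACE as in step 2:
#   check_observer_rbac && echo "observer RBAC is as expected"
```

A MISSING line points to a ClusterRole or binding that was not applied for the namespace in use. An EXCESS line means that the service account has permissions from another binding that should be reviewed.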