Namespaced ray operator has not enough permission

I use helm to generate a namespaced ray operator and deployed it to kubernetes (with ray 1.12.0).

But I always got this:

Not enough permissions to watch for resources: changes (creation/deletion/updates) will not be noticed; the resources are only refreshed on operator restarts.
Not enough permissions to list namespaces. Falling back to a list of namespaces which are assumed to exist: {'ray-test'}
Not enough permissions to watch for namespaces: changes (deletion/creation) will not be noticed; the namespaces are only refreshed on operator restarts.

Does anyone know what permission I should give? Aren’t the permissions in the helm enough?

# Source: ray/templates/operator_namespaced.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ray-operator-serviceaccount
  namespace: ray-test
---
# Source: ray/templates/operator_namespaced.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ray-operator-role
  namespace: ray-test
rules:
- apiGroups: ["", "cluster.ray.io"]
  resources: ["rayclusters", "rayclusters/finalizers", "rayclusters/status", "pods", "pods/exec", "services"]
  verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
- apiGroups: [""]
  resources: [events]
  verbs: [create]
---
# Source: ray/templates/operator_namespaced.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ray-operator-rolebinding
  namespace: ray-test
subjects:
- kind: ServiceAccount
  name: ray-operator-serviceaccount
  namespace: ray-test
roleRef:
  kind: Role
  name: ray-operator-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: ray/templates/operator_namespaced.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ray-operator
  namespace: ray-test
spec:
  replicas: 1
  selector:
    matchLabels:
      cluster.ray.io/component: operator
  template:
    metadata:
      labels:
        cluster.ray.io/component: operator
    spec:
      serviceAccountName: ray-operator-serviceaccount
      containers:
      - name: ray
        imagePullPolicy: Always
        image: rayproject/ray:1.12.0
        command: ["ray-operator"]
        env:
        - name: RAY_OPERATOR_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: AUTOSCALER_MAX_NUM_FAILURES
          value: "inf"
        resources:
          requests:
            cpu: 1
            memory: 1Gi
            ephemeral-storage: 1Gi
          limits:
            memory: 2Gi
            cpu: 1

Ok, it turns out the user in the pod is not ray because of some k8s cluster policy. Changed to ray then it works.

Thanks @soloman817, please let us know if you still need any help.

Thanks, it works and the reason is the user should be ray. But the logging is a bit misleading. I can understand it has no namespace permission (because I’m deploying a namespaced operator), but the other two logs are a little bit misleading.
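Added example, not part of the original thread and not Ray's own code: a simplified evaluator that checks the rules of the `ray-operator-role` Role posted above against the API requests the three warnings appear to concern. The helper names and the mapping from warnings to requests are assumptions; the rules themselves are copied from the manifest in the question.

```python
# Added example: evaluate the Role rules from the post against
# (apiGroup, resource, verb) requests. Simplified RBAC matching: it ignores
# resourceNames and nonResourceURLs. Helper names are hypothetical.

ROLE_RULES = [  # copied from ray-operator-role in the question
    {
        "apiGroups": ["", "cluster.ray.io"],
        "resources": ["rayclusters", "rayclusters/finalizers", "rayclusters/status",
                      "pods", "pods/exec", "services"],
        "verbs": ["get", "watch", "list", "create", "delete", "patch", "update"],
    },
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create"]},
]

def _matches(allowed, value):
    # "*" is the RBAC wildcard for groups, resources and verbs.
    return "*" in allowed or value in allowed

def role_allows(rules, api_group, resource, verb):
    """True if one rule matches group, resource and verb together."""
    return any(
        _matches(r["apiGroups"], api_group)
        and _matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in rules
    )

# Assumed mapping of the log warnings to requests, plus the event write.
CHECKS = [
    ("cluster.ray.io", "rayclusters", "watch"),  # "watch for resources"
    ("", "namespaces", "list"),                  # "list namespaces"
    ("", "namespaces", "watch"),                 # "watch for namespaces"
    ("", "events", "create"),
]

def audit(rules=ROLE_RULES, checks=CHECKS):
    """Return {(group, resource, verb): allowed} for each check."""
    return {c: role_allows(rules, *c) for c in checks}

if __name__ == "__main__":
    for (group, resource, verb), ok in audit().items():
        target = f"{resource}.{group or 'core'}"
        print(f"{verb:6} {target:28} {'allowed' if ok else 'denied'}")
```

The Role already grants `watch` on `rayclusters`, while `namespaces` is a cluster-scoped resource that this namespaced Role does not cover. On a live cluster, `kubectl auth can-i watch rayclusters.cluster.ray.io -n ray-test --as=system:serviceaccount:ray-test:ray-operator-serviceaccount` asks the API server the same question.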