Description of problem: Can't deploy jenkins-ephemeral-monitored template via the web console Version-Release number of selected component (if applicable): 4.3.0 How reproducible: Always Steps to Reproduce: 1. Try to deploy jenkins-ephemeral-monitored template via the web console Actual results: InstantiateFailure error: servicemonitors.monitoring.coreos.com is forbidden: User "system:serviceaccount:openshift-infra:template-instance-controller" cannot create resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "xyz" Expected results: Should deploy Additional info:
The TemplateInstance controller is intentionally limited in the types of objects it is allowed to create. Only core k8s workload resources are in the template instance controller's RBAC, and we do not intend on adding additional CRD-based resources in the future. The recommended course of action in this situation is to create a new ClusterRole and aggregate it to the `edit` and `admin` roles [1]. When the template is instantiated, the template instance controller will effectively inherit these permissions and should be able to create these resources. Quoting the article: > If you are not comfortable granting these permissions to users directly, it is not safe to grant them to the template controllers. [1] https://access.redhat.com/articles/4220601