Description of problem:
The KubeBuilder markers don't work if they are close to the code, and no doc announces that the markers should have a blank line before and after them.

Version-Release number of selected component (if applicable):
operator-sdk version: "v1.16.0-ocp", commit: "fb8834fb343f20bfd5931c6b9e036e7b01679ca1", kubernetes version: "v1.22", go version: "go1.17.5", GOOS: "linux", GOARCH: "amd64"

How reproducible:
always

Steps to Reproduce:
1. Create one Go operator, memcached, by following https://docs.openshift.com/container-platform/4.9/operators/operator_sdk/golang/osdk-golang-tutorial.html
2. Move the markers

```go
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
```

next to the code "func (r *MemcachedReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {" in controllers/memcached_controller.go, like this:

```go
// MemcachedReconciler reconciles a Memcached object
type MemcachedReconciler struct {
	client.Client
	Log    logr.Logger
	Scheme *runtime.Scheme
}

// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds/finalizers,verbs=update

// Reconcile is part of the main kubernetes reconciliation loop which aims to
// move the current state of the cluster closer to the desired state.
// TODO(user): Modify the Reconcile function to compare the state specified by
// the Memcached object against the actual cluster state, and then
// perform operations to make the cluster state reflect the state specified by
// the user.
//
// For more details, check Reconcile and its Result here:
// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.7.0/pkg/reconcile
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
func (r *MemcachedReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
	log := r.Log.WithValues("memcached", req.NamespacedName)

	// Fetch the Memcached instance
	memcached := &cachev1alpha1.Memcached{}
	err := r.Get(ctx, req.NamespacedName, memcached)
	if err != nil {
......
```

3. make manifests

Actual results:
1. The generated config/rbac/role.yaml doesn't have the apps,pods related content. The role.yaml:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: manager-role
rules:
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds/finalizers
  verbs:
  - update
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds/status
  verbs:
  - get
  - patch
  - update
```

Expected results:
1. Generate the yaml file with the apps,pods related content. Or notify the customers that the markers should have a blank line before and after them, like this (blank line after the markers):

```go
..............
	Scheme *runtime.Scheme
}

// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds/finalizers,verbs=update
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;

// Reconcile is part of the main kubernetes reconciliation loop which aims to
...........
```

The expected role.yaml:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: manager-role
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds/finalizers
  verbs:
  - update
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
```

Additional info:
Confirmed this happens. Looking at what the requirements for these markers are.
This is a known issue with `controller-gen`. https://github.com/kubernetes-sigs/controller-tools/issues/436
Another related issue with controller-gen https://github.com/kubernetes-sigs/controller-tools/issues/551
Added an FAQ upstream to mention this known issue. We will not be fixing this in operator-sdk.
This is merged into upstream master now. Once released it can be seen in the upstream sdk FAQ document: https://master.sdk.operatorframework.io/docs/faqs/
verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069
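Since the resolution in this thread is documentation only, the marker layout from the report can be caught before `make manifests` with a small source check. The Go program below is an added example, not code from operator-sdk or controller-gen; `FindAttachedRBACMarkers`, `Finding` and the sample source are hypothetical names constructed here, and it flags only the case reproduced in this report: an RBAC marker with no blank line between it and a `func` declaration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is an RBAC marker found inside a function's doc comment.
type Finding struct{ Func, Marker string; Line int }

// FindAttachedRBACMarkers lists +kubebuilder:rbac markers that sit in a func's doc comment.
func FindAttachedRBACMarkers(filename, src string) (out []Finding, err error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	for _, decl := range file.Decls {
		// A comment group with no blank line before the func becomes fn.Doc.
		if fn, ok := decl.(*ast.FuncDecl); ok && fn.Doc != nil {
			for _, c := range fn.Doc.List {
				m := strings.TrimSpace(strings.TrimPrefix(c.Text, "//"))
				if strings.HasPrefix(m, "+kubebuilder:rbac:") {
					out = append(out, Finding{fn.Name.Name, m, fset.Position(c.Pos()).Line})
				}
			}
		}
	}
	return out, nil
}

// sample is constructed for this example and mirrors the layout in the report.
const sample = `package controllers
// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds,verbs=get;list;watch

// Reconcile moves the cluster state closer to the desired state.
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
func Reconcile() {}
`

func main() {
	findings, _ := FindAttachedRBACMarkers("memcached_controller.go", sample) // constant sample always parses
	for _, f := range findings {
		fmt.Printf("line %d: %s is attached to func %s\n", f.Line, f.Marker, f.Func)
	}
}
```

The first marker in the sample is separated by a blank line and is not reported; the two markers directly above `func Reconcile` are.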