VictoriaMetrics · f41gh7 · Dec 5, 2024 · Dec 3, 2024 · Dec 3, 2024 · Dec 4, 2024
@@ -587,7 +587,7 @@ func (cr VMAgent) IsOwnsServiceAccount() bool {
 }
 
 func (cr VMAgent) GetClusterRoleName() string {
-	return fmt.Sprintf("monitoring:vmagent-cluster-access-%s", cr.Name)
+	return fmt.Sprintf("monitoring:%s:vmagent-%s", cr.Namespace, cr.Name)
 }
 
 func (cr VMAgent) GetNSName() string {

@@ -13,19 +13,20 @@ aliases:
 
 ## tip
 
+- [alerts]: added cluster label for multicluster alerts.
+- [vmagent](https://docs.victoriametrics.com/operator/resources/vmagent/): change the default ClusterRole and ClusterRoleBinding name to avoid resource collisions when `vmagentSpec.ServiceAccountName` is null. See [this issue](https://github.com/VictoriaMetrics/operator/issues/891).
 - [vmoperator](https://docs.victoriametrics.com/operator/): bump default version of VictoriaMetrics components to [1.107.0](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.107.0).
+- [vmoperator](https://docs.victoriametrics.com/operator/): fix the behaviors of `vmagentSpec.ScrapeConfigSelector` and `vmagentSpec.scrapeConfigNamespaceSelector` when `vmagentSpec.selectAllByDefault=false`. Previously, the VMScrapeConfig could be ignored.
+- [vmoperator](https://docs.victoriametrics.com/operator/): fix the behaviors of `xxxNamespaceSelector` when `vmagentSpec.selectAllByDefault=true`. See [this doc](https://docs.victoriametrics.com/operator/resources/vmagent/#scraping) for detailed rules.
 
 ## [v0.50.0](https://github.com/VictoriaMetrics/operator/releases/tag/v0.50.0) - 22 Nov 2024
 
 - [vmoperator](https://docs.victoriametrics.com/operator/): add missing `container` labels to the metrics discovered with `VMServiceScrape` for `endpointslices` discovery role.
 - [vmoperator](https://docs.victoriametrics.com/operator/): bump default version of VictoriaMetrics components to [1.106.1](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.106.1).
 - [vmoperator](https://docs.victoriametrics.com/operator/): add new variable `VM_VMSERVICESCRAPEDEFAULT_ENFORCEENDPOINTSLICES` to use `endpointslices` instead of `endpoints` as discovery role for VMServiceScrape when generate scrape config for VMAgent.
 - [vmoperator](https://docs.victoriametrics.com/operator/): adds new flag `loggerJSONFields` to the operator logger configuration. It allows to change json encoder fields. See [this issue](https://github.com/VictoriaMetrics/operator/issues/1157) for details.
-- [vmoperator](https://docs.victoriametrics.com/operator/): fix the behaviors of `vmagentSpec.ScrapeConfigSelector` and `vmagentSpec.scrapeConfigNamespaceSelector` when `vmagentSpec.selectAllByDefault=false`. Previously, the VMScrapeConfig could be ignored.
-- [vmoperator](https://docs.victoriametrics.com/operator/): fix the behaviors of `xxxNamespaceSelector` when `vmagentSpec.selectAllByDefault=true`. See [this doc](https://docs.victoriametrics.com/operator/resources/vmagent/#scraping) for detailed rules.
 - [api](https://docs.victoriametrics.com/operator/api): adds new status field `observedGeneration`. See [this issue](https://github.com/VictoriaMetrics/operator/issues/1155) for details.
 - [api](https://docs.victoriametrics.com/operator/api): unify `updateStatus` field for CRD objects. It replaces `status`, `clusterStatus` and `singleStatus` for `VLogs`, `VMCluster` and `VMSingle` with generic `updateStatus`.
-- [alerts]: added cluster label for multicluster alerts.
 
 ## [v0.49.1](https://github.com/VictoriaMetrics/operator/releases/tag/v0.49.1) - 11 Nov 2024
 

@@ -142,8 +142,22 @@ func ensureVMAgentCRExist(ctx context.Context, cr *vmv1beta1.VMAgent, rclient cl
 	clusterRole := buildVMAgentClusterRole(cr)
 	var existsClusterRole rbacv1.ClusterRole
 
-	if err := rclient.Get(ctx, types.NamespacedName{Name: clusterRole.Name, Namespace: cr.Namespace}, &existsClusterRole); err != nil {
+	if err := rclient.Get(ctx, types.NamespacedName{Name: clusterRole.Name}, &existsClusterRole); err != nil {
 		if errors.IsNotFound(err) {
+			// check for possible legacy ClusterRole and clean it, see https://github.com/VictoriaMetrics/operator/pull/1176
+			var orphanedClusterRole rbacv1.ClusterRole
+			err = rclient.Get(ctx, types.NamespacedName{Name: fmt.Sprintf("monitoring:vmagent-cluster-access-%s", cr.Name)}, &orphanedClusterRole)
+			if err != nil {
+				logger.WithContext(ctx).Error(err, "failed to check legacy ClusterRole", "vmagent", cr.Name, "namespace", cr.Namespace)
+			}
+			if orphanedClusterRole.Name != "" {
+				finalize.RemoveFinalizer(ctx, rclient, &orphanedClusterRole)
+				err = rclient.Delete(ctx, &orphanedClusterRole)
+				if err != nil {
+					logger.WithContext(ctx).Error(err, "failed to cleanup legacy ClusterRole", "vmagent", cr.Name, "namespace", cr.Namespace)
+				}
+			}
+
 			return rclient.Create(ctx, clusterRole)
 		}
 		return fmt.Errorf("cannot get exist cluster role for vmagent: %w", err)
@@ -172,8 +186,22 @@ func ensureVMAgentCRBExist(ctx context.Context, cr *vmv1beta1.VMAgent, rclient c
 	clusterRoleBinding := buildVMAgentClusterRoleBinding(cr)
 	var existsClusterRoleBinding rbacv1.ClusterRoleBinding
 
-	if err := rclient.Get(ctx, types.NamespacedName{Name: clusterRoleBinding.Name, Namespace: cr.Namespace}, &existsClusterRoleBinding); err != nil {
+	if err := rclient.Get(ctx, types.NamespacedName{Name: clusterRoleBinding.Name}, &existsClusterRoleBinding); err != nil {
 		if errors.IsNotFound(err) {
+			// check for possible legacy ClusterRoleBinding and clean it, see https://github.com/VictoriaMetrics/operator/pull/1176
+			var orphanedClusterRoleBinding rbacv1.ClusterRoleBinding
+			err = rclient.Get(ctx, types.NamespacedName{Name: fmt.Sprintf("monitoring:vmagent-cluster-access-%s", cr.Name)}, &orphanedClusterRoleBinding)
+			if err != nil {
+				logger.WithContext(ctx).Error(err, "failed to check legacy ClusterRoleBinding", "vmagent", cr.Name, "namespace", cr.Namespace)
+			}
+			if orphanedClusterRoleBinding.Name != "" {
+				finalize.RemoveFinalizer(ctx, rclient, &orphanedClusterRoleBinding)
+				err = rclient.Delete(ctx, &orphanedClusterRoleBinding)
+				if err != nil {
+					logger.WithContext(ctx).Error(err, "failed to cleanup legacy ClusterRoleBinding", "vmagent", cr.Name, "namespace", cr.Namespace)
+				}
+			}
+
 			return rclient.Create(ctx, clusterRoleBinding)
 		}
 		return fmt.Errorf("cannot get clusterRoleBinding for vmagent: %w", err)
@@ -204,11 +232,13 @@ func ensureVMAgentCRBExist(ctx context.Context, cr *vmv1beta1.VMAgent, rclient c
 func buildVMAgentClusterRoleBinding(cr *vmv1beta1.VMAgent) *rbacv1.ClusterRoleBinding {
 	return &rbacv1.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:            cr.GetClusterRoleName(),
-			Namespace:       cr.GetNamespace(),
-			Labels:          cr.AllLabels(),
-			Annotations:     cr.AnnotationsFiltered(),
-			Finalizers:      []string{vmv1beta1.FinalizerName},
+			Name:        cr.GetClusterRoleName(),
+			Namespace:   cr.GetNamespace(),
+			Labels:      cr.AllLabels(),
+			Annotations: cr.AnnotationsFiltered(),
+			Finalizers:  []string{vmv1beta1.FinalizerName},
+			// Kubernetes does not allow namespace-scoped resources to own cluster-scoped resources,
+			// use crd instead
 			OwnerReferences: cr.AsCRDOwner(),
 		},
 		Subjects: []rbacv1.Subject{
@@ -229,11 +259,13 @@ func buildVMAgentClusterRoleBinding(cr *vmv1beta1.VMAgent) *rbacv1.ClusterRoleBi
 func buildVMAgentClusterRole(cr *vmv1beta1.VMAgent) *rbacv1.ClusterRole {
 	return &rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:            cr.GetClusterRoleName(),
-			Namespace:       cr.GetNamespace(),
-			Labels:          cr.AllLabels(),
-			Annotations:     cr.AnnotationsFiltered(),
-			Finalizers:      []string{vmv1beta1.FinalizerName},
+			Name:        cr.GetClusterRoleName(),
+			Namespace:   cr.GetNamespace(),
+			Labels:      cr.AllLabels(),
+			Annotations: cr.AnnotationsFiltered(),
+			Finalizers:  []string{vmv1beta1.FinalizerName},
+			// Kubernetes does not allow namespace-scoped resources to own cluster-scoped resources,
+			// use crd instead
 			OwnerReferences: cr.AsCRDOwner(),
 		},
 		Rules: clusterWidePolicyRules,