Comment 0 for bug 1816856

Dmitrii Shcherbakov (dmitriis) wrote :

It appears that the service account called calico-policy-controller in the kube-system namespace does not have proper permissions to list (and maybe do other actions after listing) pods, namespaces and networkpolicies.

juju status: http://paste.ubuntu.com/p/ZMXbYYRVTm/
bundle: http://paste.ubuntu.com/p/N8YvFGQ9VY/

kubectl logs -n kube-system calico-policy-controller-675499888b-6sxsb | grep cannot

http://paste.ubuntu.com/p/c2KMw74rxr/

E0220 19:43:16.246620 1 reflector.go:201] github.com/projectcalico/kube-controllers/pkg/controllers/namespace/namespace_controller.go:151: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:calico-policy-controller" cannot list resource "namespaces" in API group "" at the cluster scope: RBAC: [clusterrole.rbac.authorization.k8s.io "system:basic-user" not found, clusterrole.rbac.authorization.k8s.io "calico-policy-controller" not found, clusterrole.rbac.authorization.k8s.io "system:discovery" not found]

E0220 19:43:16.253464 1 reflector.go:201] github.com/projectcalico/kube-controllers/pkg/controllers/pod/pod_controller.go:201: Failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:calico-policy-controller" cannot list resource "pods" in API group "" at the cluster scope: RBAC: [clusterrole.rbac.authorization.k8s.io "system:basic-user" not found, clusterrole.rbac.authorization.k8s.io "calico-policy-controller" not found, clusterrole.rbac.authorization.k8s.io "system:discovery" not found]

E0220 19:53:03.880187 1 reflector.go:201] github.com/projectcalico/kube-controllers/pkg/controllers/networkpolicy/policy_controller.go:192: Failed to list *extensions.NetworkPolicy: networkpolicies.extensions is forbidden: User "system:serviceaccount:kube-system:calico-policy-controller" cannot list resource "networkpolicies" in API group "extensions" at the cluster scope
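
For triage of denials like the ones in the comment above, the following is an added example (not part of the original comment or of the Calico or charm code): it parses API server "forbidden" messages and groups, per subject, the refused verb/resource pairs and the ClusterRoles the authorizer reported as not found. The function names are hypothetical; the sample lines are the messages from the comment with timestamps and source paths trimmed.

```python
import re
from collections import defaultdict

# Messages copied from the comment above (timestamps and source paths trimmed).
SAMPLE = [
    'Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:calico-policy-controller" cannot list resource "namespaces" in API group "" at the cluster scope: RBAC: [clusterrole.rbac.authorization.k8s.io "system:basic-user" not found, clusterrole.rbac.authorization.k8s.io "calico-policy-controller" not found, clusterrole.rbac.authorization.k8s.io "system:discovery" not found]',
    'Failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:calico-policy-controller" cannot list resource "pods" in API group "" at the cluster scope: RBAC: [clusterrole.rbac.authorization.k8s.io "system:basic-user" not found, clusterrole.rbac.authorization.k8s.io "calico-policy-controller" not found, clusterrole.rbac.authorization.k8s.io "system:discovery" not found]',
    'Failed to list *extensions.NetworkPolicy: networkpolicies.extensions is forbidden: User "system:serviceaccount:kube-system:calico-policy-controller" cannot list resource "networkpolicies" in API group "extensions" at the cluster scope',
]

DENIED = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" (?P<scope>at the cluster scope|in the namespace "[^"]+")'
)
MISSING_ROLE = re.compile(r'clusterrole\.rbac\.authorization\.k8s\.io "([^"]+)" not found')

def summarize_denials(lines):
    """Group RBAC denials by subject: refused (verb, group, resource, scope) and roles reported missing."""
    summary = defaultdict(lambda: {"denied": set(), "missing_roles": set()})
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # not an RBAC "forbidden" message
        entry = summary[m["user"]]
        # The empty API group "" is the core group; label it for readability.
        entry["denied"].add((m["verb"], m["group"] or "core", m["resource"], m["scope"]))
        entry["missing_roles"].update(MISSING_ROLE.findall(line))
    return dict(summary)

def split_service_account(user):
    """Return (namespace, name) for a service-account username, else None."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2], parts[3]
    return None

if __name__ == "__main__":
    for user, info in summarize_denials(SAMPLE).items():
        print(user, split_service_account(user))
        for verb, group, resource, scope in sorted(info["denied"]):
            print(f"  denied: {verb} {resource} (group {group}) {scope}")
        print("  roles reported missing:", sorted(info["missing_roles"]))
```
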