Upgrading Trident Helm installation using private registry fails with RBAC error
Applies to
- NetApp Trident 25.10.0
- Trident Helm installation
- Private Trident image registry
Issue
- Upgrading a Trident Helm installation, using Trident images and Helm chart from a private registry, fails with the following RBAC error:
>> kubectl describe tridentorchestrators.trident.netapp.io trident
Message: Failed to install Trident; err: unable to create RBAC objects while verifying Trident version; err: failed to create the Trident cluster role; failed to create or patch Trident cluster role; could not patch Trident Cluster role; clusterroles.rbac.authorization.k8s.io "trident-controller" is forbidden: user "system:serviceaccount:trident:trident-operator" (groups=["system:serviceaccounts" "system:serviceaccounts:trident" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:{APIGroups:["storage.k8s.io"], Resources:["volumeattachments"], Verbs:["delete"]}{APIGroups:["trident.netapp.io"], Resources:["tridentnoderemediations"], Verbs:["get" "list" "watch" "create" "delete" "update" "patch"]}{APIGroups:["trident.netapp.io"], Resources:["tridentnoderemediations/status"], Verbs:["get" "list" "watch" "create" "delete" "update" "patch"]}{APIGroups:["trident.netapp.io"], Resources:["tridentnoderemediationtemplates"], Verbs:["get" "list" "watch" "create" "delete" "update" "patch"]}{APIGroups:["trident.netapp.io"], Resources:["tridentnoderemediationtemplates/status"], Verbs:["get" "list" "watch" "create" "delete" "update" "patch"]}
- Upgrading the same Trident Helm installation using the default public / online Trident image registry completes successfully