Description
After upgrading the keda Helm chart from 2.17.2 to 2.20.1, the keda-operator pod logs the following error shortly after startup:
event.go:359 "Server rejected event (will not retry!)" err="events is forbidden: User \"system:serviceaccount:keda:keda-operator\" cannot create resource \"events\" in API group \"\" in the namespace \"keda\"" event=...
The denial is genuine: the rendered keda-operator ClusterRole only grants the events resource on the events.k8s.io API group:
- apiGroups: [events.k8s.io]
  resources: [events]
  verbs: [create, patch]
There is no rule granting events on the core ("") API group.
Why this fails
This is the trap described in kubernetes/kubernetes#94857: client-go's event broadcaster still writes events to the legacy core "" API group even when configured for events.k8s.io. Granting only the new group is insufficient.
The upgrade notes for 2.20.0 (keda#7781) state that the bundled chart includes the updated RBAC, but the chart only added events.k8s.io — the core group entry appears to have been dropped rather than retained.
Impact
Cosmetic — only K8s Event objects are lost, so kubectl describe scaledobject shows fewer events than it should. Scaling itself is unaffected.
Reproduction
- Install chart keda-2.20.1 with default values.
- Check kubectl get clusterrole keda-operator -o json | jq '.rules[] | select(.resources[]? == "events")' — only events.k8s.io is granted.
- Watch kubectl -n keda logs deploy/keda-operator | grep "events is forbidden".
Suggested fix
Restore the core "" API group alongside events.k8s.io in the operator ClusterRole rule:
- apiGroups: ["", "events.k8s.io"]
  resources: [events]
  verbs: [create, patch]
Workaround
Sidecar ClusterRole + ClusterRoleBinding granting create,patch on events in apiGroups: [""] to the keda-operator SA. Confirmed to resolve the denial; KEDA events (ScaledObjectReady, KEDAScalersStarted, etc.) start landing again immediately.
Versions
- Chart: keda-2.20.1
- Operator image: kedacore/keda:2.20.1
- Kubernetes: EKS v1.35.5-eks-0247562
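
The workaround described above, written out as a manifest. This is an added example, not part of the original report and not taken from the KEDA chart. The object name keda-operator-core-events is hypothetical; the service account and namespace are the ones in the logged denial.

```yaml
# Added example: supplementary RBAC for the keda-operator service account.
# Grants only what the denial names: create/patch on events in the core ("") group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: keda-operator-core-events   # hypothetical name, pick your own
rules:
  - apiGroups: [""]                 # core API group, missing from the chart's rule
    resources: ["events"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: keda-operator-core-events   # hypothetical name, matches the role above
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: keda-operator-core-events
subjects:
  - kind: ServiceAccount
    name: keda-operator             # from system:serviceaccount:keda:keda-operator
    namespace: keda
```

After applying it, kubectl auth can-i create events --as=system:serviceaccount:keda:keda-operator -n keda should answer yes. Keeping the grant in its own ClusterRole means it can be deleted cleanly once the chart's rule covers the core group again.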