Keda v2.15.1 cannot list secrets within the keda namespace

[jdinsel-xealth]

If the permissions.operator.restrict.secret value is set to true, the minimal-rbac.yaml will not have permissions to read the secret within the release namespace.

charts/keda/templates/manager/minimal-rbac.yaml

Lines 30 to 37 in 1373262

	- apiGroups:
	- ""
	resources:
	- secrets
	verbs:
	- create
	- update
	{{- end }}

Expected Behavior

It should be properly configured to read the secret created within its namespace.

Actual Behavior

At runtime, the keda-operator logs:

1 reflector.go:147] k8s.io/client-go/informers/factory.go:159: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is 
forbidden: User "system:serviceaccount:keda:keda-operator" cannot list resource "secrets" in API group "" in the 
namespace "keda"

Steps to Reproduce the Problem

1. Set the values for v2.15.1 to define permissions.operator.restrict.secret to true
2. Deploy the helm chart to the cluster
3. Tail the logs for errors

Specifications

• KEDA Version: v2.15.1
• Platform & Version: AWS EKS v1.30
• Kubernetes Version: v1.30

Note that an unreleased pull request added more permissions to list and watch. When will this be released?

https://github.com/kedacore/charts/blob/main/keda/templates/manager/minimal-rbac.yaml#L37-L40

[joebowbeer]

It looks like #625 caused a regression

To be clear, the informer only needs list/watch access, not read (get) access to secrets.

See #605 and kedacore/keda-docs#1307 for previous discussion about how to restrict access to secrets, which I think now (after #625) probably needs an update

On slack: https://kubernetes.slack.com/archives/C01JGDP8MB8/p1726170644218529

[jdinsel-xealth]

This issue is fixed with the release of v2.15.2.