Unable to add watcher: deployments.apps 'managed-master-hibernation-monitor' is forbidden

Article ID:360050580352
1 minute readKnowledge base


You see the following log in the logs of your operations center:

Unable to add watcher: deployments.apps "managed-master-hibernation-monitor" is forbidden: User "system:serviceaccount:cje:cjoc" cannot watch resource "deployments" in API group "apps" in the namespace "cje". Kubernetes events won't be displayed.
the namespace cje may be cloudbees-core, or your chosen namespace.


This managed-master-hibernation-monitor deployment is related to: Optimizing resources with hibernation of managed controllers

In, there were some new rules added to the system:serviceaccount:cje:cjoc role:

- apiGroups: ["apps"]
  resources: ["statefulsets","deployments"]
  verbs: ["create","delete","get","list","patch","update","watch"]

Adding the deployments to the resources here should fix the error, you will need to involve your Kubernetes administration team to make this change.

If you are encountering this error, you are likely managing your installation using the cloudbees-core.yaml instead of helm. If you had migrated to using helm for your upgrades, you should not encounter this error. Please follow the following documentation to migrate, and reach out to support if you have questions:

Tested product/plugin versions

CloudBees CI - Modern Cloud Platforms -