Hello. We have noticed in our audit logs that Canal/Calico tried to create a calico Tiers object (

<http://tiers.crd.projectcalico.org|tiers.crd.projectcalico.org>

) with

system:serviceaccount:kube-system:canal

service account, but failed because the role attached to this service account lacks the permission. Has this happened to anyone else? Is this normal behavior?