- Bug
- Resolution: Unresolved
- Minor
- None
- 4.13, 4.12, 4.14
- Important
- Hypershift Sprint 241, Hypershift Sprint 242
- 2
- Rejected
- False
Description of problem:
In a hypershift hosted cluster, the user hits the error below:
$ oc get useroauthaccesstoken --kubeconfig hypershift-ci-4200.kubeconfig
Error from server (Forbidden): useroauthaccesstokens.oauth.openshift.io is forbidden: User "testuser-1" cannot list resource "useroauthaccesstokens" in API group "oauth.openshift.io" at the cluster scope
Version-Release number of selected component (if applicable):
4.12.0-0.nightly-2022-11-17-164258
How reproducible:
Always
Steps to Reproduce:
1. Prepare a hypershift env
2. Log in to the hypershift hosted cluster: oc login -u testuser-1
3. As a normal user, get useroauthaccesstoken: oc get useroauthaccesstoken
Actual results:
Fails with the error below:
Error from server (Forbidden): useroauthaccesstokens.oauth.openshift.io is forbidden: User "testuser-1" cannot list resource "useroauthaccesstokens" in API group "oauth.openshift.io" at the cluster scope
Expected results:
3. Should succeed, as it works in an OCP env.
Additional info:
Checked the hypershift hosted cluster: the clusterrole and clusterrolebinding named system:openshift:useroauthaccesstoken-manager are missing, while they exist in an OCP env. After manually creating them in the hypershift hosted cluster, the error is gone.
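
A check for the condition described under Additional info, as an added example that is not part of the original report. It assumes `oc` is pointed at the hosted cluster with cluster-admin rights (impersonation via `--as` requires them); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: diagnose why a user cannot list useroauthaccesstokens.
# Assumption: the active kubeconfig has cluster-admin rights (needed for --as).
RBAC_NAME="system:openshift:useroauthaccesstoken-manager"   # name from the report
RESOURCE="useroauthaccesstokens.oauth.openshift.io"

# has_object KIND NAME -> status 0 if the cluster-scoped object exists
has_object() {
    oc get "$1" "$2" -o name >/dev/null 2>&1
}

# can_list USER -> status 0 if USER may list the resource at cluster scope
can_list() {
    [ "$(oc auth can-i list "$RESOURCE" --as "$1" 2>/dev/null)" = "yes" ]
}

# diagnose USER -> prints one finding; returns 0 only when access works
diagnose() {
    user="$1"
    missing=""
    has_object clusterrole "$RBAC_NAME" || missing="clusterrole"
    has_object clusterrolebinding "$RBAC_NAME" ||
        missing="${missing:+$missing,}clusterrolebinding"
    if [ -n "$missing" ]; then
        echo "missing:$missing"          # the state described in the report
        return 1
    fi
    if can_list "$user"; then
        echo "ok"
        return 0
    fi
    # Both objects exist but access is still denied: inspect the binding's subjects.
    echo "denied-despite-rbac"
    return 2
}

# Run against the current context only when a user name is given.
if [ "$#" -ge 1 ]; then
    diagnose "$1"
fi
```

Invoked as `sh check.sh testuser-1`, the hosted cluster from the report would print `missing:clusterrole,clusterrolebinding`.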