Bug
Resolution: Done
Major
MCE 2.4.0
Important
Description of problem:
The kube-rbac-proxy container which is used to emit the hypershift-addon-agent's prometheus metrics in hypershift-addon has the following auth error.
E0829 12:56:45.313097 1 webhook.go:199] Failed to make webhook authorizer request: subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-agent-addon:hypershift-addon-agent-sa" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
E0829 12:56:45.313124 1 proxy.go:96] Authorization error (user=system:serviceaccount:openshift-monitoring:prometheus-k8s, verb=get, resource=, subresource=): subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-agent-addon:hypershift-addon-agent-sa" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
I0829 12:57:09.508947 1 round_trippers.go:443] POST https://172.30.0.1:443/apis/authentication.k8s.io/v1/tokenreviews 201 Created in 5 milliseconds
I0829 12:57:09.510862 1 round_trippers.go:443] POST https://172.30.0.1:443/apis/authorization.k8s.io/v1/subjectaccessreviews 403 Forbidden in 1 milliseconds
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
- Install MCE or ACM
- The hypershift addon should be automatically enabled for local-cluster
- Just look at the kube-rbac-proxy container log in the hypershift-addon-agent pod in the open-cluster-management-agent-addon namespace to see the errors.
Actual results:
You see the RBAC errors
Expected results:
You should not see the RBAC errors
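
The log in this report names two different identities: the subject that was denied (the proxy's own service account) and the caller whose scrape could not be authorized (prometheus-k8s). The following is an added example, not code from the report or from the hypershift-addon project; it parses the reported log lines to separate the two and renders each denial as an RBAC rule entry. The function names are hypothetical, and the sample input is the log text copied from the description above.

```python
import re
from collections import defaultdict

# Log lines copied from the report above.
SAMPLE_LOG = '''\
E0829 12:56:45.313097 1 webhook.go:199] Failed to make webhook authorizer request: subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-agent-addon:hypershift-addon-agent-sa" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
E0829 12:56:45.313124 1 proxy.go:96] Authorization error (user=system:serviceaccount:openshift-monitoring:prometheus-k8s, verb=get, resource=, subresource=): subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:open-cluster-management-agent-addon:hypershift-addon-agent-sa" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
I0829 12:57:09.510862 1 round_trippers.go:443] POST https://172.30.0.1:443/apis/authorization.k8s.io/v1/subjectaccessreviews 403 Forbidden in 1 milliseconds
'''

# API-server RBAC denial text: names the subject that lacks the permission.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?P<scope>at the cluster scope|in the namespace "[^"]+")'
)
# kube-rbac-proxy line: names the caller whose request could not be authorized.
CALLER = re.compile(r'Authorization error \(user=(?P<caller>[^,]+), verb=(?P<verb>[^,]+),')


def missing_permissions(log_text):
    """Map each denied subject to the set of (group, resource, verb, scope) it lacks."""
    found = defaultdict(set)
    for m in DENIAL.finditer(log_text):
        found[m["user"]].add((m["group"], m["resource"], m["verb"], m["scope"]))
    return dict(found)


def affected_callers(log_text):
    """Identities whose requests the proxy rejected because it could not authorize them."""
    return sorted({m["caller"] for m in CALLER.finditer(log_text)})


def as_rules(perms):
    """Render one subject's denials as entries for the 'rules' list of a Role/ClusterRole."""
    return [{"apiGroups": [g], "resources": [r], "verbs": [v]}
            for g, r, v, _scope in sorted(perms)]


if __name__ == "__main__":
    for user, perms in missing_permissions(SAMPLE_LOG).items():
        print(user, as_rules(perms))
    print("callers blocked:", affected_callers(SAMPLE_LOG))
```

A denial reported "at the cluster scope" needs a ClusterRole and ClusterRoleBinding for the denied subject; a namespaced Role would not satisfy it.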