Uploaded image for project: 'Cluster Observability Operator'
  1. Cluster Observability Operator
  2. COO-300

Fine grained access roles created by UIPlugin are not reconciled by COO on deletion

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • None
    • 0.4.0, 0.3.2
    • logging-uiplugin
    • None
    • 3
    • MON Sprint 260
    • None

      Description:
      Currently, when we provision the UIPlugin CR the operator creates 3 cluster roles cluster-logging-audit-view, cluster-logging-infrastructure-view and cluster-logging-application-view which are required under the fine grained logs access feature for Loki. If a clusterrole is deleted manually, the operator does not reconcile the deleted role. 

      UIPlugin CR:

      apiVersion: observability.openshift.io/v1alpha1
      kind: UIPlugin
      metadata:
        name: logging
      spec:
        logging:
          logsLimit: 10
          lokiStack:
            name: lokistack-dev
          timeout: 6m
        type: Logging
      status:
        conditions:
          - lastTransitionTime: '2024-09-02T06:42:22Z'
            message: Plugin reconciled successfully
            observedGeneration: 1
            reason: UIPluginReconciled
            status: 'True'
            type: Reconciled
          - lastTransitionTime: '2024-09-02T06:42:22Z'
            message: ''
            observedGeneration: 1
            reason: UIPluginAvailable
            status: 'True'
            type: Available
      
      $ oc get clusterrole | grep cluster-logging
      cluster-logging-application-view                                                       2024-09-02T06:42:21Z
      cluster-logging-audit-view                                                             2024-09-02T06:42:22Z
      cluster-logging-infrastructure-view                                                    2024-09-02T06:42:22Z
      $ oc delete clusterrole cluster-logging-application-view 
      clusterrole.rbac.authorization.k8s.io "cluster-logging-application-view" deleted

      Check after sometime, deleted cluster role is unavailable.

      $ oc get clusterrole | grep cluster-logging
      cluster-logging-audit-view                                                             2024-09-02T06:42:22Z
      cluster-logging-infrastructure-view                                                    2024-09-02T06:42:22Z
      cluster-logging.v6.0.0-9DbNYRH9zEMq8oztRE0nvzAeX4i6FKQ3hgLLfM                          2024-09-02T06:37:03Z

      Steps to reproduce:
      1) Deploy COO and provision a UI plugin manifest.
      2) Validate that cluster-logging-audit-view, cluster-logging-infrastructure-view and cluster-logging-application-view are created.
      3) Delete a cluster role manually from the above list
      4) Observe the cluster role status

      How reproducible: always

      Expected Result: COO should reconcile the deleted role

      Actual Result: COO does not reconcile the deleted role

      Additional Info:

      $ oc get csv
      NAME                                   DISPLAY                          VERSION   REPLACES                               PHASE
      cluster-logging.v6.0.0                 Red Hat OpenShift Logging        6.0.0                                            Succeeded
      cluster-observability-operator.0.3.2   Cluster Observability Operator   0.3.2     cluster-observability-operator.0.2.0   Succeeded
      loki-operator.v6.0.0                   Loki Operator                    6.0.0                                            Succeeded

              prasriva@redhat.com Pranshu Srivastava
              rhn-support-kbharti Kabir Bharti
              Simon Pasquier
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: