Bug
Resolution: Done
Critical
Logging 5.2
False
False
NEW
VERIFIED

Description of problem:
The ds/fluentd is not created after creating clusterlogging/instance; there are many error messages in CLO:
{"_ts":"2021-07-26T06:56:02.120741286Z","_level":"0","_component":"cluster-logging-operator","_message":"Error reconciling clusterlogging instance","_error":{"msg":"Unable to create or update collection for \"instance\": Failure creating Log Collector SecurityContextConstraints: securitycontextconstraints.security.openshift.io is forbidden: User \"system:serviceaccount:openshift-logging:cluster-logging-operator\" cannot create resource \"securitycontextconstraints\" in API group \"security.openshift.io\" at the cluster scope"}}
I checked the clusterrole; it is missing the following rule:
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  verbs:
  - create

$ oc get clusterrole cluster-logging.5.2.0-1-855f7d7f77 -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2021-07-26T06:55:09Z"
  labels:
    olm.owner: cluster-logging.5.2.0-1
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-logging
    operators.coreos.com/cluster-logging-operator.openshift-logging: ""
  name: cluster-logging.5.2.0-1-855f7d7f77
  resourceVersion: "434292"
  uid: 0dd79aaa-0436-4960-b6a0-4f33e4b61ca8
rules:
- apiGroups:
  - console.openshift.io
  resources:
  - consoleexternalloglinks
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - '*'
- apiGroups:
  - scheduling.k8s.io
  resources:
  - priorityclasses
  verbs:
  - '*'
- apiGroups:
  - oauth.openshift.io
  resources:
  - oauthclients
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  - clusterrolebindings
  verbs:
  - '*'
- apiGroups:
  - config.openshift.io
  resources:
  - proxies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  - services
  - services/finalizers
  verbs:
  - get
  - list
  - watch

$ oc get clusterrolebinding cluster-logging.5.2.0-1-855f7d7f77 -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2021-07-26T06:55:09Z"
  labels:
    olm.owner: cluster-logging.5.2.0-1
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-logging
    operators.coreos.com/cluster-logging-operator.openshift-logging: ""
  name: cluster-logging.5.2.0-1-855f7d7f77
  resourceVersion: "434295"
  uid: 85c50550-c51c-49d2-859e-1b1ec7e5ebee
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-logging.5.2.0-1-855f7d7f77
subjects:
- kind: ServiceAccount
  name: cluster-logging-operator
  namespace: openshift-logging
Version-Release number of selected component (if applicable):
cluster-logging.5.2.0-1
How reproducible:
Always
Steps to Reproduce:
1. deploy logging 5.2
2. create clusterlogging
3. check ds/fluentd
Actual results:
Expected results:
Additional info:
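
Added example (not part of the original report, and not the operator's own code): a small offline check that evaluates the rules of the ClusterRole shown above against the permission named in the operator's error message, and shows that the rule the report lists as missing closes the gap. The helper names (R, allowed, missing) and the two extra entries in REQUIRED are assumptions made for illustration; resourceNames and nonResourceURLs are not modelled.

```python
# Added example: evaluates Kubernetes RBAC resource rules by matching verb,
# apiGroup and resource, with "*" as a wildcard (hypothetical helper names).

def R(groups, resources, verbs):
    return {"apiGroups": groups, "resources": resources, "verbs": verbs}

# Rules transcribed from the ClusterRole shown in the report.
REPORTED_RULES = [
    R(["console.openshift.io"], ["consoleexternalloglinks"], ["*"]),
    R([""], ["configmaps"], ["*"]),
    R(["scheduling.k8s.io"], ["priorityclasses"], ["*"]),
    R(["oauth.openshift.io"], ["oauthclients"], ["*"]),
    R(["rbac.authorization.k8s.io"], ["clusterroles", "clusterrolebindings"], ["*"]),
    R(["config.openshift.io"], ["proxies"], ["get", "list", "watch"]),
    R([""], ["pods", "namespaces", "services", "services/finalizers"],
      ["get", "list", "watch"]),
]
# The rule the report identifies as missing.
MISSING_RULE = R(["security.openshift.io"], ["securitycontextconstraints"], ["create"])

def _resource_matches(rule_resources, resource):
    sub = resource.split("/", 1)[1] if "/" in resource else ""
    for r in rule_resources:
        if r == "*" or r == resource:
            return True
        if sub and r == "*/" + sub:  # "*/status"-style subresource wildcard
            return True
    return False

def allowed(rules, verb, group, resource):
    """True if any single rule grants verb on group/resource."""
    for rule in rules:
        verbs, groups = rule["verbs"], rule["apiGroups"]
        if (("*" in verbs or verb in verbs)
                and ("*" in groups or group in groups)
                and _resource_matches(rule["resources"], resource)):
            return True
    return False

def missing(rules, required):
    """Return the (verb, group, resource) tuples that no rule grants."""
    return [req for req in required if not allowed(rules, *req)]

# First entry comes from the operator's error message; the other two are
# constructed checks against permissions the role does grant.
REQUIRED = [
    ("create", "security.openshift.io", "securitycontextconstraints"),
    ("update", "", "configmaps"),
    ("get", "", "services/finalizers"),
]

if __name__ == "__main__":
    print("before:", missing(REPORTED_RULES, REQUIRED))
    print("after: ", missing(REPORTED_RULES + [MISSING_RULE], REQUIRED))
```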