  1. OpenShift Logging
  2. LOG-6083

Loki Operator does not create RBAC for all LokiStack instances


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Log Storage
    • Log Storage - Sprint 260, Log Storage - Sprint 261, Log Storage - Sprint 262, Log Storage - Sprint 263, Log Storage - Sprint 264, Log Storage - Sprint 265, Log Storage - Sprint 268, Log Storage - Sprint 269, Log Storage - Sprint 270, Log Storage - Sprint 271, Log Storage - Sprint 272, Log Storage - Sprint 273, Logging - Sprint 274, Logging - Sprint 275, Logging - Sprint 276, Logging - Sprint 277, Logging - Sprint 278

      Description of problem:

      A customer has the following setup: one LokiStack instance in the openshift-logging namespace, and another one in openshift-network-observability. The customer configured both instances with the same name:
      
       k get lokistack -A                                              
      NAMESPACE                         NAME   AGE
      openshift-logging                 loki   39d
      openshift-network-observability   loki   9m1s
      
      When having this set up, it seems like the operator does not add all of the loki-gateway ServiceAccounts as subjects in the loki-gateway-authorizer ClusterRoleBinding:
      
      k get clusterrolebinding loki-gateway-authorizer -o yaml         
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: "2024-07-22T13:46:30Z"
        labels:
          app.kubernetes.io/component: lokistack-gateway
          app.kubernetes.io/created-by: lokistack-controller
          app.kubernetes.io/instance: loki
          app.kubernetes.io/managed-by: lokistack-controller
          app.kubernetes.io/name: lokistack
        name: loki-gateway-authorizer
        resourceVersion: "3750629363"
        uid: 56dd5bf1-0a88-4eb9-9de3-e65bcd397b29
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: loki-gateway-authorizer
      subjects:
      - kind: ServiceAccount
        name: loki-gateway
        namespace: openshift-network-observability
      
      However, when the customer uses different names for each instance, it works just fine.
          

      Steps to Reproduce:

          1. Create two LokiStack instances with the same name in different namespaces, e.g., openshift-logging and openshift-network-observability.
          2. Run kubectl get clusterrolebinding <loki-instance-name>-gateway-authorizer -o yaml and observe which ServiceAccounts are included.
          

      Actual results:

      Operator does not add all of the loki-gateway ServiceAccounts as subjects
          

      Additional info:

      Here are the results when using two different Loki instance names:
      ❯ k get lokistack -A
      NAMESPACE                         NAME             AGE
      openshift-logging                 loki             11d
      openshift-network-observability   netobserv-loki   30d
      
      There are two different CRBs due to the unique LokiStack names
      
      
      ❯ k get clusterrolebinding loki-gateway-authorizer -o yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: "2024-07-22T13:46:30Z"
        labels:
          app.kubernetes.io/component: lokistack-gateway
          app.kubernetes.io/created-by: lokistack-controller
          app.kubernetes.io/instance: loki
          app.kubernetes.io/managed-by: lokistack-controller
          app.kubernetes.io/name: lokistack
        name: loki-gateway-authorizer
        resourceVersion: "3754964242"
        uid: 56dd5bf1-0a88-4eb9-9de3-e65bcd397b29
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: loki-gateway-authorizer
      subjects:
      - kind: ServiceAccount
        name: loki-gateway
        namespace: openshift-logging
      ❯ k get clusterrolebinding netobserv-loki-gateway-authorizer -o yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: "2024-07-23T19:42:30Z"
        labels:
          app.kubernetes.io/component: lokistack-gateway
          app.kubernetes.io/created-by: lokistack-controller
          app.kubernetes.io/instance: netobserv-loki
          app.kubernetes.io/managed-by: lokistack-controller
          app.kubernetes.io/name: lokistack
        name: netobserv-loki-gateway-authorizer
        resourceVersion: "3754224052"
        uid: c8e9a43f-0b78-4437-b91a-6282ea518d31
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: netobserv-loki-gateway-authorizer
      subjects:
      - kind: ServiceAccount
        name: netobserv-loki-gateway
        namespace: openshift-network-observability
          

              jmarcal@redhat.com Joao Marcal
              rhn-support-gbarrera Gricel Barrera
              Anping Li Anping Li
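
A check for the condition described in this report, as an added example that is not part of the original issue or the Loki Operator's code: it takes JSON shaped like `kubectl get lokistack -A -o json` and `kubectl get clusterrolebinding -o json` and lists gateway ServiceAccounts missing from their `<name>-gateway-authorizer` binding. The sample input is constructed from the outputs shown in the description, and `audit_gateway_bindings` is a hypothetical helper name.

```python
import json
from collections import defaultdict

# Constructed sample input mirroring the report: same LokiStack name in two
# namespaces, and the single ClusterRoleBinding the cluster ended up with.
LOKISTACKS = json.loads("""{"items": [
  {"metadata": {"namespace": "openshift-logging", "name": "loki"}},
  {"metadata": {"namespace": "openshift-network-observability", "name": "loki"}}
]}""")
CRBS = json.loads("""{"items": [
  {"metadata": {"name": "loki-gateway-authorizer"},
   "subjects": [{"kind": "ServiceAccount", "name": "loki-gateway",
                 "namespace": "openshift-network-observability"}]}
]}""")

def audit_gateway_bindings(lokistacks, crbs):
    """Return (collisions, missing).

    collisions: CRB name -> namespaces of LokiStacks that share that binding.
    missing: sorted (crb, namespace, serviceaccount) tuples for gateway
    ServiceAccounts that are not subjects of their expected binding.
    """
    bound = defaultdict(set)
    for crb in crbs["items"]:
        for s in crb.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                bound[crb["metadata"]["name"]].add((s.get("namespace"), s["name"]))
    expected = defaultdict(list)
    for ls in lokistacks["items"]:
        meta = ls["metadata"]
        # Naming taken from the report: <name>-gateway-authorizer / <name>-gateway.
        expected[f"{meta['name']}-gateway-authorizer"].append(
            (meta["namespace"], f"{meta['name']}-gateway"))
    # A cluster-scoped binding name shared by several namespaces is the collision.
    collisions = {crb: sorted(ns for ns, _ in subs)
                  for crb, subs in expected.items() if len(subs) > 1}
    missing = sorted((crb, ns, sa) for crb, subs in expected.items()
                     for ns, sa in subs if (ns, sa) not in bound[crb])
    return collisions, missing

if __name__ == "__main__":
    collisions, missing = audit_gateway_bindings(LOKISTACKS, CRBS)
    for crb, namespaces in collisions.items():
        print(f"shared ClusterRoleBinding {crb}: {', '.join(namespaces)}")
    for crb, ns, sa in missing:
        print(f"{crb} is missing subject {ns}/{sa}")
```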