Bug
Resolution: Done
Critical
Logging 6.4.0
Quality / Stability / Reliability
Release Note Not Required
Moderate

Description of problem:
After changing the ruleSet in LFME, it raises the error below:
```yaml
status:
  conditions:
  - lastTransitionTime: "2025-10-09T01:25:31Z"
    message: 'networkpolicies.networking.k8s.io "lfme-logfilesmetricexporter" is forbidden: User "system:serviceaccount:openshift-logging:cluster-logging-operator" cannot update resource "networkpolicies" in API group "networking.k8s.io" in the namespace "openshift-logging"'
    reason: Invalid
    status: "False"
    type: Ready
```
And in CLO's logs:
```
{"_ts":"2025-10-09T01:25:31.481742735Z","_level":"0","_component":"cluster-logging-operator","_message":"logfilemetricexporter.ReconcileNetworkPolicy","_error":{"msg":"networkpolicies.networking.k8s.io \"lfme-logfilesmetricexporter\" is forbidden: User \"system:serviceaccount:openshift-logging:cluster-logging-operator\" cannot update resource \"networkpolicies\" in API group \"networking.k8s.io\" in the namespace \"openshift-logging\""}}
{"_ts":"2025-10-09T01:25:31.481768623Z","_level":"0","_component":"cluster-logging-operator","_message":"logfilemetricexporter-controller returning, error","_error":{"msg":"networkpolicies.networking.k8s.io \"lfme-logfilesmetricexporter\" is forbidden: User \"system:serviceaccount:openshift-logging:cluster-logging-operator\" cannot update resource \"networkpolicies\" in API group \"networking.k8s.io\" in the namespace \"openshift-logging\""}}
{"_ts":"2025-10-09T01:25:31.486150027Z","_level":"0","_component":"cluster-logging-operator","_message":"Reconciler error","LogFileMetricExporter":{"name":"instance","namespace":"openshift-logging"},"_error":{"msg":"networkpolicies.networking.k8s.io \"lfme-logfilesmetricexporter\" is forbidden: User \"system:serviceaccount:openshift-logging:cluster-logging-operator\" cannot update resource \"networkpolicies\" in API group \"networking.k8s.io\" in the namespace \"openshift-logging\""},"controller":"logfilemetricexporter","controllerGroup":"logging.openshift.io","controllerKind":"LogFileMetricExporter","name":"instance","namespace":"openshift-logging","reconcileID":"49b68736-4e6d-41ae-97d6-d14f04754dee"}
```
Version-Release number of selected component (if applicable):
cluster-logging.v6.4.0
How reproducible:
Always
Steps to Reproduce:
1. Deploy LFME with the YAML below:
   ```yaml
   apiVersion: logging.openshift.io/v1alpha1
   kind: LogFileMetricExporter
   metadata:
     name: instance
     namespace: openshift-logging
   spec:
     networkPolicy:
       ruleSet: AllowAllIngressEgress
     resources:
       limits:
         cpu: 500m
         memory: 256Mi
       requests:
         cpu: 200m
         memory: 128Mi
   ```
2. Wait until all resources are ready, then change the networkPolicy.ruleSet to `AllowIngressMetrics`
3. Check LFME's status
Actual results:
CLO can't update networkPolicy when the networkPolicy.ruleSet is changed.
Expected results:
NetworkPolicy should be updated without any error.
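
A triage helper for the failure reported above, added here as an example and not taken from the report or from the operator's code: it reads operator JSON log lines, extracts the RBAC denials, and reports which verb on which resource each service account lacks. The function name, the regular expression and the sample lines (shortened from the logs in this report) are assumptions of this example.

```python
import json
import re
from collections import defaultdict

# Shape of the API server's RBAC denial text as it appears in the report.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)

# Constructed sample: two records shortened from the log lines in the report,
# plus one non-JSON line and one unrelated record to exercise the skip paths.
_MSG = ('networkpolicies.networking.k8s.io "lfme-logfilesmetricexporter" is forbidden: '
        'User "system:serviceaccount:openshift-logging:cluster-logging-operator" '
        'cannot update resource "networkpolicies" in API group "networking.k8s.io" '
        'in the namespace "openshift-logging"')
SAMPLE_LOG = "\n".join([
    json.dumps({"_ts": "2025-10-09T01:25:31.481742735Z", "_level": "0",
                "_message": "logfilemetricexporter.ReconcileNetworkPolicy",
                "_error": {"msg": _MSG}}),
    json.dumps({"_ts": "2025-10-09T01:25:31.486150027Z", "_level": "0",
                "_message": "Reconciler error", "_error": {"msg": _MSG}}),
    "not json",
    json.dumps({"_ts": "2025-10-09T01:25:32Z", "_message": "reconcile ok"}),
])

def missing_permissions(log_text):
    """Return {(user, verb, resource, api_group, namespace): occurrence_count}."""
    denied = defaultdict(int)
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        err = record.get("_error") if isinstance(record, dict) else None
        msg = err.get("msg", "") if isinstance(err, dict) else ""
        match = FORBIDDEN.search(msg)
        if match:
            # namespace is None for cluster-scoped denials
            denied[match.group("user", "verb", "resource", "group", "namespace")] += 1
    return dict(denied)

if __name__ == "__main__":
    for (user, verb, resource, group, ns), n in missing_permissions(SAMPLE_LOG).items():
        print(f"{n}x {user} lacks '{verb}' on {resource}.{group} in {ns}")
```

Each reported tuple can be confirmed against the cluster with `oc auth can-i <verb> <resource>.<group> -n <namespace> --as=<user>`.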