-
Bug
-
Resolution: Not a Bug
-
Blocker
-
None
-
None
-
None
-
Quality / Stability / Reliability
-
False
-
-
None
-
Critical
-
None
-
None
-
NetObserv - Sprint 273
-
None
-
None
-
None
Description of problem:
Multi-tenancy with Loki fails with console-plugin PF4 build on 4.14
Steps to Reproduce:
1. Deploy 1.9 2. Run test case https://github.com/openshift/openshift-tests-private/blob/release-4.14/test/extended/netobserv/test_flowcollector.go#L516 3.
Actual results:
Jun 17 16:37:36.222: INFO: Loki query is {app="netobserv-flowcollector", SrcK8S_Namespace="testuser-0-r1j00al8-server", DstK8S_Namespace="testuser-0-r1j00al8-client", FlowDirection="0", S}
Jun 17 16:38:06.222: INFO: https://lokistack-e2e-test-netobserv-kftlh.apps.memodi-414ovn.qe.devcluster.openshift.com/api/logs/v1/network/loki/api/v1/query_range?direction=BACKWARD&end=1750
Jun 17 16:38:06.424: INFO: Error response from server: {"error":"You don't have permission to access this tenant","errorType":"observatorium-api","status":"error"}
(<nil>) attempts remaining: 5
Jun 17 16:38:06.483: INFO: Error response from server: {"error":"You don't have permission to access this tenant","errorType":"observatorium-api","status":"error"}
(<nil>) attempts remaining: 4
Jun 17 16:38:06.593: INFO: Error response from server: {"error":"You don't have permission to access this tenant","errorType":"observatorium-api","status":"error"}
(<nil>) attempts remaining: 3
Jun 17 16:38:06.643: INFO: Error response from server: {"error":"You don't have permission to access this tenant","errorType":"observatorium-api","status":"error"}
(<nil>) attempts remaining: 2
Jun 17 16:38:06.690: INFO: Error response from server: {"error":"You don't have permission to access this tenant","errorType":"observatorium-api","status":"error"}
(<nil>) attempts remaining: 1
Jun 17 16:38:06.743: INFO: Error response from server: {"error":"You don't have permission to access this tenant","errorType":"observatorium-api","status":"error"}
(<nil>) attempts remaining: 0
Jun 17 16:38:06.743: INFO:
got error run out of attempts while querying the server when getting network logs for query: {app="netobserv-flowcollector", SrcK8S_Namespace="testuser-0-r1j00al8-server", DstK8S_Namespac}
Expected results:
When user added to netobserv-user-reader clusterrolebinding, user should be able to view flowlogs for the namespace it owns.
$ oc get clusterrolebinding/netobserv-user-reader -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"netobserv-user-reader"},"roleRef":{"apiGroup":"rbac.authorization.k8s.i}
creationTimestamp: "2025-06-17T20:36:30Z"
name: netobserv-user-reader
resourceVersion: "179657"
uid: 21a810f1-c23a-455b-b418-bc76ba62f074
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: netobserv-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: testuser-0-r1j00al8
- apiGroup: rbac.authorization.k8s.io
kind: User
name: testuser-0
This isn't the issue with 1.8.1 where test passes successfully: https://jenkins-csb-openshift-qe-mastern.dno.corp.redhat.com/job/ocp-common/job/ginkgo-test/293052/