OpenShift Bugs / OCPBUGS-14698

Creating an OperatorGroup with "name: cluster" breaks the whole cluster

    • Bug
    • Resolution: Done-Errata
    • Major
    • 4.15
    • 4.13.0, 4.14
    • OLM
    • Important
    • No
    • Err, Farfetch'd 240, Grumpy 241, Happy 242, INKEY$ (OPRUN 243)
    • 5
    • Rejected
    • False
      * Before this update, if you created an Operator group with the same name as a previously existing cluster role, Operator Lifecycle Manager (OLM) would overwrite the cluster roles. With this fix, OLM generates a unique cluster role name for every Operator group by using the following syntax:

      .Naming syntax
      +
      [source,text]
      ----
      olm.og.<operator_group_name>.<admin_edit_or_view>-<hash_value>
      ----

      For more information, see xref:../operators/understanding/olm/olm-understanding-operatorgroups.adoc#olm-operatorgroups-rbac_olm-understanding-operatorgroups[Operator groups]. (link:https://issues.redhat.com/browse/OCPBUGS-14698[*OCPBUGS-14698*])
    • Bug Fix
    • Done

      Description of problem:

      Creating an OperatorGroup resource having "name: cluster" causes major issues and we can't log in to the cluster anymore.
      
      After this command all "oc" commands fail including "oc login...". The console/oauth endpoint showed:
      {"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request.","state":"c72af27d"}
      
      Notes:
      - Restarting the cluster doesn't solve the problem, it's persistent.
      - Reproduced with OpenShift 4.12.12 and 4.13.0 in different environments (ROSA, CRC...)
      - Using a different name for the OperatorGroup is a simple workaround. The name "cluster" seems to cause the problem.
      - It doesn't matter what namespace the OperatorGroup is created in or what the "spec" looks like

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      Repeatedly

      Steps to Reproduce:

      Steps to reproduce, while logged in as cluster-admin:
      $ oc apply -f - <<EOF
      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: cluster
      spec: {}
      EOF

      Actual results:

       

      Expected results:

       

      Additional info:

      The root cause seems to be that OLM overwrites the "cluster-admin" role

            tshort@redhat.com Todd Short
            bszeti@redhat.com Balazs Szeti
            Jian Zhang
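
An audit for the name collision described in this report, as an added example that is not code from the issue or from OLM. It assumes the pre-fix ClusterRole names were `<operator_group_name>-<admin|edit|view>`; the sample OperatorGroups, the baseline role set, the function names and the hash computation are constructed for illustration.

```python
import hashlib
import json

SUFFIXES = ("admin", "edit", "view")

# Constructed sample shaped like `oc get operatorgroups -A -o json` output.
SAMPLE_OPERATOR_GROUPS = json.loads("""
{"items": [
  {"metadata": {"namespace": "openshift-operators", "name": "global-operators"}},
  {"metadata": {"namespace": "test", "name": "cluster"}},
  {"metadata": {"namespace": "team-a", "name": "storage"}}
]}
""")

# Constructed baseline: ClusterRoles that existed before any OperatorGroup did.
BASELINE_ROLES = {"cluster-admin", "admin", "edit", "view", "storage-admin"}

def legacy_role_names(og_name):
    """Assumed pre-fix scheme: <operator_group_name>-<admin|edit|view>."""
    return [f"{og_name}-{suffix}" for suffix in SUFFIXES]

def fixed_role_names(namespace, og_name):
    """Post-fix syntax from the release note; the hash here is a stand-in."""
    digest = hashlib.sha256(f"{namespace}/{og_name}".encode()).hexdigest()[:10]
    return [f"olm.og.{og_name}.{suffix}-{digest}" for suffix in SUFFIXES]

def find_collisions(operator_groups, baseline_roles):
    """Return (namespace, name, role) for each legacy name hitting the baseline."""
    hits = []
    for item in operator_groups.get("items", []):
        meta = item["metadata"]
        for role in legacy_role_names(meta["name"]):
            if role in baseline_roles:
                hits.append((meta["namespace"], meta["name"], role))
    return hits

def fixed_scheme_is_disjoint(operator_groups, baseline_roles):
    """True when no post-fix role name appears in the baseline."""
    return all(
        role not in baseline_roles
        for item in operator_groups.get("items", [])
        for role in fixed_role_names(item["metadata"]["namespace"],
                                     item["metadata"]["name"])
    )

if __name__ == "__main__":
    for ns, name, role in find_collisions(SAMPLE_OPERATOR_GROUPS, BASELINE_ROLES):
        print(f"OperatorGroup {ns}/{name} would take over ClusterRole {role}")
```

On a cluster that still runs an affected version, the baseline set would come from a ClusterRole listing taken before any OperatorGroup was created.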