- Bug
- Resolution: Done
- Critical
- 4.14
- No
- Proposed
- False
Description of problem:
CCO's ServiceAccount cannot list ConfigMaps at the cluster scope.
Steps to Reproduce:
1. Install an OCP cluster (4.14.0-0.nightly-2023-07-17-215017, CCO commit id = 0c80cc35f6ee4b45016050b3e5a8710a8ed4dd81) with default configuration (CCO in default mode)
2. Create a dummy CredentialsRequest as follows:

    apiVersion: cloudcredential.openshift.io/v1
    kind: CredentialsRequest
    metadata:
      name: test-cr
      namespace: openshift-cloud-credential-operator
    spec:
      providerSpec:
        apiVersion: cloudcredential.openshift.io/v1
        kind: AWSProviderSpec
        statementEntries:
        - action:
          - ec2:CreateTags
          effect: Allow
          resource: '*'
        stsIAMRoleARN: whatever
      secretRef:
        name: test-secret
        namespace: default
      serviceAccountNames:
      - default

3. Check CCO Pod logs:

    time="2023-07-18T10:02:45Z" level=info msg="reconciling clusteroperator status"
    time="2023-07-18T10:02:45Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/test-cr
    time="2023-07-18T10:02:45Z" level=info msg="adding finalizer: cloudcredential.openshift.io/deprovision" controller=credreq cr=openshift-cloud-credential-operator/test-cr secret=default/test-secret
    time="2023-07-18T10:02:45Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/test-cr
    time="2023-07-18T10:02:45Z" level=info msg="stsFeatureGateEnabled: false" actuator=aws cr=openshift-cloud-credential-operator/test-cr
    time="2023-07-18T10:02:45Z" level=info msg="stsDetected: false" actuator=aws cr=openshift-cloud-credential-operator/test-cr
    time="2023-07-18T10:02:45Z" level=info msg="clusteroperator status updated" controller=status
    time="2023-07-18T10:02:45Z" level=info msg="reconciling clusteroperator status"
    time="2023-07-18T10:02:45Z" level=info msg="reconciling clusteroperator status"
    time="2023-07-18T10:02:45Z" level=info msg="reconciling clusteroperator status"
    time="2023-07-18T10:02:45Z" level=info msg="reconciling clusteroperator status"
    W0718 10:02:45.352434 1 reflector.go:533] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    E0718 10:02:45.352460 1 reflector.go:148] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    W0718 10:02:46.512738 1 reflector.go:533] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    E0718 10:02:46.512763 1 reflector.go:148] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    W0718 10:02:48.859931 1 reflector.go:533] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    E0718 10:02:48.859957 1 reflector.go:148] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    W0718 10:02:53.514713 1 reflector.go:533] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    E0718 10:02:53.514798 1 reflector.go:148] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    W0718 10:03:03.042040 1 reflector.go:533] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    E0718 10:03:03.042068 1 reflector.go:148] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    W0718 10:03:25.023729 1 reflector.go:533] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    E0718 10:03:25.023758 1 reflector.go:148] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    time="2023-07-18T10:04:10Z" level=info msg="calculating metrics for all CredentialsRequests" controller=metrics
    time="2023-07-18T10:04:10Z" level=info msg="reconcile complete" controller=metrics elapsed=4.470475ms
    W0718 10:04:11.033286 1 reflector.go:533] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    E0718 10:04:11.033311 1 reflector.go:148] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    W0718 10:04:42.316200 1 reflector.go:533] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    E0718 10:04:42.316223 1 reflector.go:148] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    W0718 10:05:40.852983 1 reflector.go:533] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    E0718 10:05:40.853008 1 reflector.go:148] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
    time="2023-07-18T10:06:10Z" level=info msg="reconciling clusteroperator status"
    time="2023-07-18T10:06:10Z" level=info msg="reconciling clusteroperator status"
    time="2023-07-18T10:06:10Z" level=info msg="calculating metrics for all CredentialsRequests" controller=metrics
    time="2023-07-18T10:06:10Z" level=info msg="reconcile complete" controller=metrics elapsed=3.531182ms
    time="2023-07-18T10:06:10Z" level=info msg="reconciling clusteroperator status"
    time="2023-07-18T10:06:10Z" level=info msg="reconciling clusteroperator status"
    time="2023-07-18T10:06:10Z" level=info msg="reconciling clusteroperator status"
    time="2023-07-18T10:06:10Z" level=info msg="reconciling clusteroperator status"
    time="2023-07-18T10:06:10Z" level=info msg="reconciling clusteroperator status"
    ...
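A triage helper for the log above, added here as an example and not part of the report or the CCO code base: it collapses the repeated reflector warnings and errors into distinct RBAC denials (subject, verb, resource, API group, scope), which is the list a ClusterRole or Role fix has to cover. `Denial`, `SummarizeDenials` and `sampleLog` are names assumed for this example; the sample holds three lines copied from the report plus one constructed namespace-scoped line.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Denial is one distinct RBAC refusal reported by the API server.
type Denial struct{ User, Verb, Resource, Group, Scope string }

// Matches the API server's "forbidden" message as quoted in the reflector lines.
var forbiddenRE = regexp.MustCompile(
	`User "([^"]+)" cannot (\S+) resource "([^"]+)" in API group "([^"]*)" (at the cluster scope|in the namespace "[^"]+")`)

// SummarizeDenials returns how many log lines report each distinct denial.
func SummarizeDenials(log string) map[Denial]int {
	counts := map[Denial]int{}
	for _, line := range strings.Split(log, "\n") {
		m := forbiddenRE.FindStringSubmatch(line)
		if m == nil {
			continue // info lines and unrelated errors
		}
		group := m[4]
		if group == "" {
			group = "core" // the empty API group is the core group
		}
		counts[Denial{m[1], m[2], m[3], group, m[5]}]++
	}
	return counts
}

// sampleLog: the first three lines are from the report; the last line is
// constructed for this example to show a namespace-scoped denial.
const sampleLog = `time="2023-07-18T10:02:45Z" level=info msg="reconciling clusteroperator status"
W0718 10:02:45.352434 1 reflector.go:533] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
E0718 10:02:45.352460 1 reflector.go:148] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
W0718 10:02:45.000000 1 reflector.go:533] example: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:example-ns:example-sa" cannot list resource "secrets" in API group "" in the namespace "example-ns"`

func main() {
	for d, n := range SummarizeDenials(sampleLog) {
		fmt.Printf("%dx %s: %s %s (group %s) %s\n", n, d.User, d.Verb, d.Resource, d.Group, d.Scope)
	}
}
```

A denial reported "at the cluster scope" for a subject that only holds namespaced Roles points at an informer cache watching all namespaces, as in this report.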
- causes: OCPBUGS-16366 [AWS] secret "capa-manager-bootstrap-credentials" not found (Closed)
- is duplicated by: OCPBUGS-16386 Pods fail to come online because of issues in Cloud credential operator (Closed)
- links to