- Bug
- Resolution: Not a Bug
- Normal
- None
- 4.15.z
Description of problem:
In HOSTEDCP-1344, additional permissions were added to the control-plane-pki-operator role (https://github.com/openshift/hypershift/blob/2cad0e5dbc053cd09472f77c3186fbddd265a188/control-plane-operator/controllers/hostedcontrolplane/pkioperator/reconcile.go#L133-L183). However, this role is created and reconciled by the control-plane-operator (CPO), and Kubernetes restricts which roles an entity may create: a role can only be created if either
- You already have all the permissions contained in the role, at the same scope as the object being modified (cluster-wide for a ClusterRole, within the same namespace or cluster-wide for a Role).
- You are granted explicit permission to perform the escalate verb on the roles or clusterroles resource in the rbac.authorization.k8s.io API group.
So the control-plane-operator role also needs the additional permissions that were added to the control-plane-pki-operator role, OR it needs the ability to perform the escalate verb on roles.
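As an added illustration, not HyperShift code and not the apiserver's own implementation, here is a simplified Go model of the escalation check that produces this error: it lists which permissions in a role the creator does not hold and allows creation only when none are missing or the creator holds escalate on roles. The PolicyRule type and the function names are assumptions of this example; the three rules in PKIOperatorAdditions are the ones rejected in the log under Actual results.

```go
package main

import "fmt"

// PolicyRule is the shape of an RBAC rule (resourceNames/nonResourceURLs omitted).
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
// has treats "*" in a held rule as a wildcard, as RBAC does.
func has(list []string, item string) bool {
	for _, v := range list {
		if v == "*" || v == item {
			return true
		}
	}
	return false
}
// Holds reports whether any rule in held grants group/resource/verb.
func Holds(held []PolicyRule, group, resource, verb string) bool {
	for _, r := range held {
		if has(r.APIGroups, group) && has(r.Resources, resource) && has(r.Verbs, verb) {
			return true
		}
	}
	return false
}
// Uncovered lists each "group/resource:verb" in wanted that held does not grant.
func Uncovered(held, wanted []PolicyRule) (out []string) {
	for _, w := range wanted {
		for _, g := range w.APIGroups {
			for _, res := range w.Resources {
				for _, v := range w.Verbs {
					if !Holds(held, g, res, v) {
						out = append(out, fmt.Sprintf("%s/%s:%s", g, res, v))
					}
				}
			}
		}
	}
	return out
}
// CanCreateRole: hold every permission the new role grants, or hold escalate on roles.
func CanCreateRole(held, wanted []PolicyRule) bool {
	return Holds(held, "rbac.authorization.k8s.io", "roles", "escalate") || len(Uncovered(held, wanted)) == 0
}
// PKIOperatorAdditions are the three rules the apiserver refused in the log under Actual results.
var PKIOperatorAdditions = []PolicyRule{
	{[]string{"certificates.hypershift.openshift.io"}, []string{"certificaterevocationrequests"}, []string{"get", "list", "watch"}},
	{[]string{"certificates.hypershift.openshift.io"}, []string{"certificaterevocationrequests/status"}, []string{"patch"}},
	{[]string{"certificates.hypershift.openshift.io"}, []string{"certificatesigningrequestapprovals"}, []string{"get", "list", "watch"}},
}
```

Feeding a constructed CPO rule set that lacks these three rules returns seven uncovered permissions, matching the shape of the apiserver's "permissions not currently held" message; adding either the rules themselves or an escalate rule on roles makes CanCreateRole return true.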
Version-Release number of selected component (if applicable):
4.15.0-0.nightly-2024-02-13-100737
How reproducible:
100%
Steps to Reproduce:
1. Attempt to install a ROSA HCP cluster (though in practice any HyperShift cluster should run into this as long as the hosted control plane does not have PKI reconciliation disabled via the annotation "hypershift.openshift.io/disable-pki-reconciliation").
Actual results:
The control-plane-operator spins, unable to complete the PKI reconcile, with the following log:
{"level":"error","ts":"2024-02-13T20:06:41Z","msg":"Reconciler error","controller":"hostedcontrolplane","controllerGroup":"hypershift.openshift.io","controllerKind":"HostedControlPlane","HostedControlPlane":{"name":"mohit-252v3","namespace":"ocm-staging-29ckpdom6thbbp7fi2a25ld6bfalsie7-mohit-252v3"},"namespace":"ocm-staging-29ckpdom6thbbp7fi2a25ld6bfalsie7-mohit-252v3","name":"mohit-252v3","reconcileID":"16dabac8-05ae-472f-990f-1993f6f76fcc","error":"failed to update control plane: failed to reconcile control plane pki operator: failed to reconcile control plane pki operator role: roles.rbac.authorization.k8s.io \"control-plane-pki-operator\" is forbidden: user \"system:serviceaccount:ocm-staging-29ckpdom6thbbp7fi2a25ld6bfalsie7-mohit-252v3:control-plane-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:ocm-staging-29ckpdom6thbbp7fi2a25ld6bfalsie7-mohit-252v3\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"certificates.hypershift.openshift.io\"], Resources:[\"certificaterevocationrequests\"], Verbs:[\"get\" \"list\" \"watch\"]}\n{APIGroups:[\"certificates.hypershift.openshift.io\"], Resources:[\"certificaterevocationrequests/status\"], Verbs:[\"patch\"]}\n{APIGroups:[\"certificates.hypershift.openshift.io\"], Resources:[\"certificatesigningrequestapprovals\"], Verbs:[\"get\" \"list\" \"watch\"]}","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/hypershift/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/hypershift/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/hypershift/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:227"}
Expected results:
CPO is able to create this control-plane-pki-operator role and finish rolling out the control plane.
Additional info: