Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-31497

[csi-snapshot-controller-operator] does not create suitable role and roleBinding for csi-snapshot-webhook

XMLWordPrintable

    • Important
    • No
    • False
    • Hide

      None

      Show
      None
    • NA
    • Release Note Not Required
    • In Progress

      Description of problem:

      [csi-snapshot-controller-operator] does not create suitable role and roleBinding for csi-snapshot-webhook    

      Version-Release number of selected component (if applicable):

      $ oc version
      Client Version: 4.14.0-rc.0
      Kustomize Version: v5.0.1
      Server Version: 4.14.0-0.nightly-2024-03-28-004801
      Kubernetes Version: v1.27.11+749fe1d    

      How reproducible:

      Always    

      Steps to Reproduce:

          1. Create an OpenShift cluster on AWS;
          2. Check the csi-snapshot-webhook logs with no errors.

      Actual results:

      In step 2:
      $ oc logs csi-snapshot-webhook-76bf9bd758-cxr7g
      I0328 08:02:58.016020       1 certwatcher.go:129] Updated current TLS certificate
      W0328 08:02:58.029464       1 reflector.go:424] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:117: failed to list *v1.VolumeSnapshotClass: volumesnapshotclasses.snapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumesnapshotclasses" in API group "snapshot.storage.k8s.io" at the cluster scope
      E0328 08:02:58.029512       1 reflector.go:140] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:117: Failed to watch *v1.VolumeSnapshotClass: failed to list *v1.VolumeSnapshotClass: volumesnapshotclasses.snapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumesnapshotclasses" in API group "snapshot.storage.k8s.io" at the cluster scope
      W0328 08:02:58.888397       1 reflector.go:424] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:117: failed to list *v1.VolumeSnapshotClass: volumesnapshotclasses.snapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumesnapshotclasses" in API group "snapshot.storage.k8s.io" at the cluster scope

      Expected results:

      In step2 the csi-snapshot-webhook logs should have no cannot list resource errors

      Additional info:

      The issue exist on 4.15 and 4.16 as well, in addition since 4.15+ the webhook needs additional "VolumeGroupSnapshotClass" list permissions
      
      $ oc logs csi-snapshot-webhook-794b7b54d7-b8vl9
      ...
      E0328 12:12:06.509158       1 reflector.go:147] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: Failed to watch *v1alpha1.VolumeGroupSnapshotClass: failed to list *v1alpha1.VolumeGroupSnapshotClass: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumegroupsnapshotclasses" in API group "groupsnapshot.storage.k8s.io" at the cluster scope
      W0328 12:12:50.836582       1 reflector.go:535] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: failed to list *v1alpha1.VolumeGroupSnapshotClass: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumegroupsnapshotclasses" in API group "groupsnapshot.storage.k8s.io" at the cluster scope
      ...

            jdobson@redhat.com Jonathan Dobson
            rhn-support-pewang Penghao Wang
            Penghao Wang Penghao Wang
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: