- Bug
- Resolution: Done-Errata
- Major
- 4.13.z, 4.12.z, 4.14.z, 4.15.z, 4.16
This is a clone of issue OCPBUGS-31497. The following is the description of the original issue:
—
Description of problem:
[csi-snapshot-controller-operator] does not create suitable role and roleBinding for csi-snapshot-webhook
Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.14.0-rc.0
Kustomize Version: v5.0.1
Server Version: 4.14.0-0.nightly-2024-03-28-004801
Kubernetes Version: v1.27.11+749fe1d
How reproducible:
Always
Steps to Reproduce:
1. Create an OpenShift cluster on AWS.
2. Check the csi-snapshot-webhook logs with no errors.
Actual results:
In step 2:
$ oc logs csi-snapshot-webhook-76bf9bd758-cxr7g
I0328 08:02:58.016020 1 certwatcher.go:129] Updated current TLS certificate
W0328 08:02:58.029464 1 reflector.go:424] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:117: failed to list *v1.VolumeSnapshotClass: volumesnapshotclasses.snapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumesnapshotclasses" in API group "snapshot.storage.k8s.io" at the cluster scope
E0328 08:02:58.029512 1 reflector.go:140] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:117: Failed to watch *v1.VolumeSnapshotClass: failed to list *v1.VolumeSnapshotClass: volumesnapshotclasses.snapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumesnapshotclasses" in API group "snapshot.storage.k8s.io" at the cluster scope
W0328 08:02:58.888397 1 reflector.go:424] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:117: failed to list *v1.VolumeSnapshotClass: volumesnapshotclasses.snapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumesnapshotclasses" in API group "snapshot.storage.k8s.io" at the cluster scope
Expected results:
In step 2, the csi-snapshot-webhook logs should have no "cannot list resource" errors.
Additional info:
The issue exists on 4.15 and 4.16 as well. In addition, since 4.15+ the webhook needs additional "VolumeGroupSnapshotClass" list permissions:
$ oc logs csi-snapshot-webhook-794b7b54d7-b8vl9
...
E0328 12:12:06.509158 1 reflector.go:147] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: Failed to watch *v1alpha1.VolumeGroupSnapshotClass: failed to list *v1alpha1.VolumeGroupSnapshotClass: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumegroupsnapshotclasses" in API group "groupsnapshot.storage.k8s.io" at the cluster scope
W0328 12:12:50.836582 1 reflector.go:535] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: failed to list *v1alpha1.VolumeGroupSnapshotClass: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumegroupsnapshotclasses" in API group "groupsnapshot.storage.k8s.io" at the cluster scope
...
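An added triage example, not part of the original report or of the operator's code: it parses the RBAC denials out of webhook logs like the ones above and groups them into the rules each identity is missing, which also makes it visible that the denied identity here is the namespace's `default` service account. The function names and the `<cluster>` scope marker are assumptions of this sketch; the sample lines are copied from the logs quoted in this report, plus handling for the namespaced form of the same message.

```python
import re
from collections import defaultdict

# Denial text returned by the API server, as embedded in the reflector log lines.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

# Sample input: lines copied from the logs quoted in this report.
SAMPLE_LOG = '''\
I0328 08:02:58.016020 1 certwatcher.go:129] Updated current TLS certificate
W0328 08:02:58.029464 1 reflector.go:424] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:117: failed to list *v1.VolumeSnapshotClass: volumesnapshotclasses.snapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumesnapshotclasses" in API group "snapshot.storage.k8s.io" at the cluster scope
E0328 08:02:58.029512 1 reflector.go:140] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:117: Failed to watch *v1.VolumeSnapshotClass: failed to list *v1.VolumeSnapshotClass: volumesnapshotclasses.snapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumesnapshotclasses" in API group "snapshot.storage.k8s.io" at the cluster scope
E0328 12:12:06.509158 1 reflector.go:147] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: Failed to watch *v1alpha1.VolumeGroupSnapshotClass: failed to list *v1alpha1.VolumeGroupSnapshotClass: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:default" cannot list resource "volumegroupsnapshotclasses" in API group "groupsnapshot.storage.k8s.io" at the cluster scope
'''

def parse_denials(log_text):
    """Return de-duplicated denials as (user, scope, group, resource, verb)."""
    found = set()
    for m in DENIAL.finditer(log_text):
        scope = m["ns"] or "<cluster>"  # "<cluster>" is this sketch's own marker
        found.add((m["user"], scope, m["group"], m["resource"], m["verb"]))
    return found

def missing_rules(log_text):
    """Group denials into RBAC-style rule dicts keyed by (user, scope)."""
    grouped = defaultdict(lambda: defaultdict(set))
    for user, scope, group, resource, verb in parse_denials(log_text):
        grouped[(user, scope)][(group, resource)].add(verb)
    return {
        key: [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
              for (g, r), v in sorted(perms.items())]
        for key, perms in grouped.items()
    }

def split_service_account(user):
    """Return (namespace, name) for a service account user name, else None."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2], parts[3]
    return None

if __name__ == "__main__":
    for (user, scope), rules in missing_rules(SAMPLE_LOG).items():
        print(split_service_account(user), scope, rules)
```

The logs only show the `list` denial because the informer's initial list fails before it can start watching, so a rule that clears these errors needs `watch` as well as `list`.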
- blocks: OCPBUGS-31886 [csi-snapshot-controller-operator] does not create suitable role and roleBinding for csi-snapshot-webhook (Closed)
- clones: OCPBUGS-31497 [csi-snapshot-controller-operator] does not create suitable role and roleBinding for csi-snapshot-webhook (Closed)
- is blocked by: OCPBUGS-31497 [csi-snapshot-controller-operator] does not create suitable role and roleBinding for csi-snapshot-webhook (Closed)
- is cloned by: OCPBUGS-31886 [csi-snapshot-controller-operator] does not create suitable role and roleBinding for csi-snapshot-webhook (Closed)
- is duplicated by: OCPBUGS-31397 [4.15] volumesnapshot admission webhook doesn't reject invalid request (Closed)
- links to: RHBA-2024:1887 OpenShift Container Platform 4.15.z bug fix update