Details
-
Bug
-
Resolution: Unresolved
-
Normal
-
None
-
4.16.0
-
None
-
No
-
False
-
Description
Description of problem:
The ClusterRole and ClusterRoleBinding for csi-snapshot-controller are currently created in https://github.com/openshift/cluster-csi-snapshot-controller-operator/blob/master/manifests/05_operand_rbac.yaml This manifest is applied by CVO, not by cluster-csi-snapshot-controller-operator. Fabio pointed out one problem with this is that the ClusterRoleBinding in this manifest references a ServiceAccount that is created by the operator later: https://github.com/openshift/cluster-csi-snapshot-controller-operator/blob/master/assets/serviceaccount.yaml So the RBAC permissions in manifests/05_operand_rbac.yaml should be created by cluster-csi-snapshot-controller-operator instead of CVO. This means though that the operator needs the same permissions in manifests/05_operator_clusterrole.yaml so that it can grant them to the operand. 1. Move manifests/05_operand_rbac.yaml to assets/rbac/ and add this manifest to pkg/operator/starter.go 2. Add required permissions to manifests/05_operator_clusterrole.yaml so the operator can create the ClusterRoles for csi-snapshot-controller and csi-snapshot-webhook 3. Remove manifests/06_operator_operand_clusterrolebinding.yaml
Version-Release number of selected component (if applicable):
4.16.0
How reproducible:
Steps to Reproduce:
1. 2. 3.
Actual results:
csi-snapshot-controller ClusterRole is created by CVO
Expected results:
csi-snapshot-controller ClusterRole should be created by cluster-csi-snapshot-controller-operator
Additional info: