OpenShift Bugs: OCPBUGS-32026

[Azure] Permissions required when migrating an OpenShift Cluster to Azure AD Workload Identity to apply the Azure Pod Identity webhook configuration.

    • Release Note Type: Release Note Not Required
    • Status: In Progress

      Description of problem:

          When migrating an OpenShift cluster to Azure AD Workload Identity, there are not sufficient permissions to apply the Azure Pod Identity webhook configuration.

      Version-Release number of selected component (if applicable):

          4.16

      How reproducible:

         Always

      Steps to Reproduce:

          1. Follow the steps provided in the documentation: https://github.com/openshift/cloud-credential-operator/blob/master/docs/azure_workload_identity.md#steps-to-in-place-migrate-an-openshift-cluster-to-azure-ad-workload-identity
          2. At step 10, applying the Azure pod identity webhook configuration fails.

      Actual results:

      For step 10:
      [hmx@fedora CCO]$ oc replace -f ./CCO-456/output_dir/manifests/azure-ad-pod-identity-webhook-config.yaml
       Error from server (NotFound): error when replacing "./CCO-456/output_dir/manifests/azure-ad-pod-identity-webhook-config.yaml": secrets "azure-credentials" not found

       [hmx@fedora CCO]$ oc get po -n openshift-cloud-credential-operator
       NAME                                         READY   STATUS    RESTARTS   AGE
       cloud-credential-operator-594bf555b4-6srcq   2/2     Running   0          3h32m
      
      [hmx@fedora CCO]$ oc logs cloud-credential-operator-594bf555b4-6srcq -n openshift-cloud-credential-operator
      Defaulted container "kube-rbac-proxy" out of: kube-rbac-proxy, cloud-credential-operator
      Flag --logtostderr has been deprecated, will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components
      I0410 06:41:25.490507       1 kube-rbac-proxy.go:285] Valid token audiences: 
      I0410 06:41:25.490752       1 kube-rbac-proxy.go:399] Reading certificate files
      I0410 06:41:25.491607       1 kube-rbac-proxy.go:447] Starting TCP socket on 0.0.0.0:8443
      I0410 06:41:25.492241       1 kube-rbac-proxy.go:454] Listening securely on 0.0.0.0:8443
      E0410 06:41:52.996659       1 webhook.go:154] Failed to make webhook authenticator request: Unauthorized
      E0410 06:41:52.997568       1 auth.go:47] Unable to authenticate the request due to an error: Unauthorized
      E0410 06:42:15.871706       1 webhook.go:154] Failed to make webhook authenticator request: Unauthorized
      E0410 06:42:15.871754       1 auth.go:47] Unable to authenticate the request due to an error: Unauthorized

      Expected results:

          Apply the azure pod identity webhook configuration successfully.

      Additional info:

          

            jstuever@redhat.com Jeremiah Stuever
            mihuang@redhat.com Mingxia Huang
            Votes: 0
            Watchers: 5

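The NotFound error in the report is what `oc replace` returns whenever the object named in the manifest does not yet exist on the cluster: `replace` updates an existing object and never creates one. The script below is an added example written for this page; it is not code from the bug report or from the cloud-credential-operator project. It checks for the object first (using `oc get -f`, which reads kind, name and namespace from the manifest itself), then chooses `create` or `replace`, and afterwards verifies that the resulting Secret carries the expected keys. The Secret name `azure-credentials` comes from the error message in the report; the namespace, the data keys in the constructed sample manifest, and the `KUBECTL` override variable (used to point the functions at a stub) are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example for OCPBUGS-32026; not code from the bug report or from the
# cloud-credential-operator project. `oc replace` requires the object to exist
# and fails with NotFound otherwise, which is the error shown in the report.
set -eu

# KUBECTL is an assumed knob: point it at a stub (a shell function) to exercise
# the logic without a cluster. Defaults to the real `oc` client.
KUBECTL="${KUBECTL:-oc}"

# write_sample_manifest FILE
# Writes a constructed stand-in for azure-ad-pod-identity-webhook-config.yaml.
# The Secret name comes from the error in the report; the namespace and the
# data keys are assumptions for this example, not values from the page.
write_sample_manifest() {
  cat >"$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: azure-credentials
  namespace: openshift-cloud-credential-operator
stringData:
  azure_region: eastus
  azure_subscription_id: 00000000-0000-0000-0000-000000000000
  azure_tenant_id: 11111111-1111-1111-1111-111111111111
EOF
}

# apply_manifest FILE
# `oc get -f FILE` resolves kind/name/namespace from the manifest, so no YAML
# parsing is needed here. Creates the object when absent, replaces it when
# present, and prints which path was taken ("created" or "replaced").
apply_manifest() {
  manifest="$1"
  if "$KUBECTL" get -f "$manifest" >/dev/null 2>&1; then
    "$KUBECTL" replace -f "$manifest" >/dev/null
    echo replaced
  else
    "$KUBECTL" create -f "$manifest" >/dev/null
    echo created
  fi
}

# verify_secret_keys NAME NAMESPACE KEY...
# Reads the Secret's .data map as JSON and returns non-zero if any listed key
# is missing, so a silently incomplete Secret is caught before moving on.
verify_secret_keys() {
  name="$1"; ns="$2"; shift 2
  keys=$("$KUBECTL" get secret "$name" -n "$ns" -o jsonpath='{.data}')
  for k in "$@"; do
    case "$keys" in
      *"\"$k\""*) ;;
      *) echo "missing key: $k" >&2; return 1 ;;
    esac
  done
  return 0
}

# When run as a script with a manifest path, apply it and verify the result.
if [ $# -gt 0 ]; then
  apply_manifest "$1"
  verify_secret_keys azure-credentials openshift-cloud-credential-operator \
    azure_region azure_subscription_id azure_tenant_id
fi
```

One further check when reading the log excerpt in the report: the `Defaulted container "kube-rbac-proxy"` line means `oc logs` printed the metrics proxy sidecar, not the operator itself, and the `Unauthorized` lines are that proxy rejecting a scrape request. The operator's own log is selected with `oc logs <pod> -n openshift-cloud-credential-operator -c cloud-credential-operator`.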