OpenShift Bugs / OCPBUGS-35092

ValidatingAdmissionPolicy errors when enabling techpreview


      Description of problem:

      When we enable techpreview we see ValidatingAdmissionPolicy errors in the MCDs
      
      
      0607 12:11:34.471802    2511 upgrade_monitor.go:265] Error applying MCN status: machineconfignodes.machineconfiguration.openshift.io "ip-10-0-54-123" is forbidden: ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: this user must have a "authentication.kubernetes.io/node-name" claim
      E0607 12:11:34.471821    2511 pinned_image_set.go:223] failed to update status: machineconfignodes.machineconfiguration.openshift.io "ip-10-0-54-123" is forbidden: ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: this user must have a "authentication.kubernetes.io/node-name" claim
      E0607 12:11:34.485756    2511 upgrade_monitor.go:265] Error applying MCN status: machineconfignodes.machineconfiguration.openshift.io "ip-10-0-54-123" is forbidden: ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: this user must have a "authentication.kubernetes.io/node-name" claim
      E0607 12:11:34.485770    2511 pinned_image_set.go:589] Failed to updated machine config node: machineconfignodes.machineconfiguration.openshift.io "ip-10-0-54-123" is forbidden: ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: this user must have a "authentication.kubernetes.io/node-name" claim
      E0607 12:11:34.500048    2511 upgrade_monitor.go:265] Error applying MCN status: machineconfignodes.machineconfiguration.openshift.io "ip-10-0-54-123" is forbidden: ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: this user must have a "authentication.kubernetes.io/node-name" claim
      
      

      Version-Release number of selected component (if applicable):

      Disconnected baremetal cluster, using flexy-install template
      private-templates/functionality-testing/aos-4_17/upi-on-baremetal/versioned-installer-aws-disconnected
      
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.17.0-0.nightly-2024-06-06-061523   True        False         5h17m   Cluster version is 4.17.0-0.nightly-2024-06-06-061523
      
      

      How reproducible:

      One out of one, but after investigating it, it looks intermittent
      

      Steps to Reproduce:

      1. Enable techpreview
      
      $ oc patch featuregate cluster --type=merge -p '{"spec":{"featureSet": "TechPreviewNoUpgrade"}}'
      

      Actual results:

      MCD pods start spamming this error
      
      E0607 12:57:53.105875    2511 upgrade_monitor.go:265] Error applying MCN status: machineconfignodes.machineconfiguration.openshift.io "ip-10-0-54-123" is forbidden: ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' denied request: this user must have a "authentication.kubernetes.io/node-name" claim
      
      
      

      Expected results:

      No errors should be spammed in MCDs
      

      Additional info:

      Slack conversation in: https://redhat-internal.slack.com/archives/C02CZNQHGN8/p1717764899536409
      

            team-mco Team MCO
            sregidor@redhat.com Sergio Regidor de la Rosa
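
A triage helper for the log output in this report, as an added example that is not part of the original report or of the MCO code base: it parses klog lines from an MCD pod log, extracts ValidatingAdmissionPolicy denials, and counts them per policy, binding, object and call site. The sample lines are constructed in the format shown above; the node name `node-a` and the `daemon.go:100` line are made up for illustration.

```python
import re
from collections import Counter

# klog header: optional severity letter + MMDD, time, pid, file:line], message.
# Severity is optional because a copied log line can lose its leading letter.
KLOG = re.compile(r"^(?P<sev>[IWEF])?(?P<date>\d{4}) (?P<time>[\d:.]+)\s+(?P<pid>\d+) "
                  r"(?P<site>[\w.]+:\d+)\] (?P<msg>.*)$")
# Denial text returned by the API server for a ValidatingAdmissionPolicy rejection.
DENIAL = re.compile(r'(?P<resource>[\w.]+) "(?P<name>[^"]+)" is forbidden: '
                    r"ValidatingAdmissionPolicy '(?P<policy>[^']+)' with binding "
                    r"'(?P<binding>[^']+)' denied request: (?P<reason>.*)$")

def parse_denials(lines):
    """Yield one dict per log line that carries a ValidatingAdmissionPolicy denial."""
    for line in lines:
        head = KLOG.match(line.strip())
        if not head:
            continue
        hit = DENIAL.search(head["msg"])
        if hit:
            yield {**hit.groupdict(), "site": head["site"], "time": head["time"]}

def summarize(lines):
    """Count denials per (policy, binding, object name, call site)."""
    return Counter((d["policy"], d["binding"], d["name"], d["site"])
                   for d in parse_denials(lines))

# Constructed sample input modelled on the report's log format.
DENY = ('machineconfignodes.machineconfiguration.openshift.io "node-a" is forbidden: '
        "ValidatingAdmissionPolicy 'mcn-guards' with binding 'mcn-guards-binding' "
        'denied request: this user must have a "authentication.kubernetes.io/node-name" claim')
SAMPLE = [
    "I0607 12:11:30.000001    2511 daemon.go:100] constructed unrelated line",
    f"E0607 12:11:34.471802    2511 upgrade_monitor.go:265] Error applying MCN status: {DENY}",
    f"0607 12:11:34.485756    2511 upgrade_monitor.go:265] Error applying MCN status: {DENY}",
    f"E0607 12:11:34.471821    2511 pinned_image_set.go:223] failed to update status: {DENY}",
]

if __name__ == "__main__":
    for (policy, binding, name, site), count in summarize(SAMPLE).most_common():
        print(f"{count:4d}  policy={policy} binding={binding} object={name} site={site}")
```

Feeding it the saved log of each MCD pod shows whether the denials are confined to particular nodes or call sites, which helps when the problem looks intermittent.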