OpenShift Bugs / OCPBUGS-39562

creating kubedescheduler instance for KDO 5.1.0 fails with RBAC errors


    • Bug
    • Resolution: Unresolved
    • Critical
    • None
    • 4.17.0
    • descheduler
    • Important
    • None
    • 1
    • Workloads Sprint 259
    • 1
    • Proposed
    • False

      Description of problem:

      Creating kubedescheduler instance with latest 5.1.0 bits fails with RBAC errors.
          

      Version-Release number of selected component (if applicable):

          [knarra@knarra-thinkpadx1carbon7th Downloads]$ oc get csv -n openshift-kube-descheduler-operator
          NAME                                    DISPLAY                     VERSION   REPLACES                                PHASE
          clusterkubedescheduleroperator.v5.1.0   Kube Descheduler Operator   5.1.0     clusterkubedescheduleroperator.v5.0.1   Succeeded
          

      How reproducible:

          Always
          

      Steps to Reproduce:

          1. Install KDO 5.1.0
          2. Now click ->create Instance -> KubeDescheduler
          3.
          

      Actual results:

          The KubeDescheduler instance does not get created, and upon checking the operator log the errors below are seen.
          E0904 12:58:23.891848       1 target_config_reconciler.go:1044] key failed with : clusterroles.rbac.authorization.k8s.io "openshift-descheduler-operand" is forbidden: user "system:serviceaccount:openshift-kube-descheduler-operator:openshift-descheduler" (groups=["system:serviceaccounts" "system:serviceaccounts:openshift-kube-descheduler-operator" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
      {APIGroups:[""], Resources:["nodes"], Verbs:["get" "watch" "list"]}
      {APIGroups:[""], Resources:["pods/eviction"], Verbs:["create"]}
      {APIGroups:["scheduling.k8s.io"], Resources:["priorityclasses"], Verbs:["get" "watch" "list"]}
      I0904 12:58:23.891932       1 event.go:377] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"6e77bc1d-68f1-4b8c-a333-c01c391bd85b", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Warning' reason: 'ClusterRoleCreateFailed' Failed to create ClusterRole.rbac.authorization.k8s.io/openshift-descheduler-operand: clusterroles.rbac.authorization.k8s.io "openshift-descheduler-operand" is forbidden: user "system:serviceaccount:openshift-kube-descheduler-operator:openshift-descheduler" (groups=["system:serviceaccounts" "system:serviceaccounts:openshift-kube-descheduler-operator" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
      {APIGroups:[""], Resources:["nodes"], Verbs:["get" "watch" "list"]}
      {APIGroups:[""], Resources:["pods/eviction"], Verbs:["create"]}
      {APIGroups:["scheduling.k8s.io"], Resources:["priorityclasses"], Verbs:["get" "watch" "list"]}
          

      Expected results:

          Should be able to create a kubedescheduler instance and no RBAC errors should be reported.
          

      Additional info:

          https://redhat-internal.slack.com/archives/GK58XC2G2/p1725454764072259
          

              jchaloup@redhat.com Jan Chaloupka
              knarra@redhat.com Rama Kasturi Narra
              Rama Kasturi Narra Rama Kasturi Narra
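
The denial in the log above comes from the Kubernetes RBAC escalation check, which rejects creating a role that grants permissions the requester does not itself hold. As an added triage example (not part of the report or the operator's code), the following parses such log entries into the distinct missing permissions per subject and renders an `oc auth can-i` check for each; the function names and the abridged sample log are assumptions made here.

```python
import re

# Denial header as printed in the operator log above, and the rule lines that follow it.
# Only the APIGroups/Resources/Verbs rule form shown in the report is handled.
DENIAL = re.compile(r'(\w+)\.rbac\.authorization\.k8s\.io "([^"]+)" is forbidden: '
                    r'user "([^"]+)".*?is attempting to grant RBAC permissions not currently held:')
RULE = re.compile(r'\{APIGroups:\[(.*?)\], Resources:\[(.*?)\], Verbs:\[(.*?)\]\}')
QUOTED = re.compile(r'"([^"]*)"')

# Sample input: the two log entries from the report, abridged (timestamps, groups list, Event object elided).
SAMPLE_LOG = '''\
E0904 ... key failed with : clusterroles.rbac.authorization.k8s.io "openshift-descheduler-operand" is forbidden: user "system:serviceaccount:openshift-kube-descheduler-operator:openshift-descheduler" (groups=[...]) is attempting to grant RBAC permissions not currently held:
{APIGroups:[""], Resources:["nodes"], Verbs:["get" "watch" "list"]}
{APIGroups:[""], Resources:["pods/eviction"], Verbs:["create"]}
{APIGroups:["scheduling.k8s.io"], Resources:["priorityclasses"], Verbs:["get" "watch" "list"]}
I0904 ... reason: 'ClusterRoleCreateFailed' Failed to create ClusterRole.rbac.authorization.k8s.io/openshift-descheduler-operand: clusterroles.rbac.authorization.k8s.io "openshift-descheduler-operand" is forbidden: user "system:serviceaccount:openshift-kube-descheduler-operator:openshift-descheduler" (groups=[...]) is attempting to grant RBAC permissions not currently held:
{APIGroups:[""], Resources:["nodes"], Verbs:["get" "watch" "list"]}
{APIGroups:[""], Resources:["pods/eviction"], Verbs:["create"]}
{APIGroups:["scheduling.k8s.io"], Resources:["priorityclasses"], Verbs:["get" "watch" "list"]}
'''

def missing_grants(log_text):
    """Map (user, role kind, role name) -> set of (api_group, resource, verb) not held."""
    found, current = {}, None
    for line in log_text.splitlines():
        header = DENIAL.search(line)
        if header:
            kind, name, user = header.groups()
            current = found.setdefault((user, kind, name), set())  # repeats merge here
            continue
        rule = RULE.fullmatch(line.strip())
        if rule and current is not None:
            groups, resources, verbs = (QUOTED.findall(part) for part in rule.groups())
            current.update((g, r, v) for g in groups for r in resources for v in verbs)
        else:
            current = None  # any other line ends the rule list of the last denial
    return found

def can_i_commands(found):
    """Render one `oc auth can-i` check per missing permission, impersonating the subject."""
    cmds = []
    for (user, _kind, _name), perms in sorted(found.items()):
        for group, resource, verb in sorted(perms):
            res, _, sub = resource.partition("/")          # e.g. pods/eviction
            target = f"{res}.{group}" if group else res    # core group has no suffix
            sub_flag = f" --subresource={sub}" if sub else ""
            cmds.append(f"oc auth can-i {verb} {target}{sub_flag} --as={user}")
    return cmds

if __name__ == "__main__":
    print("\n".join(can_i_commands(missing_grants(SAMPLE_LOG))))
```
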