Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-41994

[5.0.z] creating kubedescheduler instance for KDO 5.1.0 fails with RBAC errors

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • 4.16.z
    • descheduler
    • Important
    • None
    • 1
    • Workloads Sprint 259, Workloads Sprint 260, Workloads Sprint 261, Workloads Sprint 262
    • 4
    • Proposed
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      Creating kubedescheduler instance with latest 5.1.0 bits fails with RBAC errors.

      Version-Release number of selected component (if applicable):

           [knarra@knarra-thinkpadx1carbon7th Downloads]$ oc get csv -n openshift-kube-descheduler-operator
NAME                                    DISPLAY                     VERSION   REPLACES                                PHASE
clusterkubedescheduleroperator.v5.1.0   Kube Descheduler Operator   5.1.0     clusterkubedescheduleroperator.v5.0.1   Succeeded

      How reproducible:

          Always

      Steps to Reproduce:

          1. Install KDO 5.1.0
    2. Now click ->create Instance -> KubeDescheduler
    3.

      Actual results:

          KubeDescheduler instance does not get created and upon checking the operator log below errors are seen.
    E0904 12:58:23.891848       1 target_config_reconciler.go:1044] key failed with : clusterroles.rbac.authorization.k8s.io "openshift-descheduler-operand" is forbidden: user "system:serviceaccount:openshift-kube-descheduler-operator:openshift-descheduler" (groups=["system:serviceaccounts" "system:serviceaccounts:openshift-kube-descheduler-operator" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:[""], Resources:["nodes"], Verbs:["get" "watch" "list"]}
{APIGroups:[""], Resources:["pods/eviction"], Verbs:["create"]}
{APIGroups:["scheduling.k8s.io"], Resources:["priorityclasses"], Verbs:["get" "watch" "list"]}
I0904 12:58:23.891932       1 event.go:377] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"6e77bc1d-68f1-4b8c-a333-c01c391bd85b", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Warning' reason: 'ClusterRoleCreateFailed' Failed to create ClusterRole.rbac.authorization.k8s.io/openshift-descheduler-operand: clusterroles.rbac.authorization.k8s.io "openshift-descheduler-operand" is forbidden: user "system:serviceaccount:openshift-kube-descheduler-operator:openshift-descheduler" (groups=["system:serviceaccounts" "system:serviceaccounts:openshift-kube-descheduler-operator" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:[""], Resources:["nodes"], Verbs:["get" "watch" "list"]}
{APIGroups:[""], Resources:["pods/eviction"], Verbs:["create"]}
{APIGroups:["scheduling.k8s.io"], Resources:["priorityclasses"], Verbs:["get" "watch" "list"]}

      Expected results:

          Should be able to create a kubedescheduler instance and no RBAC errors should be reported.

      Additional info:

          https://redhat-internal.slack.com/archives/GK58XC2G2/p1725454764072259

              jchaloup@redhat.com Jan Chaloupka
              knarra@redhat.com Rama Kasturi Narra
              Rama Kasturi Narra Rama Kasturi Narra
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: