OpenShift Bugs: OCPBUGS-54178

CNO Missing servicemonitors and prometheusrules permissions for non-OVN Kubernetes


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • Fix Version: 4.19.0
    • 4.15.z, 4.16.z, 4.17.z, 4.18.z
    • Component: HyperShift
    • Quality / Stability / Reliability
    • Severity: Moderate
    • Done
    • Release Note Type: Bug Fix
    • Release Note Text:
      * Previously, on instances of Red{nbsp}Hat OpenShift on {ibm-cloud-title} that are based on {hcp}, in non-OVN clusters, the Cluster Network Operator could not patch service monitors and Prometheus rules in the `monitoring.coreos.com` API group. As a consequence, the Cluster Network Operator logs showed permissions errors and "could not apply" messages. With this release, permissions for service monitors and Prometheus rules are added in the Cluster Network Operator for non-OVN clusters. As a result, the Cluster Network Operator logs no longer show permissions errors. (link:https://issues.redhat.com/browse/OCPBUGS-54178[OCPBUGS-54178])

      Description of problem:

          The Cluster Network Operator in HyperShift-based ROKS clusters is seeing the following "could not apply" messages in the logs.
      ```
      I0307 16:55:14.238931       1 log.go:245] could not apply (monitoring.coreos.com/v1, Kind=ServiceMonitor) master-cv4sd8t20ikp81ba5l7g/monitor-multus-admission-controller: failed to apply / update (monitoring.coreos.com/v1, Kind=ServiceMonitor) master-cv4sd8t20ikp81ba5l7g/monitor-multus-admission-controller: servicemonitors.monitoring.coreos.com "monitor-multus-admission-controller" is forbidden: User "system:serviceaccount:master-cv4sd8t20ikp81ba5l7g:cluster-network-operator" cannot patch resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "master-cv4sd8t20ikp81ba5l7g": RBAC: clusterrole.rbac.authorization.k8s.io "ibm-privileged-psp-user" not found
      I0307 16:55:14.238965       1 log.go:245] Object has ignore-errors annotation set, continuing
      I0307 16:55:14.257649       1 log.go:245] could not apply (monitoring.coreos.com/v1, Kind=PrometheusRule) master-cv4sd8t20ikp81ba5l7g/prometheus-k8s-rules: failed to apply / update (monitoring.coreos.com/v1, Kind=PrometheusRule) master-cv4sd8t20ikp81ba5l7g/prometheus-k8s-rules: prometheusrules.monitoring.coreos.com "prometheus-k8s-rules" is forbidden: User "system:serviceaccount:master-cv4sd8t20ikp81ba5l7g:cluster-network-operator" cannot patch resource "prometheusrules" in API group "monitoring.coreos.com" in the namespace "master-cv4sd8t20ikp81ba5l7g": RBAC: clusterrole.rbac.authorization.k8s.io "ibm-privileged-psp-user" not found
      I0307 16:55:14.257683       1 log.go:245] Object has ignore-errors annotation set, continuing
      ```
      See the related fix, which never addressed servicemonitors or prometheusrules: https://github.com/openshift/hypershift/pull/2159/files

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          Every time.

      Steps to Reproduce:

          1. Create a ROKS v4.18 or earlier cluster (non-OVN).
          2. Check the cluster-network-operator pod logs in the master control plane.
          

      Actual results:

          The CNO is unable to patch servicemonitors and prometheusrules in API group "monitoring.coreos.com".

      Expected results:

          The CNO should be able to patch servicemonitors and prometheusrules resources in API group "monitoring.coreos.com".

      Additional info:

          
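      The following is an added example and not code from this bug report, from the Cluster Network Operator, or from the HyperShift repository. It shows the working practitioners do between the log lines above and the fix the release note describes: parse the API server's RBAC denial clause out of operator logs, collapse the denials into a Role and RoleBinding that grant exactly the denied verbs on the denied resources (no wildcards), and emit `kubectl auth can-i` commands that impersonate the service account to verify the grant. The sample log is constructed and modelled on the lines above; the namespace `master-example` is made up, and `cno-monitoring` is a hypothetical role name. The `RBAC: clusterrole ... "ibm-privileged-psp-user" not found` suffix is reported separately because it means an existing binding in that namespace points at a ClusterRole that no longer exists, and such a binding grants nothing.

```python
# Added example (not from the bug report or the HyperShift/CNO code): turn the
# RBAC denials in operator logs into a least-privilege Role/RoleBinding and
# into `kubectl auth can-i` checks that verify the grant.
import re
from collections import OrderedDict

# The API server's RBAC denial clause, as seen in the CNO log lines above.
_DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)
# The RBAC authorizer appends this when a binding's roleRef points at a
# ClusterRole that no longer exists; such a binding grants nothing.
_MISSING_ROLE = re.compile(
    r'clusterrole\.rbac\.authorization\.k8s\.io "(?P<role>[^"]+)" not found'
)

# Constructed sample modelled on the bug's log lines; "master-example" is a
# made-up control-plane namespace, the service account name is the CNO's.
SAMPLE_LOG = """\
I0307 16:55:14.238931 1 log.go:245] could not apply (monitoring.coreos.com/v1, Kind=ServiceMonitor) master-example/monitor-multus-admission-controller: servicemonitors.monitoring.coreos.com "monitor-multus-admission-controller" is forbidden: User "system:serviceaccount:master-example:cluster-network-operator" cannot patch resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "master-example": RBAC: clusterrole.rbac.authorization.k8s.io "ibm-privileged-psp-user" not found
I0307 16:55:14.238965 1 log.go:245] Object has ignore-errors annotation set, continuing
I0307 16:55:14.257649 1 log.go:245] could not apply (monitoring.coreos.com/v1, Kind=PrometheusRule) master-example/prometheus-k8s-rules: prometheusrules.monitoring.coreos.com "prometheus-k8s-rules" is forbidden: User "system:serviceaccount:master-example:cluster-network-operator" cannot patch resource "prometheusrules" in API group "monitoring.coreos.com" in the namespace "master-example": RBAC: clusterrole.rbac.authorization.k8s.io "ibm-privileged-psp-user" not found
"""


def parse_denials(log_text):
    """One dict per distinct (user, namespace, group, resource, verb) denial."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = _DENIAL.search(line)
        if not m:
            continue
        d = m.groupdict()
        r = _MISSING_ROLE.search(line)
        d["missing_clusterrole"] = r.group("role") if r else None
        key = (d["user"], d["namespace"], d["group"], d["resource"], d["verb"])
        seen.setdefault(key, d)
    return list(seen.values())


def missing_clusterroles(denials):
    """Dangling roleRefs reported alongside the denials (a misconfiguration)."""
    return {d["missing_clusterrole"] for d in denials if d["missing_clusterrole"]}


def rbac_rules(denials):
    """Collapse denials into rules: one per (group, resource), only the denied
    verbs, no wildcards."""
    verbs = OrderedDict()
    for d in denials:
        v = verbs.setdefault((d["group"], d["resource"]), [])
        if d["verb"] not in v:
            v.append(d["verb"])
    return [{"apiGroups": [g], "resources": [r], "verbs": v}
            for (g, r), v in verbs.items()]


def _subject(user):
    """Map a username to a RoleBinding subject (ServiceAccount or User)."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return {"kind": "ServiceAccount", "name": parts[3], "namespace": parts[2]}
    return {"kind": "User", "name": user}


def role_manifest(denials, role_name):
    """Render a namespaced Role and RoleBinding as YAML. Requires a single
    subject and namespace, which is what one operator's logs produce."""
    namespaces = {d["namespace"] for d in denials}
    users = {d["user"] for d in denials}
    if len(namespaces) != 1 or len(users) != 1:
        raise ValueError("expected exactly one subject and one namespace")
    ns, subj = namespaces.pop(), _subject(users.pop())
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: Role", "metadata:",
           f"  name: {role_name}", f"  namespace: {ns}", "rules:"]
    for rule in rbac_rules(denials):
        out += [f'- apiGroups: ["{rule["apiGroups"][0]}"]',
                f'  resources: ["{rule["resources"][0]}"]',
                "  verbs: [" + ", ".join(f'"{v}"' for v in rule["verbs"]) + "]"]
    out += ["---", "apiVersion: rbac.authorization.k8s.io/v1", "kind: RoleBinding",
            "metadata:", f"  name: {role_name}", f"  namespace: {ns}", "roleRef:",
            "  apiGroup: rbac.authorization.k8s.io", "  kind: Role",
            f"  name: {role_name}", "subjects:", f"- kind: {subj['kind']}",
            f"  name: {subj['name']}"]
    if "namespace" in subj:
        out.append(f"  namespace: {subj['namespace']}")
    return "\n".join(out) + "\n"


def can_i_commands(denials):
    """`kubectl auth can-i` per denial, impersonating the subject: expect "no"
    before the Role is applied and "yes" after."""
    cmds = []
    for d in denials:
        res = d["resource"] + (f'.{d["group"]}' if d["group"] else "")
        cmds.append(f'kubectl auth can-i {d["verb"]} {res} -n {d["namespace"]} '
                    f'--as={d["user"]}')
    return cmds
```

      Running `role_manifest(parse_denials(SAMPLE_LOG), "cno-monitoring")` yields a Role granting `patch` on `servicemonitors` and `prometheusrules` in `monitoring.coreos.com`, bound to `system:serviceaccount:master-example:cluster-network-operator`. The script grants only the verbs the logs show as denied; an apply path that also needs `get`, `create` or `update` will surface those as the next denials after the Role is applied, so rerun it against fresh logs rather than widening the rule to `*`. The dangling-ClusterRole names returned by `missing_clusterroles` point at RoleBindings in the namespace that should be deleted or repointed, since they authorize nothing as they stand.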

              evan.reilly Evan Reilly (Inactive)