  1. OpenShift Bugs
  2. OCPBUGS-54698

CNO Missing servicemonitors and prometheusrules permissions for non-OVN Kubernetes


    • Bug
    • Resolution: Done-Errata
    • Normal
    • 4.18.0
    • 4.15.z, 4.17.z, 4.16.z, 4.18.z
    • HyperShift
    • Moderate
    • In Progress
    • Bug Fix
    • Added missing permissions for servicemonitors and prometheusrules in the Cluster Network Operator (CNO) for non-OVN clusters. This resolves permission errors and addresses "could not apply" messages in the CNO logs.

      This is a clone of issue OCPBUGS-54178. The following is the description of the original issue:

      Description of problem:

          The Cluster Network Operator in HyperShift-based ROKS clusters is seeing the following "could not apply" messages in the logs.
      ```
      I0307 16:55:14.238931       1 log.go:245] could not apply (monitoring.coreos.com/v1, Kind=ServiceMonitor) master-cv4sd8t20ikp81ba5l7g/monitor-multus-admission-controller: failed to apply / update (monitoring.coreos.com/v1, Kind=ServiceMonitor) master-cv4sd8t20ikp81ba5l7g/monitor-multus-admission-controller: servicemonitors.monitoring.coreos.com "monitor-multus-admission-controller" is forbidden: User "system:serviceaccount:master-cv4sd8t20ikp81ba5l7g:cluster-network-operator" cannot patch resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "master-cv4sd8t20ikp81ba5l7g": RBAC: clusterrole.rbac.authorization.k8s.io "ibm-privileged-psp-user" not found
      I0307 16:55:14.238965       1 log.go:245] Object has ignore-errors annotation set, continuing
      I0307 16:55:14.257649       1 log.go:245] could not apply (monitoring.coreos.com/v1, Kind=PrometheusRule) master-cv4sd8t20ikp81ba5l7g/prometheus-k8s-rules: failed to apply / update (monitoring.coreos.com/v1, Kind=PrometheusRule) master-cv4sd8t20ikp81ba5l7g/prometheus-k8s-rules: prometheusrules.monitoring.coreos.com "prometheus-k8s-rules" is forbidden: User "system:serviceaccount:master-cv4sd8t20ikp81ba5l7g:cluster-network-operator" cannot patch resource "prometheusrules" in API group "monitoring.coreos.com" in the namespace "master-cv4sd8t20ikp81ba5l7g": RBAC: clusterrole.rbac.authorization.k8s.io "ibm-privileged-psp-user" not found
      I0307 16:55:14.257683       1 log.go:245] Object has ignore-errors annotation set, continuing
      ```
      See related fix which never addressed servicemonitors or prometheus rules: https://github.com/openshift/hypershift/pull/2159/files

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          Every time.

      Steps to Reproduce:

          1. Create ROKS v4.18 or earlier cluster (non-OVN).
          2. Check the cluster-network-operator pod logs in the master control plane.
          

      Actual results:

          The CNO is unable to patch servicemonitors and prometheusrules in API group "monitoring.coreos.com".

      Expected results:

          The CNO should be able to patch servicemonitors and prometheusrules resources in API group "monitoring.coreos.com".

      Additional info:

          

              evan.reilly Evan Reilly
              openshift-crt-jira-prow OpenShift Prow Bot
              Evan Reilly Evan Reilly
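
A way to triage denials like the ones quoted in this report, as an added example that is not part of the original issue or of the CNO code base: it parses the API server's "is forbidden" text out of operator log lines, groups the denied verbs into Role-style rules per namespace and service account, and counts how many denials were followed by the "ignore-errors" line and so never surfaced as a failure. The function name `missing_rules`, the namespace `master-example` and the sample log are constructed for illustration; treating the line after a denial as its "ignore-errors" marker is an assumption based on the ordering in the excerpt.

```python
import re
from collections import defaultdict

# Matches the RBAC denial text as it appears in the CNO log lines quoted in the report.
DENIED = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"'
)
IGNORED = "Object has ignore-errors annotation set, continuing"

def missing_rules(log_text):
    """Return ({(namespace, service account): [Role rules]}, suppressed_count)."""
    lines = log_text.splitlines()
    needed = defaultdict(lambda: defaultdict(set))
    suppressed = 0
    for i, line in enumerate(lines):
        m = DENIED.search(line)
        if not m:
            continue
        subject = (m["ns"], f'{m["sa_ns"]}:{m["sa"]}')
        needed[subject][(m["group"], m["resource"])].add(m["verb"])
        # Assumption: the ignore-errors marker is the line right after the denial.
        if i + 1 < len(lines) and IGNORED in lines[i + 1]:
            suppressed += 1
    rules = {
        subject: [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                  for (g, r), v in sorted(grants.items())]
        for subject, grants in needed.items()
    }
    return rules, suppressed

# Constructed sample: the report's two denials, shortened, with a constructed
# namespace ("master-example") and one constructed repeat of the first denial.
_WHO = ('is forbidden: User "system:serviceaccount:master-example:'
        'cluster-network-operator" cannot patch resource')
_WHERE = 'in API group "monitoring.coreos.com" in the namespace "master-example"'
SAMPLE_LOG = "\n".join([
    f'I0307 16:55:14.238931 1 log.go:245] could not apply: {_WHO} "servicemonitors" {_WHERE}',
    f"I0307 16:55:14.238965 1 log.go:245] {IGNORED}",
    f'I0307 16:55:14.257649 1 log.go:245] could not apply: {_WHO} "prometheusrules" {_WHERE}',
    f"I0307 16:55:14.257683 1 log.go:245] {IGNORED}",
    f'I0307 16:58:14.238931 1 log.go:245] could not apply: {_WHO} "servicemonitors" {_WHERE}',
    f"I0307 16:58:14.238965 1 log.go:245] {IGNORED}",
])

if __name__ == "__main__":
    print(missing_rules(SAMPLE_LOG))
```

The rules it returns list only the verbs that were actually denied, which gives a least-privilege starting point to compare against whatever Role the operator's service account is bound to.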