OpenShift Bugs / OCPBUGS-60227

[release-4.19] Forbidden errors during ClusterOperators collection

    • Bug
    • Resolution: Done
    • Normal
    • 4.18.z
    • Insights Operator
    • Quality / Stability / Reliability
    • In Progress
    • Release Note Not Required

      This is a clone of issue OCPBUGS-52568. The following is the description of the original issue:

      Description of problem:

      RBAC forbidden errors are visible in the Kubernetes API Audit logs.

      oc adm node-logs --path=kube-apiserver/audit.log --raw -l node-role.kubernetes.io/master= 2>1 | jq -r 'select(.annotations["authorization.k8s.io/decision"] == "forbid" and .user.username=="system:serviceaccount:openshift-insights:operator") | .responseStatus.message' 
      
      dnsrecords.ingress.operator.openshift.io "default" is forbidden: User "system:serviceaccount:openshift-insights:gather" cannot get resource "dnsrecords" in API group "ingress.operator.openshift.io" in the namespace "openshift-ingress-operator"

      Note: Although one error is displayed here, the same error is shown for the operatorpkis.network.operator.openshift.io ovn, signer, and network-node-identity resources.

      The same forbidden errors are visible in the insights-operator pod.

      oc logs insights-operator-f6cff6f6d-fzzzx -n openshift-insights | grep 'gather_cluster_operators.go' | grep forbidden 
      
      I0306 22:06:40.504258 1 gather_cluster_operators.go:184] Unable to get dnsrecords.ingress.operator.openshift.io resource due to: dnsrecords.ingress.operator.openshift.io "default" is forbidden: User "system:serviceaccount:openshift-insights:gather" cannot get resource "dnsrecords" in API group "ingress.operator.openshift.io" in the namespace "openshift-ingress-operator"

      Version-Release number of selected component (if applicable):

      Tested in 4.18.3    

      How reproducible:

      Easily    

      Steps to Reproduce:

      This issue should be present by default in OpenShift 4.18 clusters with insights active.

      However, the following command can be used to reproduce the error on-demand.

      oc -n openshift-insights exec <insights-operator-pod> -- insights-operator gather --v 5 --config=/etc/insights-operator/server.yaml
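
A standard-library way to summarize these denials from the audit log, as an added example that is not part of the original report or of the Insights Operator code. It applies the same filter as the jq command above and groups the denials by resource; the sample events are constructed, `example-namespace` is a placeholder, and reading the denied account from `impersonatedUser` is an assumption about how the event was recorded.

```python
import json
from collections import Counter

DECISION = "authorization.k8s.io/decision"
OPERATOR = "system:serviceaccount:openshift-insights:operator"
GATHER = "system:serviceaccount:openshift-insights:gather"

def denied_access(lines, username=OPERATOR):
    """Count forbidden requests by (effective user, verb, apiGroup, resource, namespace, name)."""
    counts = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
            ann, user = ev.get("annotations") or {}, ev.get("user") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # stderr text, a truncated line, or a non-object JSON value
        if ann.get(DECISION) != "forbid" or user.get("username") != username:
            continue
        # Assumption: under impersonation the denied identity is impersonatedUser.
        who = (ev.get("impersonatedUser") or {}).get("username", username)
        ref = ev.get("objectRef") or {}
        key = (who, ev.get("verb", ""), ref.get("apiGroup", ""),
               ref.get("resource", ""), ref.get("namespace", ""), ref.get("name", ""))
        counts[key] += 1
    return counts

def make_event(decision, user, group, resource, namespace, name, impersonated=None):
    """Build one constructed audit.k8s.io/v1-style event as a JSON line."""
    ref = {"apiGroup": group, "resource": resource, "namespace": namespace, "name": name}
    ev = {"verb": "get", "user": {"username": user},
          "annotations": {DECISION: decision}, "objectRef": ref}
    if impersonated:
        ev["impersonatedUser"] = {"username": impersonated}
    return json.dumps(ev)

# Constructed sample input; "example-namespace" is a placeholder, not from the report.
INGRESS = ("ingress.operator.openshift.io", "dnsrecords", "openshift-ingress-operator", "default")
PKI = ("network.operator.openshift.io", "operatorpkis", "example-namespace", "ovn")
SAMPLE = [
    make_event("forbid", OPERATOR, *INGRESS, impersonated=GATHER),
    make_event("forbid", OPERATOR, *INGRESS, impersonated=GATHER),
    make_event("forbid", OPERATOR, *PKI, impersonated=GATHER),
    make_event("allow", OPERATOR, *INGRESS, impersonated=GATHER),
    make_event("forbid", "system:serviceaccount:example:other", *INGRESS),
    "error: unable to fetch logs from node (constructed stderr line)",
]

if __name__ == "__main__":
    print(*denied_access(SAMPLE).most_common(), sep="\n")
```

Each key in the result names one verb, resource and namespace that the service account was denied, which is the set to compare against its Role and ClusterRole bindings.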

              opokorny@redhat.com Ondrej Pokorny
              rhn-support-cuthayak Clark Uthayakumar
              Baiyang Zhou