Bug
Resolution: Done
Normal
4.18.z
Quality / Stability / Reliability
Release Note Not Required
This is a clone of issue OCPBUGS-52568. The following is the description of the original issue:
—
Description of problem:
RBAC forbidden errors are visible in the Kubernetes API Audit logs.
oc adm node-logs --path=kube-apiserver/audit.log --raw -l node-role.kubernetes.io/master= 2>1 | jq -r 'select(.annotations["authorization.k8s.io/decision"] == "forbid" and .user.username=="system:serviceaccount:openshift-insights:operator") | .responseStatus.message'
dnsrecords.ingress.operator.openshift.io "default" is forbidden: User "system:serviceaccount:openshift-insights:gather" cannot get resource "dnsrecords" in API group "ingress.operator.openshift.io" in the namespace "openshift-ingress-operator"
Note: Although one error is displayed here, the same error is shown for the operatorpkis.network.operator.openshift.io ovn, signer, and network-node-identity resources.
The same forbidden errors are visible in the insights-operator pod.
oc logs insights-operator-f6cff6f6d-fzzzx -n openshift-insights | grep 'gather_cluster_operators.go' | grep forbidden
I0306 22:06:40.504258 1 gather_cluster_operators.go:184] Unable to get dnsrecords.ingress.operator.openshift.io resource due to: dnsrecords.ingress.operator.openshift.io "default" is forbidden: User "system:serviceaccount:openshift-insights:gather" cannot get resource "dnsrecords" in API group "ingress.operator.openshift.io" in the namespace "openshift-ingress-operator"
Version-Release number of selected component (if applicable):
Tested in 4.18.3
How reproducible:
Easily
Steps to Reproduce:
This issue should be present by default in OpenShift 4.18 clusters with insights active.
However, the following command can be used to reproduce the error on-demand.
oc -n openshift-insights exec <insights-operator-pod> -- insights-operator gather --v 5 --config=/etc/insights-operator/server.yaml
- clones: OCPBUGS-52568 Forbidden errors during ClusterOperators collection (Verified)
- depends on: OCPBUGS-60227 [release-4.19] Forbidden errors during ClusterOperators collection (Closed)
- is blocked by: OCPBUGS-60227 [release-4.19] Forbidden errors during ClusterOperators collection (Closed)
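The audit-log check from the description, generalized into a summary of which requests were denied and how often. This is an added example, not code from the issue or from the insights-operator project. It assumes standard audit.k8s.io/v1 event fields (user, impersonatedUser, objectRef, annotations); the sample events, the example-namespace placeholder and the function names are constructed for illustration.

```python
import json
from collections import Counter

OPERATOR = "system:serviceaccount:openshift-insights:operator"
GATHER = "system:serviceaccount:openshift-insights:gather"

def sample_event(decision, resource, group, namespace, name):
    """Build one constructed audit.k8s.io/v1 event line (sample data, not real cluster output)."""
    return json.dumps({
        "verb": "get",
        "user": {"username": OPERATOR},
        "impersonatedUser": {"username": GATHER},
        "objectRef": {"resource": resource, "apiGroup": group,
                      "namespace": namespace, "name": name},
        "annotations": {"authorization.k8s.io/decision": decision},
    })

# Constructed input: two denials for the same object, one for another object,
# one allowed request, and one non-JSON line such as stderr mixed into the stream.
SAMPLE_LINES = [
    sample_event("forbid", "dnsrecords", "ingress.operator.openshift.io", "openshift-ingress-operator", "default"),
    sample_event("forbid", "dnsrecords", "ingress.operator.openshift.io", "openshift-ingress-operator", "default"),
    sample_event("forbid", "operatorpkis", "network.operator.openshift.io", "example-namespace", "ovn"),
    sample_event("allow", "clusteroperators", "config.openshift.io", "", "ingress"),
    "error: unable to reach node (constructed noise)",
]

def denied_requests(lines, account_prefix="system:serviceaccount:openshift-insights:"):
    """Count forbidden requests per (acting user, verb, apiGroup, resource, namespace, name)."""
    denied = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON audit event
        if not isinstance(event, dict):
            continue
        annotations = event.get("annotations") or {}
        if annotations.get("authorization.k8s.io/decision") != "forbid":
            continue
        caller = (event.get("user") or {}).get("username", "")
        # With impersonation, report impersonatedUser as the acting account instead of the caller.
        acting = (event.get("impersonatedUser") or {}).get("username", caller)
        if not (caller.startswith(account_prefix) or acting.startswith(account_prefix)):
            continue
        ref = event.get("objectRef") or {}
        key = (acting, event.get("verb", ""), ref.get("apiGroup", ""),
               ref.get("resource", ""), ref.get("namespace", ""), ref.get("name", ""))
        denied[key] += 1
    return denied
```

Each key in the result names one verb, resource and object that the acting account lacked permission for, which is the information needed to review the corresponding Role or ClusterRole.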