-
Bug
-
Resolution: Unresolved
-
Normal
-
4.16.z
-
Quality / Stability / Reliability
-
False
-
-
None
-
None
-
None
-
None
-
None
-
None
-
In Progress
-
Release Note Not Required
-
None
-
None
-
None
-
None
-
None
This is a clone of issue OCPBUGS-60939. The following is the description of the original issue:
—
Description of problem:
There are some forbidden errors appearing in the IO pod. We need to add the required permissions for these resources to avoid this kind of log.
Version-Release number of selected component (if applicable):
How reproducible:
View the IO pod logs, it would naturally exist this kind of forbidden error logs.
Steps to Reproduce:
1. View IO pod logs via oc logs <IO-pod> | grep forbidden
Actual results:
Current IO logs still have the following errors: W0827 07:27:44.647471 1 builder.go:272] unable to get owner reference (falling back to namespace): replicasets.apps "insights-operator-65774dc9b4" is forbidden: User "system:serviceaccount:openshift-insights:operator" cannot get resource "replicasets" in API group "apps" in the namespace "openshift-insights" E0827 07:27:45.173784 1 event.go:359] "Server rejected event (will not retry!)" err="events is forbidden: User \"system:serviceaccount:openshift-insights:operator\" cannot create resource \"events\" in API group \"\" in the namespace \"openshift-insights\"" event="&Event{ObjectMeta:{openshift-insights.185f8f0ce0d8649b openshift-insights 0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] [] []},InvolvedObject:ObjectReference{Kind:Namespace,Namespace:openshift-insights,Name:openshift-insights,UID:,APIVersion:v1,ResourceVersion:,FieldPath:,},Reason:FeatureGatesInitialized,Message:FeatureGates updated to featuregates.Features{Enabled:[]v1.FeatureGateName{\"AWSClusterHostedDNS\", \"AWSClusterHostedDNSInstall\", \"AWSDedicatedHosts\", \"AWSServiceLBNetworkSecurityGroup\", \"AdditionalRoutingCapabilities\", \"AdminNetworkPolicy\", \"AlibabaPlatform\", \"AutomatedEtcdBackup\", \"AzureClusterHostedDNSInstall\", \"AzureDedicatedHosts\", \"AzureMultiDisk\", \"AzureWorkloadIdentity\", \"BootcNodeManagement\", \"BuildCSIVolumes\", \"CPMSMachineNamePrefix\", \"ClusterAPIInstallIBMCloud\", \"ClusterMonitoringConfig\", \"ConsolePluginContentSecurityPolicy\", \"DNSNameResolver\", \"DualReplica\", \"DyanmicServiceEndpointIBMCloud\", \"DynamicResourceAllocation\", \"EtcdBackendQuota\", \"Example\", \"ExternalOIDC\", \"ExternalOIDCWithUIDAndExtraClaimMappings\", \"GCPClusterHostedDNS\", \"GCPClusterHostedDNSInstall\", \"GCPCustomAPIEndpoints\", \"GCPCustomAPIEndpointsInstall\", \"GatewayAPI\", \"GatewayAPIController\", \"HighlyAvailableArbiter\", \"ImageModeStatusReporting\", \"ImageStreamImportMode\", \"ImageVolume\", \"IngressControllerDynamicConfigurationManager\", \"IngressControllerLBSubnetsAWS\", \"InsightsConfig\", \"InsightsConfigAPI\", \"InsightsOnDemandDataGather\", \"InsightsRuntimeExtractor\", \"IrreconcilableMachineConfig\", \"KMSEncryptionProvider\", \"KMSv1\", \"MachineAPIMigration\", \"MachineConfigNodes\", \"ManagedBootImages\", \"ManagedBootImagesAWS\", \"ManagedBootImagesAzure\", \"ManagedBootImagesvSphere\", \"MaxUnavailableStatefulSet\", \"MetricsCollectionProfiles\", \"MinimumKubeletVersion\", \"MixedCPUsAllocation\", \"MultiDiskSetup\", \"MutatingAdmissionPolicy\", \"NetworkDiagnosticsConfig\", \"NetworkLiveMigration\", \"NetworkSegmentation\", \"NewOLM\", \"NewOLMCatalogdAPIV1Metas\", \"NewOLMOwnSingleNamespace\", \"NewOLMPreflightPermissionChecks\", \"NewOLMWebhookProviderOpenshiftServiceCA\", \"NodeSwap\", \"NutanixMultiSubnets\", \"OVNObservability\", \"OpenShiftPodSecurityAdmission\", \"PinnedImages\", \"PreconfiguredUDNAddresses\", \"ProcMountType\", \"RouteAdvertisements\", \"RouteExternalCertificate\", \"SELinuxMount\", \"ServiceAccountTokenNodeBinding\", \"SetEIPForNLBIngressController\", \"SignatureStores\", \"SigstoreImageVerification\", \"SigstoreImageVerificationPKI\", \"StoragePerformantSecurityPolicy\", \"TranslateStreamCloseWebsocketRequests\", \"UpgradeStatus\", \"UserNamespacesPodSecurityStandards\", \"UserNamespacesSupport\", \"VSphereConfigurableMaxAllowedBlockVolumesPerNode\", \"VSphereHostVMGroupZonal\", \"VSphereMultiDisk\", \"VSphereMultiNetworks\", \"VolumeAttributesClass\", \"VolumeGroupSnapshot\"}, Disabled:[]v1.FeatureGateName{\"BootImageSkewEnforcement\", \"ClusterAPIInstall\", \"ClusterVersionOperatorConfiguration\", \"EventedPLEG\", \"Example2\", \"ExternalSnapshotMetadata\", \"MachineAPIOperatorDisableMachineHealthCheckController\", \"MultiArchInstallAzure\", \"NoRegistryClusterOperations\", \"ShortCertRotation\", \"VSphereMixedNodeEnv\"}},Source:EventSource{Component:openshift-insights-operator,Host:,},FirstTimestamp:2025-08-27 07:27:45.172440219 +0000 UTC m=+0.570773082,LastTimestamp:2025-08-27 07:27:45.172440219 +0000 UTC m=+0.570773082,Count:1,Type:Normal,EventTime:0001-01-01 00:00:00 +0000 UTC,Series:nil,Action:,Related:nil,ReportingController:openshift-insights-operator,ReportingInstance:,}"
Expected results:
There should be no forbidden related logs.
Additional info:
- clones
-
OCPBUGS-60939 Forbidden errors in Insights Operator pod logs
-
- Verified
-
- is blocked by
-
OCPBUGS-60939 Forbidden errors in Insights Operator pod logs
-
- Verified
-
- is depended on by
-
OCPBUGS-61971 [release-4.19] Forbidden errors in Insights Operator pod logs
-
- Verified
-
- links to