Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-61845

[release-4.20]Forbidden errors in Insights Operator pod logs

XMLWordPrintable

    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • None
    • None
    • In Progress
    • Release Note Not Required
    • None
    • None
    • None
    • None
    • None

      This is a clone of issue OCPBUGS-60939. The following is the description of the original issue:

      Description of problem:

          There are some forbidden errors appearing in the IO pod. We need to add the required permissions for these resources to avoid this kind of log.

      Version-Release number of selected component (if applicable):

      How reproducible:

          View the IO pod logs, it would naturally exist this kind of forbidden error logs.

      Steps to Reproduce:

          1. View IO pod logs via oc logs <IO-pod> | grep forbidden

      Actual results:

      Current IO logs still have the following errors:    
W0827 07:27:44.647471       1 builder.go:272] unable to get owner reference (falling back to namespace): replicasets.apps "insights-operator-65774dc9b4" is forbidden: User "system:serviceaccount:openshift-insights:operator" cannot get resource "replicasets" in API group "apps" in the namespace "openshift-insights"
E0827 07:27:45.173784       1 event.go:359] "Server rejected event (will not retry!)" err="events is forbidden: User \"system:serviceaccount:openshift-insights:operator\" cannot create resource \"events\" in API group \"\" in the namespace \"openshift-insights\"" event="&Event{ObjectMeta:{openshift-insights.185f8f0ce0d8649b  openshift-insights    0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] [] []},InvolvedObject:ObjectReference{Kind:Namespace,Namespace:openshift-insights,Name:openshift-insights,UID:,APIVersion:v1,ResourceVersion:,FieldPath:,},Reason:FeatureGatesInitialized,Message:FeatureGates updated to featuregates.Features{Enabled:[]v1.FeatureGateName{\"AWSClusterHostedDNS\", \"AWSClusterHostedDNSInstall\", \"AWSDedicatedHosts\", \"AWSServiceLBNetworkSecurityGroup\", \"AdditionalRoutingCapabilities\", \"AdminNetworkPolicy\", \"AlibabaPlatform\", \"AutomatedEtcdBackup\", \"AzureClusterHostedDNSInstall\", \"AzureDedicatedHosts\", \"AzureMultiDisk\", \"AzureWorkloadIdentity\", \"BootcNodeManagement\", \"BuildCSIVolumes\", \"CPMSMachineNamePrefix\", \"ClusterAPIInstallIBMCloud\", \"ClusterMonitoringConfig\", \"ConsolePluginContentSecurityPolicy\", \"DNSNameResolver\", \"DualReplica\", \"DyanmicServiceEndpointIBMCloud\", \"DynamicResourceAllocation\", \"EtcdBackendQuota\", \"Example\", \"ExternalOIDC\", \"ExternalOIDCWithUIDAndExtraClaimMappings\", \"GCPClusterHostedDNS\", \"GCPClusterHostedDNSInstall\", \"GCPCustomAPIEndpoints\", \"GCPCustomAPIEndpointsInstall\", \"GatewayAPI\", \"GatewayAPIController\", \"HighlyAvailableArbiter\", \"ImageModeStatusReporting\", \"ImageStreamImportMode\", \"ImageVolume\", \"IngressControllerDynamicConfigurationManager\", \"IngressControllerLBSubnetsAWS\", \"InsightsConfig\", \"InsightsConfigAPI\", \"InsightsOnDemandDataGather\", \"InsightsRuntimeExtractor\", \"IrreconcilableMachineConfig\", \"KMSEncryptionProvider\", \"KMSv1\", \"MachineAPIMigration\", \"MachineConfigNodes\", \"ManagedBootImages\", \"ManagedBootImagesAWS\", \"ManagedBootImagesAzure\", \"ManagedBootImagesvSphere\", \"MaxUnavailableStatefulSet\", \"MetricsCollectionProfiles\", \"MinimumKubeletVersion\", \"MixedCPUsAllocation\", \"MultiDiskSetup\", \"MutatingAdmissionPolicy\", \"NetworkDiagnosticsConfig\", \"NetworkLiveMigration\", \"NetworkSegmentation\", \"NewOLM\", \"NewOLMCatalogdAPIV1Metas\", \"NewOLMOwnSingleNamespace\", \"NewOLMPreflightPermissionChecks\", \"NewOLMWebhookProviderOpenshiftServiceCA\", \"NodeSwap\", \"NutanixMultiSubnets\", \"OVNObservability\", \"OpenShiftPodSecurityAdmission\", \"PinnedImages\", \"PreconfiguredUDNAddresses\", \"ProcMountType\", \"RouteAdvertisements\", \"RouteExternalCertificate\", \"SELinuxMount\", \"ServiceAccountTokenNodeBinding\", \"SetEIPForNLBIngressController\", \"SignatureStores\", \"SigstoreImageVerification\", \"SigstoreImageVerificationPKI\", \"StoragePerformantSecurityPolicy\", \"TranslateStreamCloseWebsocketRequests\", \"UpgradeStatus\", \"UserNamespacesPodSecurityStandards\", \"UserNamespacesSupport\", \"VSphereConfigurableMaxAllowedBlockVolumesPerNode\", \"VSphereHostVMGroupZonal\", \"VSphereMultiDisk\", \"VSphereMultiNetworks\", \"VolumeAttributesClass\", \"VolumeGroupSnapshot\"}, Disabled:[]v1.FeatureGateName{\"BootImageSkewEnforcement\", \"ClusterAPIInstall\", \"ClusterVersionOperatorConfiguration\", \"EventedPLEG\", \"Example2\", \"ExternalSnapshotMetadata\", \"MachineAPIOperatorDisableMachineHealthCheckController\", \"MultiArchInstallAzure\", \"NoRegistryClusterOperations\", \"ShortCertRotation\", \"VSphereMixedNodeEnv\"}},Source:EventSource{Component:openshift-insights-operator,Host:,},FirstTimestamp:2025-08-27 07:27:45.172440219 +0000 UTC m=+0.570773082,LastTimestamp:2025-08-27 07:27:45.172440219 +0000 UTC m=+0.570773082,Count:1,Type:Normal,EventTime:0001-01-01 00:00:00 +0000 UTC,Series:nil,Action:,Related:nil,ReportingController:openshift-insights-operator,ReportingInstance:,}"

      Expected results:

          There should be no forbidden related logs.

      Additional info:

              opokorny@redhat.com Ondrej Pokorny
              rh-ee-bazhou Baiyang Zhou
              None
              None
              Baiyang Zhou Baiyang Zhou
              None
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated: