OpenShift Bugs / OCPBUGS-63598

[vsphere-problem-detector] CheckComputeClusterPermissions being tested when VMs are created in a Resource Pool instead of the vSphere cluster's root folder


    • Quality / Stability / Reliability
    • Low
    • In Progress
    • Bug Fix
    • Fixed an issue on vSphere where newer clusters using the newer cloud config (YAML) were not honoring the minimum read-only permissions for the ResourcePools that were provided for the cluster.

      Description of problem:

      Cluster is getting the following warning message from vsphere-problem-detector:
      CheckComputeClusterPermissions:<OCP_Node> failed: missing privileges for compute cluster <vSphere Cluster>: Resource.AssignVMToPool, VApp.AssignResourcePool, VApp.Import, VirtualMachine.Config.AddNewDisk
      
      According to the documentation, those permissions shouldn't need to be at the cluster level if you're not planning to have the VMs in the cluster root folder, and could be at the Resource Pool level instead.
      
      Taking a look at the code (https://github.com/openshift/vsphere-problem-detector/blob/3683c120278fb79a30340f66d22948aaddf3c16a/pkg/check/permissions.go#L64-L69), the check gets triggered independently of the cluster configuration.

      Version-Release number of selected component (if applicable):

      4.16.z with vCenter version 7.0.3

      How reproducible:

      The code linked hasn't changed in newer versions so potentially it affects newer versions as well.

      Steps to Reproduce:

          1. Have a vSphere instance on which to create a UPI OpenShift environment. It must have a Resource Pool where VMs will be created, with permissions: Resource.AssignVMToPool, VApp.AssignResourcePool, VApp.Import and VirtualMachine.Config.AddNewDisk at the Resource Pool level, and those permissions missing from the Cluster, as the documentation indicates is the case when not creating VMs at the cluster's root (https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/installing_on_vsphere/user-provisioned-infrastructure#installation-vsphere-installer-infra-requirements-account_upi-vsphere-installation-reqs).
          2. Create the cluster

      Actual results:

          vsphere-problem-detector is complaining about permissions not being at the vSphere cluster level, when the VMs are being created in a Resource Pool.

      Expected results:

          As the VMs are created in a Resource Pool, it should not report a misconfiguration according to the documentation.

      Additional info:

          - It is observed that the vsphere-problem-detector message reports different nodes each time it runs; writing it down just in case it could be relevant:
      $ oc logs vsphere-problem-detector-operator-795d4bcf6d-qf2rt
      [...]
      2025-10-22T14:03:26.444501597Z I1022 14:03:26.444077 1 vsphere_check.go:291] CheckComputeClusterPermissions:<infra-1-Node> failed: missing privileges for compute cluster <vSphere Cluster>: Resource.AssignVMToPool, VApp.AssignResourcePool, VApp.Import, VirtualMachine.Config.AddNewDisk
      [...]
      2025-10-22T14:05:27.918204730Z I1022 14:05:27.915855 1 vsphere_check.go:291] CheckComputeClusterPermissions:<worker-3-Node> failed: missing privileges for compute cluster <vSphere Cluster>: Resource.AssignVMToPool, VApp.AssignResourcePool, VApp.Import, VirtualMachine.Config.AddNewDisk
      [...]
      2025-10-22T14:17:35.641420984Z I1022 14:17:35.641397 1 vsphere_check.go:291] CheckComputeClusterPermissions:<infra-3-Node> failed: missing privileges for compute cluster <vSphere Cluster>: Resource.AssignVMToPool, VApp.AssignResourcePool, VApp.Import, VirtualMachine.Config.AddNewDisk  
      
          - A documentation bug, OCPBUGS-58380, was opened before by a different engineer to verify whether the current documentation is accurate, as it seems that a discrepancy could exist between the documentation and the code.
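
An added triage example, not part of the original report or of the vsphere-problem-detector code base: it parses failure lines in the format shown in the log excerpt above and marks a finding as PoolOnly when every missing privilege is one of the four the report says may be granted at the Resource Pool level. The sample lines, the node and cluster names, and the `Example.Other` privilege are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Privileges the report says may sit on the Resource Pool rather than the
// compute cluster when VMs are not created in the cluster root.
var poolScoped = map[string]bool{"Resource.AssignVMToPool": true,
	"VApp.AssignResourcePool": true, "VApp.Import": true,
	"VirtualMachine.Config.AddNewDisk": true}

// Matches the failure message format shown in the report's log excerpt.
var failRe = regexp.MustCompile(`(?m)CheckComputeClusterPermissions:(\S+) ` +
	`failed: missing privileges for compute cluster (.+?): (.+)$`)

// Finding is one parsed CheckComputeClusterPermissions failure.
type Finding struct {
	Node, Cluster string
	Missing       []string
	PoolOnly      bool // true when every missing privilege is pool-delegable
}

// Triage parses detector log text and classifies each failure line.
func Triage(logText string) []Finding {
	var out []Finding
	for _, m := range failRe.FindAllStringSubmatch(logText, -1) {
		f := Finding{Node: m[1], Cluster: m[2], PoolOnly: true}
		for _, p := range strings.Split(m[3], ",") {
			p = strings.TrimSpace(p)
			f.Missing = append(f.Missing, p)
			f.PoolOnly = f.PoolOnly && poolScoped[p]
		}
		out = append(out, f)
	}
	return out
}

// Constructed sample lines; names and Example.Other are placeholders.
const sample = `I1022 14:03:26.444077 1 vsphere_check.go:291] CheckComputeClusterPermissions:infra-1 failed: missing privileges for compute cluster cluster-a: Resource.AssignVMToPool, VApp.AssignResourcePool, VApp.Import, VirtualMachine.Config.AddNewDisk
I1022 14:05:27.915855 1 vsphere_check.go:291] CheckComputeClusterPermissions:worker-3 failed: missing privileges for compute cluster cluster-a: VApp.Import, Example.Other`

func main() {
	for _, f := range Triage(sample) {
		fmt.Printf("%s %s poolOnly=%v %v\n", f.Node, f.Cluster, f.PoolOnly, f.Missing)
	}
}
```

A PoolOnly finding matches the situation described in this report; a finding that lists any other privilege still needs review at the compute cluster level.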

       

              rhn-support-ngirard Neil Girard
              rhn-support-tdomingu Tomas Dominguez
              Rahul Deore Rahul Deore