Bug
Resolution: Unresolved
4.21
Quality / Stability / Reliability
Description of problem
While checking oc adm inspect clusteroperator output in CI, I noticed that many components install ClusterRoles via release image manifests, but fail to mention them in their ClusterOperator's relatedObjects. The olm ClusterOperator is one of these, with https://amd64.ocp.releases.ci.openshift.org/ > 4-dev-preview > 4.21.0-ec.2 > aws-ovn-serial-1of2 > Artifacts > inspected ClusterOperators:
$ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/periodic-ci-openshift-release-master-nightly-4.21-e2e-aws-ovn-serial-1of2/1980906989932253184/artifacts/e2e-aws-ovn-serial/gather-extra/artifacts/inspect/cluster-scoped-resources/config.openshift.io/clusteroperators/olm.yaml | yaml2json | jq -c '.status.relatedObjects[]' | grep clusterroles
{"group":"rbac.authorization.k8s.io","name":"catalogd-manager-role","resource":"clusterroles"}
{"group":"rbac.authorization.k8s.io","name":"catalogd-metrics-reader","resource":"clusterroles"}
{"group":"rbac.authorization.k8s.io","name":"catalogd-proxy-role","resource":"clusterroles"}
{"group":"rbac.authorization.k8s.io","name":"operator-controller-metrics-reader","resource":"clusterroles"}
{"group":"rbac.authorization.k8s.io","name":"operator-controller-proxy-role","resource":"clusterroles"}
{"group":"rbac.authorization.k8s.io","name":"operator-controller-clusterextension-viewer-role","resource":"clusterroles"}
{"group":"rbac.authorization.k8s.io","name":"operator-controller-manager-role","resource":"clusterroles"}
despite requesting a cluster-olm-operator ClusterRole. To facilitate the gathering of resources relevant to the component, the ClusterOperator's relatedObjects should be expanded to reference that ClusterRole, and any other resources that might be relevant to debugging the component, as described in the ClusterOperator docs. Note that some inspect lookup is implicit as part of a namespace reference, but that will obviously not pick up resources that are cluster scoped, like ClusterRole.
Version-Release number of selected component
Seen in 4.21.0-ec.2 CI. Likely applies to many other versions, but I have not audited.
How reproducible
Every time.
Steps to Reproduce
1. Install a cluster.
2. Inspect the ClusterOperator: oc adm inspect clusteroperator/olm.
3. Ensure all the resources relevant to debugging that component are present in the output.
Actual results
$ ls inspect.local.*/cluster-scoped-resources/rbac.authorization.k8s.io/clusterroles
catalogd-manager-role.yaml    operator-controller-clusterextension-editor-role.yaml  operator-controller-extension-viewer-role.yaml  operator-controller-proxy-role.yaml
catalogd-metrics-reader.yaml  operator-controller-clusterextension-viewer-role.yaml  operator-controller-manager-role.yaml
catalogd-proxy-role.yaml      operator-controller-extension-editor-role.yaml         operator-controller-metrics-reader.yaml
Expected results
cluster-scoped-resources/rbac.authorization.k8s.io/clusterroles/cluster-olm-operator.yaml should be collected, along with any other cluster-scoped resources which would be useful for debugging the component.
Additional info
In addition to expanding relatedObjects in your reconciled ClusterOperator status (likely Go code in your controller), you may want to extend the entries in your ClusterOperator release image manifest. Definitely expand the manifest if you think you might need the resource collected to debug "why is my Go controller failing to update ClusterOperator status.relatedObjects?", so the CVO can put that entry in place if your operator fails to install.
clones OCPBUGS-65469 cloud-controller-manager ClusterOperator relatedObjects missing ClusterRole
POST
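As an added example (not part of the original report, and not OLM or CVO code), the audit described above can be scripted: the Python below compares the cluster-scoped objects a component's manifests install against the ClusterOperator's status.relatedObjects and returns the entries that are missing. The sample data is constructed; only the ClusterRole names come from the report, and the kind-to-resource table is an assumption to extend as needed.

```python
import json

# Constructed sample shaped like `oc get clusteroperator olm -o json`, trimmed
# to status.relatedObjects. The two ClusterRole names appear in the report;
# the namespace name is a placeholder.
CLUSTER_OPERATOR = json.loads("""
{"status": {"relatedObjects": [
  {"group": "", "resource": "namespaces", "name": "example-namespace"},
  {"group": "rbac.authorization.k8s.io", "resource": "clusterroles",
   "name": "catalogd-manager-role"},
  {"group": "rbac.authorization.k8s.io", "resource": "clusterroles",
   "name": "operator-controller-manager-role"}
]}}
""")

# Constructed stand-ins for the component's release image manifests. Only the
# cluster-olm-operator ClusterRole is taken from the report; the rest is made up.
MANIFESTS = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "cluster-olm-operator"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "example-binding"}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "example-operator", "namespace": "example-namespace"}},
]

# Kind -> plural resource for the cluster-scoped kinds audited here (assumption).
CLUSTER_SCOPED = {"ClusterRole": "clusterroles",
                  "ClusterRoleBinding": "clusterrolebindings",
                  "CustomResourceDefinition": "customresourcedefinitions"}

def missing_related_objects(cluster_operator, manifests):
    """Return relatedObjects entries for cluster-scoped manifests not yet listed."""
    listed = {(o.get("group", ""), o["resource"], o["name"])
              for o in cluster_operator.get("status", {}).get("relatedObjects", [])
              if not o.get("namespace")}
    missing = []
    for m in manifests:
        resource = CLUSTER_SCOPED.get(m.get("kind"))
        if resource is None or m["metadata"].get("namespace"):
            continue  # namespaced objects are left to the namespace reference
        group = m["apiVersion"].rpartition("/")[0]  # "" for the core group
        key = (group, resource, m["metadata"]["name"])
        if key not in listed:
            missing.append({"group": group, "resource": resource, "name": key[2]})
    return sorted(missing, key=lambda o: (o["resource"], o["name"]))

if __name__ == "__main__":
    print(json.dumps(missing_related_objects(CLUSTER_OPERATOR, MANIFESTS), indent=2))
```

The returned entries have the same shape as relatedObjects items, so they can be reviewed against the operator's status code and its ClusterOperator manifest.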