OCPBUGS-73954

[release 4.19] Backport volumeattachments RBAC permissions to cluster-autoscaler ClusterRole in 4.19.z


    • Bug
    • Resolution: Unresolved
    • 4.19.z
    • Cluster Autoscaler
    • In Progress
    • Bug Fix
      Previously the Cluster Autoscaler did not have RBAC permissions for VolumeAttachments which causes a problem on upgrade due to changes in the Cluster Autoscaler requiring those permissions. Now the Cluster Autoscaler is deployed with proper permissions for VolumeAttachments.

      Description of problem:

      Cluster-autoscaler in OpenShift 4.19.17 is missing RBAC permissions for volumeattachments, causing errors:

      ```
      failed to list *v1.VolumeAttachment: volumeattachments.storage.k8s.io is forbidden: 
          User "system:serviceaccount:openshift-machine-api:cluster-autoscaler" cannot list 
          resource "volumeattachments" in API group "storage.k8s.io" at the cluster scope
      ```
      
      
      Fix was merged to main in commit eb9d8e9 (Aug 21, 2025) and included in AUTOSCALE-244 for OpenShift 4.20, but never backported to 4.19 release branch.
      https://github.com/openshift/cluster-autoscaler-operator/commit/eb9d8e95aea25c6235a20fd5522d77856b294552
      
       References:
        - Upstream: kubernetes/autoscaler#7663
        - OpenShift PR: openshift/cluster-autoscaler-operator#351
        - OpenShift JIRA: AUTOSCALE-244 (4.20 only)
        - Commit: eb9d8e95aea25c6235a20fd5522d77856b294552
      
      Workaround is not working as patching the clusterrole gets overwritten, so the error comes back after a while.

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          

      Steps to Reproduce:

       1. Deploy OpenShift 4.19.x cluster with cluster-autoscaler enabled
       2. Check cluster-autoscaler pod logs in openshift-machine-api namespace
       3. Observe volumeattachment permission errors

      Actual results:

          

      Expected results:

          

      Additional info:

          

              mimccune@redhat.com Michael McCune
              abdullahsikder Abdullah Sikder
              Paul Rozehnal Paul Rozehnal
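
The check behind the "forbidden" error in this report can be reproduced offline. The following is an added example, not part of the report and not code from cluster-autoscaler-operator: it evaluates ClusterRole rules the way Kubernetes RBAC matches a request and lists the required permissions that no rule grants. The two ClusterRole bodies, the `make_role` helper and the `watch` requirement are assumptions made for illustration.

```python
# Added example: a minimal evaluator for Kubernetes RBAC resource rules.
# BEFORE and AFTER are constructed ClusterRole bodies, not the operator's manifests.

def _matches(values, wanted):
    """RBAC list match: '*' is the wildcard for verbs, apiGroups and resources."""
    return "*" in values or wanted in values

def rule_allows(rule, verb, api_group, resource, name=""):
    """True if one PolicyRule grants `verb` on `resource` in `api_group`."""
    names = rule.get("resourceNames") or []
    return (_matches(rule.get("verbs", []), verb)
            and _matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            # A name-restricted rule never satisfies an unnamed request such as list.
            and (not names or name in names))

def missing_permissions(role, required):
    """Return the (verb, apiGroup, resource) tuples that no rule in `role` grants."""
    rules = role.get("rules") or []
    return [req for req in required
            if not any(rule_allows(r, *req) for r in rules)]

# Taken from the error in the report: list on volumeattachments in storage.k8s.io.
# "watch" is an assumption (informers list and then watch the same resource).
REQUIRED = [("list", "storage.k8s.io", "volumeattachments"),
            ("watch", "storage.k8s.io", "volumeattachments")]

def make_role(storage_resources):
    """Build a constructed ClusterRole with one storage.k8s.io read-only rule."""
    return {"kind": "ClusterRole", "metadata": {"name": "cluster-autoscaler"},
            "rules": [
                {"apiGroups": [""], "resources": ["nodes", "pods"],
                 "verbs": ["get", "list", "watch"]},
                {"apiGroups": ["storage.k8s.io"], "resources": storage_resources,
                 "verbs": ["get", "list", "watch"]}]}

BEFORE = make_role(["storageclasses", "csinodes"])                       # constructed
AFTER = make_role(["storageclasses", "csinodes", "volumeattachments"])   # constructed

if __name__ == "__main__":
    for label, role in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", missing_permissions(role, REQUIRED))
```

On a live cluster the same question can be put to the API server with `oc auth can-i list volumeattachments.storage.k8s.io --as=system:serviceaccount:openshift-machine-api:cluster-autoscaler`.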