Bug
-
Resolution: Done-Errata
-
Blocker
-
rhos-18.0.0
Critical
The controllers of the service operators create a ServiceAccount in the respective service namespace, which is used to run the service pods. Starting with OCP 4.16, the reconciler no longer updates that ServiceAccount but patches it, so the operator's own ServiceAccount (the RBAC subject in the error below) now needs the `patch` verb on `serviceaccounts` in the target namespace.
Observed error:
ovncontroller False ServiceAccount error occurred Error creating service account ovncontroller-ovncontroller *v1.ServiceAccount openstack/ovncontroller-ovncontroller: serviceaccounts "ovncontroller-ovncontroller" is forbidden: User "system:serviceaccount:openstack-operators:ovn-operator-controller-manager" cannot patch resource "serviceaccounts" in API group "" in the namespace "openstack"
The RBAC markers in the service operators currently grant get/list/watch/create/update on the serviceaccounts resource but not patch (the only exception is openstackclient_controller.go, which already has it):
$ grep -R resources=serviceaccounts *
barbican-operator/controllers/barbican_controller.go://+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
cinder-operator/controllers/cinder_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
designate-operator/controllers/designate_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
glance-operator/controllers/glance_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
heat-operator/controllers/heat_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
horizon-operator/controllers/horizon_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
infra-operator/controllers/memcached/memcached_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
infra-operator/controllers/network/dnsmasq_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
infra-operator/controllers/instanceha/instanceha_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
ironic-operator/controllers/ironic_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
ironic-operator/controllers/ironicapi_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
ironic-operator/controllers/ironicinspector_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
ironic-operator/controllers/ironicneutronagent_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
ironic-operator/controllers/ironicconductor_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
keystone-operator/controllers/keystoneapi_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
manila-operator/controllers/manila_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
mariadb-operator/controllers/galera_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
neutron-operator/controllers/neutronapi_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
nova-operator/controllers/nova_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
octavia-operator/controllers/amphoracontroller_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
octavia-operator/controllers/octavia_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
openstack-baremetal-operator/controllers/openstackprovisionserver_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
openstack-operator/controllers/client/openstackclient_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
openstack-operator/controllers/dataplane/openstackdataplanenodeset_controller.go://+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
ovn-operator/controllers/ovncontroller_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
ovn-operator/controllers/ovndbcluster_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
ovn-operator/controllers/ovnnorthd_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
placement-operator/controllers/placementapi_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
swift-operator/controllers/swift_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
telemetry-operator/controllers/autoscaling_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
telemetry-operator/controllers/ceilometer_controller.go:// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
Each of these markers needs to grant `patch` as well (the generated Role/ClusterRole manifests and the operator bundle are derived from these markers, so they must be regenerated after the change):
// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
Let's add `patch` to every RBAC rule that already grants `update` today, so that any other resource the reconcilers switch from update to patch does not hit the same failure. From a least-privilege standpoint this does not widen what the operator can do: a subject allowed to `update` a resource can already write any field a `patch` could, so granting `patch` alongside `update` adds no new capability — it only changes which API verb the existing write access is exercised through. Rules that grant only get/list/watch are intentionally left untouched. The rules still lacking `patch` can be listed with:
$ grep -E -R -e "kubebuilder:rbac.*update" . | grep -v patch