Uploaded image for project: 'OpenShift Service Mesh'
  1. OpenShift Service Mesh
  2. OSSM-100

elasticsearch-proxy clusterrolebinding has been overwritten as istio-system elasticsearch even though openshif-logging elasticsearch is configured that.

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • OSSM 1.1.0
    • OSSM GA
    • Tracing
    • None
    • Service Mesh 1.1.0

      If openshift-logging is running on the OCP4.1, Jager which is configured by "template: production-elasticsearch" would replace namespace "openshift-logging" with "istio-system" in elasticsearch-proxy ClusterRoleBinding subjects section.

        apiVersion: maistra.io/v1
  kind: ServiceMeshControlPlane
  spec:     istio:       tracing:         jaeger:           template: production-elasticsearch
          elasticsearch:             nodeCount: 3
            redundancyPolicy:             resources:               requests:                 memory: "16Gi"
                cpu: "1"
              limits:                 memory: "16Gi"

      Before installing Service Mesh,

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:   creationTimestamp: "2019-10-07T05:49:31Z"
  name: elasticsearch-proxy
  ownerReferences:   - apiVersion: logging.openshift.io/v1
    controller: true
    kind: Elasticsearch
    name: elasticsearch
...
roleRef:   apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: elasticsearch-proxy
subjects: - kind: ServiceAccount
  name: elasticsearch
  namespace: openshift-logging

      After Installing Jager with elasticsearch

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:   creationTimestamp: "2019-10-07T05:49:31Z"
  name: elasticsearch-proxy
  ownerReferences:   - apiVersion: logging.openshift.io/v1
    controller: true
    kind: Elasticsearch
    name: elasticsearch
...
roleRef:   apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: elasticsearch-proxy
subjects: - kind: ServiceAccount
  name: elasticsearch
  namespace: istio-system

      This issue is a root cause of following elasticsearch error in openshift-logging.

      Unable to find source-code formatter for language: shell. Available languages are: actionscript, ada, applescript, bash, c, c#, c++, cpp, css, erlang, go, groovy, haskell, html, java, javascript, js, json, lua, none, nyan, objc, perl, php, python, r, rainbow, ruby, scala, sh, sql, swift, visualbasic, xml, yaml
      2019/10/04 12:35:22 oauthproxy.go:782: 10.0.1.11:36836 tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-logging:elasticsearch" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope

              ploffay@redhat.com Pavol Loffay
              rhn-support-dapark Daein Park
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: