Bug
Resolution: Done
openshift-4.22
Description of problem:
File assets/components/ovn/common/role.yaml contains two roles: openshift-ovn-kubernetes-node and openshift-ovn-kubernetes-sbdb, but `oc get roles -n openshift-ovn-kubernetes` returns only the first one: openshift-ovn-kubernetes-node.

Same problem for:
- assets/components/ovn/common/rolebinding.yaml
- assets/components/ovn/common/clusterrole.yaml
- assets/components/ovn/common/clusterrolebinding.yaml
- assets/components/csi-snapshot-controller/05_operand_rbac.yaml

```
$ grep 'metadata:' -A1 assets/components/csi-snapshot-controller/05_operand_rbac.yaml | grep 'name:'
name: openshift-csi-snapshot-controller-runner
name: openshift-csi-snapshot-controller-role
name: csi-snapshot-controller-leaderelection
$ oc get clusterrole | grep csi-snapshot-controller
openshift-csi-snapshot-controller-runner 2026-02-06T13:51:55Z
```
Version-Release number of selected component (if applicable):
How reproducible:
100%
Steps to Reproduce:
1. Deploy MicroShift
2. List (cluster) roles and (cluster) role bindings
3. Compare with the assets in repo
Actual results:
Missing objects
Expected results:
All objects present in API
Additional info:
I have no idea why OVN-K works without RBAC... OVN-K master Pod uses `ovn-kubernetes-controller` ServiceAccount which is bound to `openshift-ovn-kubernetes-controller` ClusterRole and it provides privileges to access a lot of APIs like namespaces, nodes, pods, etc... But yet namespaces, nodes, and pods are getting annotations from ovnk. Perhaps it's the CNI binary and it has some super kubeconfig?

Initial ideas for solving:
- Easy fix is: split the files.
- We should also investigate `resourceHandlerV2` in pkg/assets/handler.go - perhaps it handles things better.
- Another thing: if OVNK works, maybe they're not needed?
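
An added check, not part of the original report or the MicroShift code base: it lists every object declared in a manifest and reports those absent from an `oc get <kind> -o name` listing, automating step 3 of the reproduction. It assumes the asset files separate objects with `---`; the sample manifest and the listing are constructed, with only the Role names taken from the report.

```python
import re

# Constructed sample shaped like the report's role.yaml: two Roles in one file.
# The '---' separator and the rules are assumptions; only the names come from the report.
SAMPLE_ASSET = """\
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: openshift-ovn-kubernetes-node
  namespace: openshift-ovn-kubernetes
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: openshift-ovn-kubernetes-sbdb
  namespace: openshift-ovn-kubernetes
rules:
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get"]
"""

def objects_in_manifest(text):
    """Return (kind, name) for every YAML document in a multi-document manifest."""
    found = []
    for doc in re.split(r"(?m)^---[ \t]*$", text):
        kind = re.search(r"(?m)^kind:\s*(\S+)", doc)
        # First indented 'name:' line under the top-level 'metadata:' key.
        name = re.search(r"(?m)^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:\s*(\S+)", doc)
        if kind and name:
            found.append((kind.group(1), name.group(1)))
    return found

def names_from_oc_output(output):
    """Parse `oc get <kind> -o name` lines such as 'role.rbac.authorization.k8s.io/foo'."""
    return {line.rsplit("/", 1)[-1] for line in output.split()}

def missing_from_cluster(manifest_text, live_names):
    """Objects declared in the manifest whose names are absent from the API listing."""
    return [(k, n) for k, n in objects_in_manifest(manifest_text) if n not in live_names]

if __name__ == "__main__":
    # Constructed listing matching what the report observed: only the first Role exists.
    live = names_from_oc_output("role.rbac.authorization.k8s.io/openshift-ovn-kubernetes-node\n")
    for kind, name in missing_from_cluster(SAMPLE_ASSET, live):
        print(f"MISSING {kind}/{name}")
```

Run against the real asset files and live listings, a non-empty result means RBAC objects declared in the repo were never created in the API.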