Bug 1579275

Summary: csi-attacher and csi-provisioner containers report: "system:serviceaccount:csi:cinder-csi" cannot create events in the namespace
Product: OpenShift Container Platform Reporter: Qin Ping <piqin>
Component: StorageAssignee: Jan Safranek <jsafrane>
Status: CLOSED ERRATA QA Contact: Jianwei Hou <jhou>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.10.0CC: aos-bugs, aos-storage-staff
Target Milestone: ---   
Target Release: 3.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-30 19:15:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Qin Ping 2018-05-17 09:39:53 UTC 
Description of problem:
csi-attacher and csi-provisioner containers report: "system:serviceaccount:csi:cinder-csi" cannot create events in the namespace

Version-Release number of selected component (if applicable):
oc v3.10.0-0.47.0
openshift v3.10.0-0.47.0
kubernetes v1.10.0+b81c8f8
csi-provisioner-0.2.0-1.el7.x86_64
csi-attacher-0.2.0-3.git27299be.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Deploy csi per https://github.com/openshift/openshift-docs/pull/8783/files
2. Create a new project "mytest"
3. Create a dynamic provisioning PVC
4. Create a Pod using the PVC
5. Check csi-attacher and csi-provisioner container logs

Actual results:
E0517 07:49:39.966624       1 event.go:200] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"pvc1.152f5f1db90cc896", GenerateName:"", Namespace:"mytest", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Initializers:(*v1.Initializers)(nil), Finalizers:[]string(nil), ClusterName:""}, InvolvedObject:v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"mytest", Name:"pvc1", UID:"bc075a46-59a6-11e8-9901-fa163ef2534f", APIVersion:"v1", ResourceVersion:"42525", FieldPath:""}, Reason:"ProvisioningSucceeded", Message:"Successfully provisioned volume kubernetes-dynamic-pv-d91f2ede59a611e8", Source:v1.EventSource{Component:"csi-cinderplugin 619359df-59a6-11e8-a764-0a580a810143", Host:""}, FirstTimestamp:v1.Time{Time:time.Time{wall:0xbeb76ae4f987ca96, ext:205054979646, loc:(*time.Location)(0x1b2aa40)}}, LastTimestamp:v1.Time{Time:time.Time{wall:0xbeb76ae4f987ca96, ext:205054979646, loc:(*time.Location)(0x1b2aa40)}}, Count:1, Type:"Normal", EventTime:v1.MicroTime{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:csi:cinder-csi" cannot create events in the namespace "mytest": User "system:serviceaccount:csi:cinder-csi" cannot create events in project "mytest"' (will not retry!)

E0517 07:45:53.676772       1 event.go:200] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"external-attacher-leader-csi-cinderplugin.152f5ee909029a7c", GenerateName:"", Namespace:"csi", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Initializers:(*v1.Initializers)(nil), Finalizers:[]string(nil), ClusterName:""}, InvolvedObject:v1.ObjectReference{Kind:"ConfigMap", Namespace:"csi", Name:"external-attacher-leader-csi-cinderplugin", UID:"5397eb9e-59a6-11e8-9901-fa163ef2534f", APIVersion:"v1", ResourceVersion:"42033", FieldPath:""}, Reason:"LeaderElection", Message:"cinder-csi-controller-7cf6599796-vp6lw became leader", Source:v1.EventSource{Component:"external-attacher-leader-csi-cinderplugin cinder-csi-controller-7cf6599796-vp6lw", Host:""}, FirstTimestamp:v1.Time{Time:time.Time{wall:0xbeb76aac6823f07c, ext:5334588587, loc:(*time.Location)(0x1ba07a0)}}, LastTimestamp:v1.Time{Time:time.Time{wall:0xbeb76aac6823f07c, ext:5334588587, loc:(*time.Location)(0x1ba07a0)}}, Count:1, Type:"Normal", EventTime:v1.MicroTime{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events is forbidden: User "system:serviceaccount:csi:cinder-csi" cannot create events in the namespace "csi": User "system:serviceaccount:csi:cinder-csi" cannot create events in project "csi"' (will not retry!)


Expected results:

Master Log:

Node Log (of failed PODs):

PV Dump:

PVC Dump:

StorageClass Dump (if StorageClass used by PV/PVC):

Additional info:
Comment 1 Jan Safranek 2018-05-21 13:06:22 UTC 
Good catch, I updated the documentation in https://github.com/openshift/openshift-docs/pull/8783

I'm moving it to ON_QA - there is no code change, just the documentation update.
Comment 2 Qin Ping 2018-05-23 02:05:21 UTC 
The doc PR LGTM.
Comment 4 errata-xmlrpc 2018-07-30 19:15:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816