Bug 1812677
| Summary: | RBAC permissions missing for controller when installed in an openshift 3.x environment | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Erik Nelson <ernelson> |
| Component: | Migration Tooling | Assignee: | Jason Montleon <jmontleo> |
| Status: | CLOSED ERRATA | QA Contact: | Xin jiang <xjiang> |
| Severity: | unspecified | | |
| Priority: | unspecified | | |
| Version: | 4.3.z | CC: | jmatthew, jmontleo, sregidor |
| Target Release: | 4.4.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| : | 1812713 | | |
| Last Closed: | 2020-05-28 11:09:55 UTC | Type: | Bug |
| Bug Blocks: | 1812713 | | |
Should be able to fix this for 1.1.2 z-stream. It should be a quick fix, looks like some rbac changes were left off the ansible role for non-olm installs.

Should be fixed with: https://github.com/konveyor/mig-operator/commit/6496211ccf88e8326143b48debc41a234c223f24

Verified using CAM 1.2 stage

3.9 (controller) -> 4.3

openshift-migration-rhel7-operator@sha256:6afd508558cdbfdfa05b46d0d02c46af59404a1f2bfd09c3272bbcf41900996d

Migrations could be executed without errors, with and without PVCs. There was no problem regarding PVC discovering either.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:2326
Description of problem:

The controller is missing RBAC privileges when attempting to run PV discovery while installed in a 3.x cluster.

On MigPlan:

    - category: Critical
      lastTransitionTime: "2020-03-11T17:24:51Z"
      message: 'Reconcile failed: [customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:openshift-migration:migration-controller" cannot list customresourcedefinitions.apiextensions.k8s.io at the cluster scope: no RBAC policy matched]. See controller logs for details.'
      status: "True"
      type: ReconcileFailed

How reproducible: Every time

Steps to Reproduce:

1. Install CAM operator on 3.x, but switch on controller and ui in the MigrationController so that it is acting as the control cluster. (Also make sure to set the API server value as explained in the comment: https://github.com/konveyor/mig-operator/blob/master/deploy/non-olm/v1.1.0/controller-3.yml#L14)
2. Configure a 4.x cluster as a 2nd target cluster, configure a replication repo
3. Create a plan and select a namespace with a workload to migrate.
4. PV discovery times out, oc get migplan <name> will show the permission issue seen above.

It's missing from the operator's mig_rbac template, so it's never created. This is only seen when trying to use a 3.x cluster as a controller, because the permissions in the RBAC of a CSV installed via OLM have the correct permissions. The RBAC that has to be created outside of OLM is out of sync and missing these permissions.

End result is that you cannot drive a migration from a 3.x cluster.
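The drift described above, where the RBAC created outside OLM falls behind what the CSV grants, can be checked mechanically before a release. The following is an added example, not code from mig-operator or from this bug report: the rule sets are constructed sample data, the function names are hypothetical, and it compares only apiGroups, resources and verbs (not resourceNames or nonResourceURLs).

```python
# Added example: report permissions an OLM CSV grants that a hand-maintained
# (non-OLM) ClusterRole does not. All rule data is constructed for illustration.

def expand(rules):
    """Flatten Kubernetes PolicyRules into (apiGroup, resource, verb) triples."""
    return {
        (group, resource, verb)
        for rule in rules
        for group in rule.get("apiGroups", [""])
        for resource in rule.get("resources", [])
        for verb in rule.get("verbs", [])
    }

def covered(triple, granted):
    """True if some granted triple matches, honouring '*' in any position."""
    return any(
        all(g in ("*", want) for g, want in zip(grant, triple))
        for grant in granted
    )

def missing_permissions(csv_rules, template_rules):
    """Triples granted by the CSV but not by the non-OLM template, sorted."""
    granted = expand(template_rules)
    return sorted(t for t in expand(csv_rules) if not covered(t, granted))

# Constructed sample: rules as they would appear under
# spec.install.spec.clusterPermissions[].rules in a CSV ...
CSV_RULES = [
    {"apiGroups": ["migration.openshift.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["apiextensions.k8s.io"],
     "resources": ["customresourcedefinitions"],
     "verbs": ["get", "list", "watch"]},
]
# ... and in the ClusterRole rendered by the non-OLM install path.
TEMPLATE_RULES = [
    {"apiGroups": ["migration.openshift.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["apiextensions.k8s.io"],
     "resources": ["customresourcedefinitions"],
     "verbs": ["get"]},
]

if __name__ == "__main__":
    for group, resource, verb in missing_permissions(CSV_RULES, TEMPLATE_RULES):
        print(f"non-OLM role lacks: {verb} {resource}.{group}")
```

On a live cluster, `oc auth can-i list customresourcedefinitions.apiextensions.k8s.io --as=system:serviceaccount:openshift-migration:migration-controller` answers the same question for the single permission named in the MigPlan condition.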