Bug 1812680

Summary: [4.5] Incorrect RBAC for Whereabouts should be updated to ippools.whereabouts.cni.cncf.io
Product: OpenShift Container Platform Reporter: Douglas Smith <dosmith>
Component: NetworkingAssignee: Douglas Smith <dosmith>
Networking sub component: multus QA Contact: Weibin Liang <weliang>
Status: CLOSED ERRATA Docs Contact:
Severity: unspecified    
Priority: unspecified CC: weliang
Version: 4.5   
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1812678 Environment:
Last Closed: 2020-08-04 18:04:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1812678    

Description Douglas Smith 2020-03-11 20:23:49 UTC 
+++ This bug was initially created as a clone of Bug #1812678 +++

+++ This bug was initially created as a clone of Bug #1812676 +++

Description of problem: The RBAC for the ippools.whereabouts.cni.cncf.io for whereabouts IPAM CNI is incorrect.


Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce: Use whereabouts IPAM CNI

Actual results:

```
  Warning  FailedCreatePodSandBox  6s         kubelet, ip-10-0-136-158.us-west-2.compute.internal  Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_samplepod_openshift-multus_37058433-2564-42f2-aa91-d1b11f4c8bb5_0(7f6354c73261945d7d3c29aad3dd48b94aec7248d92b4650ea8554cc14755153): Multus: [openshift-multus/samplepod]: error adding container to network "whereaboutsexample": delegateAdd: error invoking DelegateAdd - "macvlan": error in getting result from AddNetwork: Error assigning IP: ippools.whereabouts.cni.cncf.io is forbidden: User "system:serviceaccount:openshift-multus:multus" cannot list resource "ippools" in API group "whereabouts.cni.cncf.io" in the namespace "openshift-multus"

```


Expected results: No error.


Additional info: This is the offending line @ https://github.com/openshift/cluster-network-operator/pull/526/files#diff-44eeae854395120fe566c1e3ddd5429bR88

This was found while diagnosing https://bugzilla.redhat.com/show_bug.cgi?id=1812245 which is also related to the change of CRD namespace for Whereabouts IPAM CNI.
Comment 1 Douglas Smith 2020-03-30 20:36:21 UTC 
Modified in 4.5 @ https://github.com/openshift/cluster-network-operator/pull/527
Comment 2 Weibin Liang 2020-03-31 15:20:16 UTC 
Tested and verified in 4.5.0-0.nightly-2020-03-30-182417:

[weliang@weliang FILE]$ oc rsh pod-macvlan-bridge-whereabouts1
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth0@if19: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 8951 qdisc noqueue state UP 
    link/ether 0a:58:0a:81:02:0e brd ff:ff:ff:ff:ff:ff
    inet 10.129.2.14/23 brd 10.129.3.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::fc61:4eff:fe57:1a0a/64 scope link 
       valid_lft forever preferred_lft forever
4: net1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 9001 qdisc noqueue state UP 
    link/ether e6:ae:c7:68:84:a6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.226/28 brd 192.168.2.239 scope global net1
       valid_lft forever preferred_lft forever
    inet6 fe80::e4ae:c7ff:fe68:84a6/64 scope link 
       valid_lft forever preferred_lft forever
Comment 5 errata-xmlrpc 2020-08-04 18:04:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5 image release advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409