Bug 1832830
| Summary: | "cannot create resource subjectaccessreviews/tokenreviews at the cluster scope" error info in alertmanager pod's alertmanager-proxy container logs | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Junqi Zhao <juzhao> |
| Component: | Monitoring | Assignee: | Simon Pasquier <spasquie> |
| Status: | CLOSED DUPLICATE | QA Contact: | Junqi Zhao <juzhao> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 4.5 | CC: | alegrand, anpicker, erooth, kakkoyun, lcosic, mloibl, pkrupa, spasquie, surbania |
| Target Milestone: | --- | Keywords: | Regression, Reopened |
| Target Release: | 4.5.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-05-20 15:44:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Junqi Zhao
2020-05-07 10:56:11 UTC
reproduced with 4.5.0-0.nightly-2020-05-18-225907 # oc -n openshift-monitoring logs alertmanager-main-0 -c alertmanager-proxy 2020/05/19 23:40:27 provider.go:118: Defaulting client-id to system:serviceaccount:openshift-monitoring:alertmanager-main 2020/05/19 23:40:27 provider.go:123: Defaulting client-secret to service account token /var/run/secrets/kubernetes.io/serviceaccount/token 2020/05/19 23:40:27 provider.go:312: Delegation of authentication and authorization to OpenShift is enabled for bearer tokens and client certificates. 2020/05/19 23:40:27 oauthproxy.go:200: mapping path "/" => upstream "http://localhost:9093/" 2020/05/19 23:40:27 oauthproxy.go:221: compiled skip-auth-regex => "^/metrics" 2020/05/19 23:40:27 oauthproxy.go:227: OAuthProxy configured for Client ID: system:serviceaccount:openshift-monitoring:alertmanager-main 2020/05/19 23:40:27 oauthproxy.go:237: Cookie settings: name:_oauth_proxy secure(https):true httponly:true expiry:168h0m0s domain:<default> refresh:disabled 2020/05/19 23:40:27 http.go:107: HTTPS: listening on [::]:9095 I0519 23:40:27.265549 1 dynamic_serving_content.go:129] Starting serving::/etc/tls/private/tls.crt::/etc/tls/private/tls.key 2020/05/20 03:31:54 provider.go:394: authorizer reason: E0520 06:00:30.171891 1 webhook.go:109] Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope E0520 06:00:30.171913 1 webhook.go:109] Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope 2020/05/20 06:00:30 oauthproxy.go:782: requestauth: 10.128.2.10:59668 tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope 2020/05/20 06:00:30 oauthproxy.go:782: requestauth: 10.129.2.5:52020 tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope E0520 06:45:30.170023 1 webhook.go:109] Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope 2020/05/20 06:45:30 oauthproxy.go:782: requestauth: 10.128.2.10:59668 tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope E0520 06:45:30.170052 1 webhook.go:109] Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope 2020/05/20 06:45:30 oauthproxy.go:782: requestauth: 10.129.2.5:52020 tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope E0520 07:30:30.171702 1 webhook.go:109] Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope 2020/05/20 07:30:30 oauthproxy.go:782: requestauth: 10.129.2.5:52020 tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope E0520 07:30:30.171713 1 webhook.go:109] Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope 2020/05/20 07:30:30 oauthproxy.go:782: requestauth: 10.128.2.10:59668 tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope E0520 08:04:13.466773 1 webhook.go:109] Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope 2020/05/20 08:04:13 oauthproxy.go:782: requestauth: 10.128.2.10:59668 tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope E0520 08:04:13.466804 1 webhook.go:109] Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope 2020/05/20 08:04:13 oauthproxy.go:782: requestauth: 10.129.2.5:52020 tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:alertmanager-main" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope # oc get tokenreviews -A Error from server (MethodNotAllowed): the server does not allow this method on the requested resource # oc get subjectaccessreviews -A Error from server (MethodNotAllowed): the server does not allow this method on the requested resource Closing as a duplicate because this is exactly the same error than returned by the Kubernetes API in bug 1832825. *** This bug has been marked as a duplicate of bug 1832825 *** |