Bug 1836087

Summary: "cannot create resource subjectaccessreviews at the cluster scope" error info in prometheus-adapter pod logs
Product: OpenShift Container Platform
Component: Monitoring
Version: 4.5
Status: CLOSED DUPLICATE
Severity: low
Priority: low
Keywords: Regression
Target Release: 4.5.0
Hardware: Unspecified
OS: Unspecified
Reporter: Junqi Zhao <juzhao>
Assignee: Sergiusz Urbaniak <surbania>
QA Contact: Junqi Zhao <juzhao>
CC: alegrand, anpicker, christopher.obrien, erooth, kakkoyun, lcosic, mloibl, naoto30, pkrupa, spasquie, surbania
Last Closed: 2020-05-25 08:51:34 UTC
Type: Bug
Bug Blocks: 1873162

Description Junqi Zhao 2020-05-15 06:08:54 UTC
Description of problem:
# oc -n openshift-monitoring  logs prometheus-adapter-587687f4c-g4dt7
I0515 03:53:37.363903       1 adapter.go:94] successfully using in-cluster auth
I0515 03:53:38.139376       1 dynamic_cafile_content.go:166] Starting request-header::/etc/tls/private/requestheader-client-ca-file
I0515 03:53:38.139414       1 dynamic_cafile_content.go:166] Starting client-ca-bundle::/etc/tls/private/client-ca-file
I0515 03:53:38.139626       1 dynamic_serving_content.go:129] Starting serving-cert::/etc/tls/private/tls.crt::/etc/tls/private/tls.key
I0515 03:53:38.140412       1 secure_serving.go:178] Serving securely on [::]:6443
I0515 03:53:38.140485       1 tlsconfig.go:219] Starting DynamicServingCertificateController
E0515 03:54:31.943916       1 webhook.go:197] Failed to make webhook authorizer request: subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
E0515 03:54:31.944026       1 errors.go:77] subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
E0515 04:02:40.311308       1 webhook.go:197] Failed to make webhook authorizer request: subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
E0515 04:02:40.311412       1 errors.go:77] subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
E0515 04:20:42.250215       1 reflector.go:307] k8s.io/client-go/informers/factory.go:135: Failed to watch *v1.Node: unknown (get nodes)
E0515 04:20:43.251510       1 reflector.go:153] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot list resource "nodes" in API group "" at the cluster scope

# token=`oc sa get-token prometheus-adapter -n openshift-monitoring`
# oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer $token" 'https://prometheus-k8s.openshift-monitoring.svc:9091/api/v1/query?query=kube_node_info' | jq | head
{
  "status": "success",
  "data": {
    "resultType": "vector",
    "result": [
      {
        "metric": {
          "__name__": "kube_node_info",
          "container_runtime_version": "cri-o://1.18.0-17.dev.rhaos4.5.gitdea34b9.el8",
          "endpoint": "https-main",


# oc api-resources | grep subjectaccessreviews
subjectaccessreviews                                   authorization.k8s.io                  false        SubjectAccessReview
subjectaccessreviews                                   authorization.openshift.io            false        SubjectAccessReview


Version-Release number of selected component (if applicable):
4.5.0-0.nightly-2020-05-14-190315

How reproducible:
recently

Steps to Reproduce:
1. See the description

Actual results:


Expected results:


Additional info:
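
Added example, not part of the original bug report: a small parser that reduces "forbidden" lines like the ones in the log above to the distinct (scope, API group, resource, verb) denials per subject and prints them as RBAC rule stanzas, so they can be compared with the roles actually bound to the service account. The function names and the third sample line (a constructed namespaced denial) are assumptions for illustration.

```python
import re
from collections import defaultdict

# Shape of the API server's RBAC denial as it appears in the adapter log above.
# The namespaced variant ("in the namespace ...") is handled as well.
DENIED = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

def denied_permissions(log_text):
    """Map each subject to its sorted (scope, apiGroup, resource, verb) denials."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        # The same denial recurs on many log lines; the set keeps one copy.
        for m in DENIED.finditer(line):
            scope = m["ns"] or "cluster"
            found[m["user"]].add((scope, m["group"], m["resource"], m["verb"]))
    return {user: sorted(perms) for user, perms in found.items()}

def as_rbac_rules(perms):
    """Render denials as RBAC rule stanzas for review against the bound roles."""
    out = []
    for scope, group, resource, verb in perms:
        out.append(f'# scope: {scope}\n- apiGroups: ["{group}"]\n'
                   f'  resources: ["{resource}"]\n  verbs: ["{verb}"]')
    return "\n".join(out)

# The first two lines are copied from the log in this report (spacing trimmed);
# the third is a constructed namespaced denial to exercise that branch.
SAMPLE = '''\
E0515 03:54:31.943916 1 webhook.go:197] Failed to make webhook authorizer request: subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
E0515 04:20:43.251510 1 reflector.go:153] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot list resource "nodes" in API group "" at the cluster scope
E0515 04:21:00.000000 1 reflector.go:153] pods is forbidden: User "system:serviceaccount:example-ns:example-sa" cannot watch resource "pods" in API group "" in the namespace "example-ns"
'''

if __name__ == "__main__":
    for user, perms in denied_permissions(SAMPLE).items():
        print(f"## {user}\n{as_rbac_rules(perms)}")
```

The output lists what the API server refused, not what ought to be granted; each stanza still needs to be checked against the component's intended role before any binding is changed.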