Bug 1844760

Summary: Vertical Pod Autoscaler (VPA) updater cannot get resource "leases"
Product: OpenShift Container Platform
Reporter: Joel Smith <joelsmith>
Component: Node
Assignee: Joel Smith <joelsmith>
Status: CLOSED ERRATA
QA Contact: Weinan Liu <weinliu>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.5
CC: aos-bugs, jokerman
Target Milestone: ---
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-10-27 16:05:31 UTC
Type: Bug
Bug Blocks: 1844775    

Description Joel Smith 2020-06-06 23:16:40 UTC
Description of problem:

Two new RBAC changes were made in VPA upstream that don't exist in our OLM manifests, so the new version of the VPA controllers won't run. Here are the upstream changes.

https://github.com/kubernetes/autoscaler/commit/91b955316e6731f81ce8fc0c11c86db6a6300e2f#diff-d0e893b6e6e2716c431b53ecf48088b5R267
https://github.com/kubernetes/autoscaler/commit/572331a244eb30fad83e8bed7882b4756ba9d21c#diff-d0e893b6e6e2716c431b53ecf48088b5R290

The updater fails with repeating messages like this:

E0606 21:46:48.385779       1 updater.go:114] Error getting Admission Controller status: leases.coordination.k8s.io "vpa-admission-controller" is forbidden: User "system:serviceaccount:openshift-vertical-pod-autoscaler:vpa-updater" cannot get resource "leases" in API group "coordination.k8s.io" in the namespace "kube-system". Skipping eviction loop

Version-Release number of selected component (if applicable):



How reproducible:
100%

Steps to Reproduce:
Follow existing test cases at https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitems?query=NOT%20HAS_VALUE%3Aresolution%20AND%20trello%3AOCPNODE%5C-173

1. Install VPA via OperatorHub using ART-built images
2. Deploy an application and configure the VPA to monitor and update it
3. Observe that the VPA does not update the applications
4. Check updater logs: oc logs -n openshift-vertical-pod-autoscaler deployment.apps/vpa-updater-default


Actual results:
Pod updates never happen, error messages in the updater log.

Expected results:
Pod updates happen, no error messages.


Additional info:
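
Added example (not part of the original report, and not the VPA project's code): the sketch below parses the API-server denial from the updater log quoted above, rebuilds the matching `oc auth can-i` check, and derives the narrowest RBAC rule that would satisfy it. The function names are hypothetical, and the rule is inferred from the log line alone, so it may be narrower than the rules added in the upstream commits.

```python
import re

# Constructed from the updater log line quoted in this report.
SAMPLE = ('leases.coordination.k8s.io "vpa-admission-controller" is forbidden: '
          'User "system:serviceaccount:openshift-vertical-pod-autoscaler:vpa-updater" '
          'cannot get resource "leases" in API group "coordination.k8s.io" '
          'in the namespace "kube-system"')

DENIAL = re.compile(
    r'(?:"(?P<name>[^"]+)" )?is forbidden: User "(?P<user>[^"]+)" '
    r'cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?')

def parse_denial(line):
    """Return the fields of an API-server RBAC denial, or None if no match."""
    m = DENIAL.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Service-account users look like system:serviceaccount:<namespace>:<name>.
    parts = d["user"].split(":")
    is_sa = parts[:2] == ["system", "serviceaccount"] and len(parts) == 4
    d["sa"] = tuple(parts[2:]) if is_sa else None
    return d

def can_i_command(d):
    """Build an `oc auth can-i` check that reproduces the denied request."""
    res = d["resource"] + ("." + d["group"] if d["group"] else "")
    cmd = ["oc", "auth", "can-i", d["verb"], res, "--as=" + d["user"]]
    if d["namespace"]:
        cmd += ["-n", d["namespace"]]
    return cmd

def minimal_rule(d):
    """Narrowest PolicyRule for the denial: one verb, one resource, one object."""
    rule = {"apiGroups": [d["group"]], "resources": [d["resource"]],
            "verbs": [d["verb"]]}
    if d["name"]:
        rule["resourceNames"] = [d["name"]]
    return rule

if __name__ == "__main__":
    denial = parse_denial(SAMPLE)
    print(" ".join(can_i_command(denial)))
    print(minimal_rule(denial))
```

Running the printed `oc auth can-i` command before and after updating the manifests confirms whether the service account has gained the permission.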

Comment 5 errata-xmlrpc 2020-10-27 16:05:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196