Bug 1906588

Summary: [ci][sig-builds] nodes is forbidden: User "e2e-test-jenkins-pipeline-xfghs-user" cannot list resource "nodes" in API group "" at the cluster scope
Product: OpenShift Container Platform Reporter: Gabe Montero <gmontero>
Component: BuildAssignee: Gabe Montero <gmontero>
Status: CLOSED ERRATA QA Contact: XiuJuan Wang <xiuwang>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 4.7CC: adam.kaplan, aos-bugs
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:41:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Gabe Montero 2020-12-10 20:22:12 UTC
A combo of the new k8s e2e framework and other conceivable issues revealed a timing window where the build jenkins pipeline strategy e2e's would change the user while the k8s e2e setup code was trying to list the nodes.

The user stemming from its NewCLI calls by default does not, nor should it have, permissions to list nodes.

A restructure of when NewCLI is called fixes  the problem.

See https://coreos.slack.com/archives/CEKNRGF25/p1607517832067700 for the tl;dr

Comment 2 Gabe Montero 2020-12-11 22:35:09 UTC
verified by PR CI e2e-*-builds passing

Comment 5 errata-xmlrpc 2021-02-24 15:41:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.