Bug 2057060

Summary: [CAPI] Unable to create ClusterDeployment due to service account restrictions (ACM + Bundled Assisted)
Product: Red Hat Advanced Cluster Management for Kubernetes
Reporter: Chad Crum <ccrum>
Component: Infrastructure Operator
Assignee: Eran Cohen <ercohen>
Status: CLOSED ERRATA
QA Contact: Chad Crum <ccrum>
Severity: high
Docs Contact: Derek <dcadzow>
Priority: unspecified
Version: rhacm-2.5
CC: asri.jasemi10352, ccrum, daliu, ercohen, jwakely, melind.aetinw81, MeyerJessie283778, normanwolf2972126, quanganhkop01, rorygwgehman, trwest, yfirst
Target Milestone: ---
Flags: bot-tracker-sync: rhacm-2.5+
Target Release: rhacm-2.5
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-06-09 02:11:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Chad Crum 2022-02-22 16:31:52 UTC
Description of the problem:
Unable to create a hypershift hosted cluster with Agent CAPI Provider using RHACM 2.5 bundled Assisted Service/Hive due to service account restrictions:

admission webhook \"ocm.validating.webhook.admission.open-cluster-management.io\" denied the request: user \"system:serviceaccount:clusters-hdhcp-0:capi-provider\" cannot add/remove the resource to/from ManagedClusterSet

Release version:
ACM 2.5.0-DOWNSTREAM-2022-02-21-19-58-55
OCP management cluster 4.10.0-0.nightly-2022-02-17-234353


Steps to reproduce:
1. Deploy OCP 4.10 via IPI BM in ipv4 env
2. Deploy RHACM 2.5 from DS snapshot and Assisted Service
3. Deploy Hypershift operator
4. Attempt to create hypershift managed cluster using agent capi provider

Actual results:

CAPI provider service account does not have rights to create the Cluster Deployment:

CAPI provider pod logs:
2022-02-22T15:41:15.872Z        ERROR   controller.agentcluster Reconciler error        {"reconciler group": "capi-provider.agent-install.openshift.io", "reconciler kind": "AgentCluster", "name": "hdhcp-0", "namespace": "clusters-hdhcp-0", "error": "admission webhook \"ocm.validating.webhook.admission.open-cluster-management.io\" denied the request: user \"system:serviceaccount:clusters-hdhcp-0:capi-provider\" cannot add/remove the resource to/from ManagedClusterSet \"\""}
time="2022-02-22T15:57:55Z" level=error msg="Failed to create ClusterDeployment" func="github.com/openshift/cluster-api-provider-agent/controllers.(*AgentClusterReconciler).createClusterDeployment" file="/workspace/controllers/agentcluster_controller.go:259" agent_cluster=hdhcp-0 agent_cluster_namespace=clusters-hdhcp-0 error="admission webhook \"ocm.validating.webhook.admission.open-cluster-management.io\" denied the request: user \"system:serviceaccount:clusters-hdhcp-0:capi-provider\" cannot add/remove the resource to/from ManagedClusterSet \"\""

Expected results:
ClusterDeployment created successfully

Additional info:

Comment 1 daliu 2022-02-23 08:16:00 UTC
Currently in ACM, when a user wants to provision a cluster, he/she must have join permission on the ManagedClusterSet (if the user does not specify the clusterset in the ClusterDeployment, the user must have join permission on all ManagedClusterSets).
So is it possible to add the permission to this service account?
Permission: https://github.com/stolostron/multicloud-operators-foundation/blob/4445a66a872a56a2bb629b59d764c4b45c3d0fe7/deploy/foundation/hub/resources/clusterrole.yaml#L38
Code logic to validate it: https://github.com/stolostron/multicloud-operators-foundation/blob/4445a66a872a56a2bb629b59d764c4b45c3d0fe7/pkg/webhook/clusterset/validatingWebhook.go#L67
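As an added example (not code from this bug, from Hive/ACM, or from the linked multicloud-operators-foundation repository), a small Go check modelling the rule daliu describes: a subject may provision into a cluster set only with join permission on that set, and with no set specified it needs join on every set. It assumes the permission is the `create` verb on the `managedclustersets/join` subresource in the `cluster.open-cluster-management.io` API group; the rule struct and the sample rules are constructed for the example.

```go
package main

// PolicyRule is a reduced model of a Kubernetes RBAC rule; the field shape
// follows rbac.authorization.k8s.io/v1 but keeps only what the check needs.
type PolicyRule struct {
	APIGroups     []string
	Resources     []string
	ResourceNames []string // empty means the rule applies to every name
	Verbs         []string
}

// Assumed gate (not taken from the bug): ACM checks "create" on the
// managedclustersets/join subresource in cluster.open-cluster-management.io.
const (
	clusterSetGroup = "cluster.open-cluster-management.io"
	joinSubresource = "managedclustersets/join"
)

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// CanJoin reports whether rules let a subject add a cluster to setName.
// An empty setName models a ClusterDeployment with no cluster set given
// (the denial in this bug shows ManagedClusterSet ""), which needs join on
// every set, i.e. a matching rule without a resourceNames restriction.
func CanJoin(rules []PolicyRule, setName string) bool {
	for _, r := range rules {
		if !has(r.APIGroups, clusterSetGroup) || !has(r.Resources, joinSubresource) || !has(r.Verbs, "create") {
			continue
		}
		if len(r.ResourceNames) == 0 {
			return true
		}
		for _, n := range r.ResourceNames { // resourceNames are exact; no wildcard
			if setName != "" && n == setName {
				return true
			}
		}
	}
	return false
}
```

A service account whose ClusterRole only covers Hive ClusterDeployments is denied by this check for any set name, which matches the error the CAPI provider logged.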

Comment 2 daliu 2022-02-23 09:23:45 UTC
As discussed in https://coreos.slack.com/archives/C01FT9E4Q10/p1645603511153759
it should be ok now.

Comment 4 Chad Crum 2022-03-23 12:34:11 UTC
Validated this in 2.5.0-DOWNSTREAM-2022-03-22-18-59-30.

I'm able to deploy a hypershift agent based hosted cluster and workers without errors.

Comment 7 errata-xmlrpc 2022-06-09 02:11:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4956

Comment 8 Osscar 2022-12-21 05:30:21 UTC Comment hidden (spam)
Comment 9 daliu 2022-12-22 01:25:21 UTC
@normanwolf2972126
For this issue, we already fixed it in https://bugzilla.redhat.com/show_bug.cgi?id=2057060#c3
Do you have any new requirements, or have any new issues happened?

Comment 18 Jonathan Wakely 2023-06-07 09:28:07 UTC
(In reply to daliu from comment #9)
> Do you have any new requirements, or have any new issues happened?

It's a spam comment; there's an SEO link hidden in the middle of the comment.
