Bug 2059187

Summary: [Secondary Scheduler] - key failed with : serviceaccounts "secondary-scheduler" is forbidden
Product: OpenShift Container Platform
Reporter: RamaKasturi <knarra>
Component: kube-scheduler
Assignee: Jan Chaloupka <jchaloup>
Status: CLOSED ERRATA
QA Contact: RamaKasturi <knarra>
Severity: high
Priority: unspecified
Version: 4.10
CC: jchaloup, mfojtik
Target Release: 4.11.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2022-08-10 10:51:23 UTC
Type: Bug

Description RamaKasturi 2022-02-28 12:56:57 UTC
Description of problem:
I see that the CR instance of the secondary scheduler operator does not get created and the error below is seen in the scheduler logs.

E0228 10:52:16.282598       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"
I0228 11:02:16.286321       1 target_config_reconciler.go:129] Find ConfigMap customized for the secondaryscheduler.
E0228 11:02:16.290806       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"
I0228 11:08:25.709429       1 target_config_reconciler.go:129] Find ConfigMap customized for the secondaryscheduler.
E0228 11:08:25.715570       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"
I0228 11:12:16.275984       1 target_config_reconciler.go:129] Find ConfigMap customized for the secondaryscheduler.
E0228 11:12:16.280316       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"


Version-Release number of selected component (if applicable):
secondary-scheduler-operator-container-v1.0-5

How reproducible:
Always

Steps to Reproduce:
1. Install latest 4.10 cluster
2. Install secondary scheduler operator
3. Create configmap using the file https://github.com/openshift/secondary-scheduler-operator/blob/master/deploy/06_configmap.yaml
4. Create instance for CR with name secondary-scheduler

Actual results:
I see that the CR instance does not get created and, looking at the scheduler operator logs, I hit the error below.

I0228 11:08:25.709429       1 target_config_reconciler.go:129] Find ConfigMap customized for the secondaryscheduler.
E0228 11:08:25.715570       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"
I0228 11:12:16.275984       1 target_config_reconciler.go:129] Find ConfigMap customized for the secondaryscheduler.
E0228 11:12:16.280316       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"


Expected results:
RBAC should not be missing for serviceaccounts


Additional info:
https://github.com/openshift/secondary-scheduler-operator/blob/master/manifests/cluster-secondary-scheduler-operator.clusterserviceversion.yaml#L101 is missing the serviceaccounts RBAC, compared to https://github.com/openshift/secondary-scheduler-operator/blob/master/deploy/02_clusterrole.yaml#L22.
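
Added example, not part of the bug report or of the operator's code: a small Python triage script that extracts the RBAC denials from operator log lines like the ones quoted above and checks them against a list of PolicyRule-shaped rules. The helper names (`parse_denials`, `rule_allows`, `uncovered`) and the two rule lists are assumptions constructed for illustration, not the contents of the real CSV or `02_clusterrole.yaml`; `resourceNames` and subresource wildcards are ignored.

```python
import re

# Shape of the API server's RBAC denial text, as seen in the log lines quoted above.
DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)

def parse_denials(log_text):
    """Return the unique RBAC denials found in log_text, in first-seen order."""
    seen, out = set(), []
    for m in DENIAL_RE.finditer(log_text):
        d = m.groupdict()            # namespace is None for cluster-scoped denials
        key = tuple(d.values())
        if key not in seen:          # reconcile loops repeat the same denial
            seen.add(key)
            out.append(d)
    return out

def rule_allows(rule, denial):
    """True if one PolicyRule-shaped dict grants the denied verb on the resource."""
    def has(values, wanted):
        return "*" in values or wanted in values
    return (has(rule.get("apiGroups", []), denial["group"])
            and has(rule.get("resources", []), denial["resource"])
            and has(rule.get("verbs", []), denial["verb"]))

def uncovered(rules, denials):
    """Denials that no rule in the given rule list would permit."""
    return [d for d in denials if not any(rule_allows(r, d) for r in rules)]

# Constructed sample input: three of the log lines quoted in the report.
SAMPLE_LOG = '''I0228 11:08:25.709429       1 target_config_reconciler.go:129] Find ConfigMap customized for the secondaryscheduler.
E0228 11:08:25.715570       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"
E0228 11:12:16.280316       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"
'''

# Constructed rule lists for illustration only (NOT the real manifests' contents).
RULES_WITHOUT_SA = [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]
RULES_WITH_SA = RULES_WITHOUT_SA + [{"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["get"]}]

if __name__ == "__main__":
    for d in uncovered(RULES_WITHOUT_SA, parse_denials(SAMPLE_LOG)):
        print("not granted:", d["user"], d["verb"], d["resource"], "in", d["namespace"])
```

Running the same check against the rules extracted from both the CSV and the deploy manifest shows which of the two ships without a permission the operator actually exercises.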

Comment 3 RamaKasturi 2022-03-03 10:10:51 UTC
Verified with the latest SSO and do not see this issue anymore. Based on this, moving the bug to verified state.

Comment 6 errata-xmlrpc 2022-08-10 10:51:23 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069