Bug 2104984

Summary: Infrastructure operator missing clusterrole permissions for interacting with mutatingwebhookconfigurations
Product: multicluster engine for Kubernetes
Reporter: Trey West <trwest>
Component: Infrastructure Operator
Assignee: Michael Filanov <mfilanov>
Status: CLOSED ERRATA
QA Contact: Chad Crum <ccrum>
Severity: high
Docs Contact: Derek <dcadzow>
Priority: unspecified
Version: 2.1
CC: cbynum, ccrum, ecai, trwest, yfirst
Target Milestone: ---
Flags: cbynum: multicluster-engine-2.1+, cbynum: multicluster-engine-2.1.z+
Target Release: mce-2.1
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2022-09-06 22:33:25 UTC
Type: Bug

Description Trey West 2022-07-07 15:50:33 UTC
Description of the problem:

The infrastructure operator is experiencing permission errors because it lacks the permissions to create mutatingwebhookconfigurations.

This is indirectly causing validatingwebhookconfigurations to break, because the infrastructure operator is practically stuck in a loop hitting the mutatingwebhookconfigurations permission errors, and so it is not doing its job of reconciling other resources.

Release version:

Operator snapshot version:
MCE 2.1 (2.1.0-DOWNANDBACK-2022-07-07-08-17-35)

OCP version:
4.11

Steps to reproduce:
1. Install a hub cluster with 2.1.0-DOWNANDBACK-2022-07-07-08-17-35

Actual results:
Infrastructure operator pod cannot create mutatingwebhookconfigurations and is stuck in a loop
Expected results:
mutatingwebhookconfigurations created as expected and the operator is fully functional

Additional info:


Logs from infrastructure-operator pod:
W0707 15:49:37.175312       1 reflector.go:324] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:250: failed to list *v1.MutatingWebhookConfiguration: mutatingwebhookconfigurations.admissionregistration.k8s.io is forbidden: User "system:serviceaccount:multicluster-engine:assisted-service" cannot list resource "mutatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope
E0707 15:49:37.175372       1 reflector.go:138] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:250: Failed to watch *v1.MutatingWebhookConfiguration: failed to list *v1.MutatingWebhookConfiguration: mutatingwebhookconfigurations.admissionregistration.k8s.io is forbidden: User "system:serviceaccount:multicluster-engine:assisted-service" cannot list resource "mutatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope
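Added example, not part of the bug report or of the infrastructure operator's own code: a small POSIX shell script that turns "is forbidden" lines like the two above into the RBAC tuple being denied (subject, verb, resource, API group), prints the kubectl auth can-i impersonation check that confirms the gap on a live hub, and emits the smallest ClusterRole and ClusterRoleBinding that would close it. The first two log lines embedded in the script are the ones from this report; the third log line, the ClusterRole name and the function names are constructed for the example. "watch" is added alongside "list" because a controller-runtime informer lists and then watches, and the apiserver only reports the first verb that failed.

```shell
#!/bin/sh
# Added example (not from the bug report or the operator). Derives the missing
# RBAC rule from apiserver "is forbidden" lines, prints the can-i check, and
# emits a minimal ClusterRole/ClusterRoleBinding. Names are assumptions.

# Constructed input: lines 1-2 are from the bug description, line 3 is noise.
SAMPLE_LOG='W0707 15:49:37.175312       1 reflector.go:324] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:250: failed to list *v1.MutatingWebhookConfiguration: mutatingwebhookconfigurations.admissionregistration.k8s.io is forbidden: User "system:serviceaccount:multicluster-engine:assisted-service" cannot list resource "mutatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope
E0707 15:49:37.175372       1 reflector.go:138] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:250: Failed to watch *v1.MutatingWebhookConfiguration: failed to list *v1.MutatingWebhookConfiguration: mutatingwebhookconfigurations.admissionregistration.k8s.io is forbidden: User "system:serviceaccount:multicluster-engine:assisted-service" cannot list resource "mutatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope
I0707 15:49:38.000001       1 controller.go:100] (constructed) reconciling, nothing denied here'

# forbidden_tuples: stdin = operator log; stdout = one "user|verb|resource|group"
# line per distinct cluster-scope denial. The apiserver phrases every RBAC
# denial the same way, so a single regex covers all of them.
forbidden_tuples() {
  sed -n -E 's/.*is forbidden: User "([^"]+)" cannot ([a-z]+) resource "([^"]+)" in API group "([^"]*)" at the cluster scope.*/\1|\2|\3|\4/p' |
  sort -u
}

# can_i_command: stdin = tuples; stdout = one "kubectl auth can-i" per denial,
# impersonating the denied subject. Run it before and after applying the fix.
can_i_command() {
  awk -F'|' '{ res = ($4 == "") ? $3 : $3 "." $4
               printf "kubectl auth can-i %s %s --as=%s\n", $2, res, $1 }'
}

# rbac_yaml NAME: stdin = tuples; stdout = ClusterRole NAME with one rule per
# API group/resource (verbs merged, "watch" added whenever "list" was denied)
# plus a ClusterRoleBinding to the denied subject.
rbac_yaml() {
  awk -F'|' -v name="$1" '
    {
      user = $1; key = $4 "|" $3
      if (!(key in verbs)) { order[++n] = key; verbs[key] = " " }
      if (index(verbs[key], " " $2 " ") == 0) verbs[key] = verbs[key] $2 " "
      if ($2 == "list" && index(verbs[key], " watch ") == 0) verbs[key] = verbs[key] "watch "
    }
    END {
      print "apiVersion: rbac.authorization.k8s.io/v1"
      print "kind: ClusterRole"
      print "metadata:"; print "  name: " name
      print "rules:"
      for (i = 1; i <= n; i++) {
        split(order[i], gr, "|")
        m = split(verbs[order[i]], v, " ")
        list = ""
        for (j = 1; j <= m; j++) list = list (list == "" ? "" : ", ") "\"" v[j] "\""
        print "- apiGroups: [\"" gr[1] "\"]"
        print "  resources: [\"" gr[2] "\"]"
        print "  verbs: [" list "]"
      }
      print "---"
      print "apiVersion: rbac.authorization.k8s.io/v1"
      print "kind: ClusterRoleBinding"
      print "metadata:"; print "  name: " name
      print "roleRef:"
      print "  apiGroup: rbac.authorization.k8s.io"
      print "  kind: ClusterRole"
      print "  name: " name
      print "subjects:"
      if (sub(/^system:serviceaccount:/, "", user)) {
        split(user, sa, ":")   # system:serviceaccount:<namespace>:<name>
        print "- kind: ServiceAccount"; print "  name: " sa[2]; print "  namespace: " sa[1]
      } else {
        print "- kind: User"; print "  name: " user
        print "  apiGroup: rbac.authorization.k8s.io"
      }
    }'
}

# Stand-alone run on the embedded sample.
TUPLES=$(printf '%s\n' "$SAMPLE_LOG" | forbidden_tuples)
printf '%s\n' "$TUPLES" | can_i_command
printf '%s\n' "$TUPLES" | rbac_yaml assisted-service-webhooks
```

Because the informer stops at the first denied verb, fixing list/watch may surface further denials (for example the create the report's summary mentions) on the next run; re-run the script on the fresh log until forbidden_tuples prints nothing. On a real hub, prefer adding the rule to the operator's own ClusterRole in its bundle rather than keeping a side-loaded binding.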

Comment 1 Sarah Lavie 2022-07-10 08:38:48 UTC
Solved by taking the newest operator build as far as I know.

Comment 2 Trey West 2022-07-12 12:26:39 UTC
Verified that this behavior no longer occurs on 2.1.0-DOWNANDBACK-2022-07-08-09-45-12

Comment 6 errata-xmlrpc 2022-09-06 22:33:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Advanced Cluster Management 2.6.0 security updates and bug fixes), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6370