Created attachment 1294930
logs

Description of problem:
After upgrading to latest OCP packages, creation of new pods fails

Version-Release number of selected component (if applicable):
OCP packages:
atomic-openshift-node-3.6.135-1.git.0.56fd7dc.el7.x86_64
atomic-openshift-sdn-ovs-3.6.135-1.git.0.56fd7dc.el7.x86_64
atomic-openshift-clients-3.6.135-1.git.0.56fd7dc.el7.x86_64
atomic-openshift-master-3.6.135-1.git.0.56fd7dc.el7.x86_64
atomic-openshift-3.6.135-1.git.0.56fd7dc.el7.x86_64
tuned-profiles-atomic-openshift-node-3.6.135-1.git.0.56fd7dc.el7.x86_64

# kubectl version
Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.1+5115d708d7", GitCommit:"fff65cf", GitTreeState:"clean", BuildDate:"2017-07-05T18:23:39Z", GoVersion:"go1.7.6", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.1+5115d708d7", GitCommit:"fff65cf", GitTreeState:"clean", BuildDate:"2017-07-05T18:23:39Z", GoVersion:"go1.7.6", Compiler:"gc", Platform:"linux/amd64"}

How reproducible:
I believe packages are affected

Steps to Reproduce:
1. update to above packages
2. try to create new pods

Actual results:
pods creation will fail. In logs it will be visible as attached

Expected results:
Check logs for an attempt to create pods

Additional info:
Is this a 3.5 -> 3.6 upgrade or a 3.6 -> newer 3.6 upgrade?
Did you reconcile roles after upgrade?
(In reply to Derek Carr from comment #2)
> did you reconcile roles after upgrade?

What is the process to do this?

(In reply to Seth Jennings from comment #1)
> This a 3.5 -> 3.6 upgrade or a 3.6 -> newer 3.6 upgrade?

This was an upgrade from 3.5 -> latest 3.6
Process for reconciling roles after upgrade is here: https://docs.openshift.org/latest/install_config/upgrading/manual_upgrades.html#updating-policy-definitions
To clarify the bug, the issue looks to be the following:
1. user creates a daemonset
2. daemonset controller attempts to create the pod

Actual result: daemonset is denied based on policy the ability to create a pod.

Jul 6 08:14:09 gprfs013 atomic-openshift-master: E0706 08:14:09.536877 63878 daemoncontroller.go:630] unable to create pods: User "system:serviceaccount:kube-system:daemon-set-controller" cannot create pods in project "cnscluster"
I logged in to the cluster and reconciled roles/rolebindings/sccs per comment 4. Pods are creating successfully now. Closing this bz. @ekuric Please re-open if you disagree.
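
A log check for the failure identified in this thread, as an added example that is not part of the original bug report: it scans master log text for service-account authorization denials and separates out those for controller accounts in kube-system, the pattern that pointed to un-reconciled policy here. Only the first sample line comes from the bug; the other lines, the function names and the `infra_namespace` parameter are constructed for illustration.

```python
import re
from collections import Counter

# Denial message format taken from the master log line quoted in this bug.
DENIAL_RE = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\S+) (?P<resource>\S+) in project "(?P<project>[^"]+)"'
)

# First line is the one quoted in the bug; the rest are constructed samples.
SAMPLE_LOG = '''\
Jul 6 08:14:09 gprfs013 atomic-openshift-master: E0706 08:14:09.536877 63878 daemoncontroller.go:630] unable to create pods: User "system:serviceaccount:kube-system:daemon-set-controller" cannot create pods in project "cnscluster"
Jul 6 08:14:39 gprfs013 atomic-openshift-master: E0706 08:14:39.100000 63878 daemoncontroller.go:630] unable to create pods: User "system:serviceaccount:kube-system:daemon-set-controller" cannot create pods in project "cnscluster"
Jul 6 08:15:02 gprfs013 atomic-openshift-master: E0706 08:15:02.200000 63878 example.go:1] User "system:serviceaccount:myapp:builder" cannot get secrets in project "myapp"
Jul 6 08:15:10 gprfs013 atomic-openshift-master: E0706 08:15:10.300000 63878 example.go:1] User "alice" cannot list pods in project "demo"
'''


def find_denials(text):
    """Count service-account denials by (namespace, account, verb, resource, project)."""
    hits = Counter()
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            hits[(m["ns"], m["sa"], m["verb"], m["resource"], m["project"])] += 1
    return hits


def controller_denials(hits, infra_namespace="kube-system"):
    """Keep denials for accounts in the infrastructure namespace.

    Built-in controllers being refused routine actions is the symptom seen in
    this bug, where roles had not been reconciled after the upgrade.
    """
    return {key: n for key, n in hits.items() if key[0] == infra_namespace}


if __name__ == "__main__":
    found = controller_denials(find_denials(SAMPLE_LOG))
    for (ns, sa, verb, res, proj), n in found.items():
        print(f"{n}x {ns}/{sa} denied '{verb} {res}' in project {proj}: "
              "check whether policy was reconciled after the upgrade")
```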