Bug 1561247 - [starter-us-east-1b] Unable to apply auto-approver resource definitions: no kind \"ClusterRoleBinding\" is registered for version \"rbac.authorization.k8s.io/v1\"
Summary: [starter-us-east-1b] Unable to apply auto-approver resource definitions: no k...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.9.z
Assignee: Russell Teague
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On: 1566238
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-03-28 00:16 UTC by Justin Pierce
Modified: 2018-05-17 06:44 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The master admin.kubeconfig was added to the oc command to allow the operation to have the proper authorization and access to the necessary resources.
Clone Of:
Environment:
Last Closed: 2018-05-17 06:43:34 UTC
Target Upstream Version:

Attachments (Terms of Use)
oc apply error (2.62 KB, text/plain)
2018-03-28 00:16 UTC, Justin Pierce 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1566 None None None 2018-05-17 06:44:07 UTC

Description Justin Pierce 2018-03-28 00:16:00 UTC 
Created attachment 1413938 [details]
oc apply error

Description of problem:
During an upgrade from 3.7 to 3.9, the following error was reported. Retries encounter the same issue. See attached listing. 


Version-Release number of selected component (if applicable):
v3.9.14
Comment 1 Scott Dodson 2018-03-28 21:29:41 UTC 
Which playbook was executed to invoke this role? openshift-ansible doesn't include this in any playbooks other than gce provisioning.
Comment 3 Scott Dodson 2018-03-29 01:08:36 UTC 
Correction, this is called via the control plane upgrade.

https://github.com/openshift/openshift-ansible/blob/master/playbooks/openshift-master/private/upgrade.yml#L83-L85

The problem likely happened because the oc command doesn't utilize the admin kubeconfig and on that particular host root's kubeconfig was in another project at the time. We need to sweep the codebase again for this problem.
Comment 4 Scott Dodson 2018-03-29 13:28:04 UTC 
We're also likely running this code on each master where as I believe it only needs to be run once as it's cluster scoped.
Comment 5 Russell Teague 2018-03-29 19:24:02 UTC 
master: https://github.com/openshift/openshift-ansible/pull/7713
Comment 6 Russell Teague 2018-04-03 19:41:30 UTC 
release-3.9: https://github.com/openshift/openshift-ansible/pull/7758
Comment 7 Russell Teague 2018-04-11 12:25:12 UTC 
Commit is in build openshift-ansible-3.9.20-1.git.0.f99fb43.el7
Comment 10 Gaoyun Pei 2018-04-23 10:03:01 UTC 
Couldn't reproduce this issue with openshift-ansible-3.9.14-1.git.0.ca2cfc3.el7.noarch.rpm when upgrading 3.7 to 3.9.

openshift-ansible wouldn't run the step unless we have openshift_master_bootstrap_enabled=true set in ansible inventory file, tried an upgrade from 3.7 to 3.9 using openshift-ansible-3.9.24-1.git.0.d0289ea.el7.noarch  with openshift_master_bootstrap_enabled=true set, no such error happened.

[root@gpei-preserved ~]# grep -A 2 "Create auto-approver on cluster" logs/0423_upgrade
TASK [openshift_bootstrap_autoapprover : Create auto-approver on cluster] ***************************************************************************************************
changed: [qe-gpei-37master-1.0423-t8x.qe.rhcloud.com] => {"changed": true, "cmd": ["oc", "apply", "-f", "/tmp/openshift-approver/", "--config=/etc/origin/master/admin.kubeconfig"], "delta": "0:00:00.323191", "end": "2018-04-23 04:27:42.663713", "failed": false, "rc": 0, "start": "2018-04-23 04:27:42.340522", "stderr": "", "stderr_lines": [], "stdout": "clusterrolebinding \"bootstrap-autoapprover\" created\nclusterrole \"system:node-bootstrap-autoapprover\" created\nserviceaccount \"bootstrap-autoapprover\" created\nstatefulset \"bootstrap-autoapprover\" created", "stdout_lines": ["clusterrolebinding \"bootstrap-autoapprover\" created", "clusterrole \"system:node-bootstrap-autoapprover\" created", "serviceaccount \"bootstrap-autoapprover\" created", "statefulset \"bootstrap-autoapprover\" created"]}

--
TASK [openshift_bootstrap_autoapprover : Create auto-approver on cluster] ***************************************************************************************************
changed: [qe-gpei-37master-1.0423-t8x.qe.rhcloud.com] => {"changed": true, "cmd": ["oc", "apply", "-f", "/tmp/openshift-approver/", "--config=/etc/origin/master/admin.kubeconfig"], "delta": "0:00:00.386440", "end": "2018-04-23 04:38:44.751348", "failed": false, "rc": 0, "start": "2018-04-23 04:38:44.364908", "stderr": "", "stderr_lines": [], "stdout": "clusterrolebinding \"bootstrap-autoapprover\" configured\nclusterrole \"system:node-bootstrap-autoapprover\" configured\nserviceaccount \"bootstrap-autoapprover\" unchanged\nstatefulset \"bootstrap-autoapprover\" configured", "stdout_lines": ["clusterrolebinding \"bootstrap-autoapprover\" configured", "clusterrole \"system:node-bootstrap-autoapprover\" configured", "serviceaccount \"bootstrap-autoapprover\" unchanged", "statefulset \"bootstrap-autoapprover\" configured"]}

Move this bug to verified.
Comment 13 errata-xmlrpc 2018-05-17 06:43:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1566
Note You need to log in before you can comment on or make changes to this bug.