Bug 1570540 - Vmware persistent volumes do not work because of missing clusterrolebinding with vsphere-cloud-provider service account.
Summary: Vmware persistent volumes do not work because of missing clusterrolebinding w...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 3.9.z
Assignee: Hemant Kumar
QA Contact: Jianwei Hou
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-23 07:30 UTC by Mahesh Taru
Modified: 2018-06-06 15:47 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-06 15:46:20 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3421091 0 None None None 2018-04-23 09:14:18 UTC
Red Hat Product Errata RHBA-2018:1796 0 None None None 2018-06-06 15:47:23 UTC

Description Mahesh Taru 2018-04-23 07:30:19 UTC
Description of problem:
When trying to create PV on vmware storage it fails with below error.
***************
I0411 19:39:55.969270   29228 rbac.go:116] RBAC DENY: user "system:serviceaccount:kube-system:vsphere-cloud-provider" groups ["system:serviceaccounts" "system:serviceaccounts:kube-system" "system:authenticated"] cannot "list" resource "nodes" cluster-wide
E0411 19:39:55.971008   29345 reflector.go:205] github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/cloudprovider/providers/vsphere/vsphere.go:227: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:vsphere-cloud-provider" cannot list nodes at the cluster scope: User "system:serviceaccount:kube-system:vsphere-cloud-provider" cannot list all nodes in the cluster
***************

Version-Release number of selected component (if applicable):
3.9

How reproducible:
Always

Steps to Reproduce:
1. Configure OCP to access VMWare vSphere [1]
2. Try to create pv using vsphere storage [2]

[1] https://docs.openshift.com/container-platform/3.9/install_config/configuring_vsphere.html
[2] https://docs.openshift.com/container-platform/3.9/install_config/persistent_storage/persistent_storage_vsphere.html#install-config-persistent-storage-persistent-storage-vsphere

Actual results:
PV creation fails with following error.
***************
I0411 19:39:55.969270   29228 rbac.go:116] RBAC DENY: user "system:serviceaccount:kube-system:vsphere-cloud-provider" groups ["system:serviceaccounts" "system:serviceaccounts:kube-system" "system:authenticated"] cannot "list" resource "nodes" cluster-wide
E0411 19:39:55.971008   29345 reflector.go:205] github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/cloudprovider/providers/vsphere/vsphere.go:227: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:vsphere-cloud-provider" cannot list nodes at the cluster scope: User "system:serviceaccount:kube-system:vsphere-cloud-provider" cannot list all nodes in the cluster
***************

The error occur because the required clusterrole for user vsphere-cloud-provider is missing in file /usr/share/ansible/openshift-ansible/roles/openshift_cloud_provider/files/vsphere-svc.yml.

Expected results:
vsphere-cloud-provider should be created with clusterrole and PV creation should be successful.

Master Log:
***************
I0411 19:39:55.969270   29228 rbac.go:116] RBAC DENY: user "system:serviceaccount:kube-system:vsphere-cloud-provider" groups ["system:serviceaccounts" "system:serviceaccounts:kube-system" "system:authenticated"] cannot "list" resource "nodes" cluster-wide
E0411 19:39:55.971008   29345 reflector.go:205] github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/cloudprovider/providers/vsphere/vsphere.go:227: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:vsphere-cloud-provider" cannot list nodes at the cluster scope: User "system:serviceaccount:kube-system:vsphere-cloud-provider" cannot list all nodes in the cluster
***************

Node Log (of failed PODs):

PV Dump:

PVC Dump:

StorageClass Dump (if StorageClass used by PV/PVC):

Additional info:
File /usr/share/ansible/openshift-ansible/roles/openshift_cloud_provider/files/vsphere-svc.yml do not have "kind: ClusterRole" entry after 'roleRef' in ClusterRoleBinding section.

As temporary workaround, adding "kind: ClusterRole" entry after 'roleRef' in ClusterRoleBinding section helps to create PV.
Example entries after changes.
**************************************
apiVersion: v1
groupNames: null
kind: ClusterRoleBinding
metadata:
  annotations:
    openshift.io/reconcile-protect: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:vsphere-cloud-provider
roleRef:
  kind: ClusterRole                               <------ Added entry
  name: system:vsphere-cloud-provider
subjects:
- kind: ServiceAccount
  name: vsphere-cloud-provider
  namespace: kube-system
userNames:
- system:serviceaccount:kube-system:vsphere-cloud-provider
*************************************

Comment 3 Hemant Kumar 2018-05-04 17:25:02 UTC
https://github.com/openshift/ose/pull/1246

Comment 6 Jianwei Hou 2018-05-31 07:33:25 UTC
Verified on v3.9.30.

vSphere VMDK could successfully provision without the need of sa/clusterrole/glusterrolebinding.

Comment 8 errata-xmlrpc 2018-06-06 15:46:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1796


Note You need to log in before you can comment on or make changes to this bug.