Description of problem:
descheduler-operator can not generate cronjob.

Version-Release number of selected component (if applicable):
oc v4.0.0-0.82.0
kubernetes v1.11.0+6855010f70
features: Basic-Auth GSSAPI Kerberos SPNEGO

openshift v4.0.0-0.81.0
kubernetes v1.11.0+ba8f89f8f9

How reproducible:
always

Steps to Reproduce:
1. Download code from GitHub: https://github.com/openshift/descheduler-operator
2. Deploy descheduler-operator, steps as follows:
   #oc create -f deploy/namespace.yaml
   #oc project openshift-descheduler-operator
   #oc create -f deploy/crds/descheduler_v1alpha1_descheduler_crd.yaml
   #oc create -f deploy/service_account.yaml
   #oc create -f deploy/rbac.yaml
   #oc create -f deploy/operator.yaml
   #oc create -f deploy/crds/descheduler_v1alpha1_descheduler_cr.yaml
3. Check descheduler-operator pod log:
   #oc logs descheduler-operator-965cb8f7f-hfjq8

Actual results:
3. log show generate cronjob succ.

Expected results:
3. log show generate cronjob fail. Logs as follows:

E1206 07:42:21.976849 1 reflector.go:205] github.com/openshift/descheduler-operator/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:196: Failed to list *v1beta1.CronJob: cronjobs.batch is forbidden: User "system:serviceaccount:openshift-descheduler-operator:openshift-descheduler" cannot list cronjobs.batch in the namespace "openshift-descheduler-operator": no RBAC policy matched

Additional info:
The rbac seems correct.

Check descheduler-operator pod's service account: openshift-descheduler

# oc get pod descheduler-operator-965cb8f7f-hfjq8 -o yaml | grep serviceAccount
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
  serviceAccount: openshift-descheduler
  serviceAccountName: openshift-descheduler

#cat descheduler-operator/deploy/rbac.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: descheduler-role-binding
subjects:
- kind: ServiceAccount
  name: openshift-descheduler
  namespace: openshift-descheduler-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: descheduler-operator

# oc describe clusterrole.rbac descheduler-operator
Name:         descheduler-operator
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources         Non-Resource URLs  Resource Names  Verbs
  ---------         -----------------  --------------  -----
  configmaps        []                 []              [*]
  names             []                 []              [*]
  nodes             []                 []              [*]
  pods/eviction     []                 []              [*]
  pods              []                 []              [*]
  secrets           []                 []              [*]
  services          []                 []              [*]
  deployments.apps  []                 []              [*]
  jobs.batch        []                 []              [*]
  *.descheduler.io  []                 []              [*]
  jobs.extensions   []                 []              [*]
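Added example (not part of the bug report or the operator's code): a small Python re-implementation of the RBAC resource-rule match, run over the PolicyRule rows from the `oc describe clusterrole` output above, showing why `list cronjobs.batch` finds no matching rule while `jobs.batch` does. The `allows` helper and the extra `cronjobs.batch` row are assumptions for illustration; the row is constructed and is not taken from the referenced pull request.

```python
import re

# PolicyRule rows copied from the `oc describe clusterrole.rbac descheduler-operator`
# output in the bug description: resource, non-resource URLs, resource names, verbs.
DESCRIBE_ROWS = """\
configmaps        []  []  [*]
names             []  []  [*]
nodes             []  []  [*]
pods/eviction     []  []  [*]
pods              []  []  [*]
secrets           []  []  [*]
services          []  []  [*]
deployments.apps  []  []  [*]
jobs.batch        []  []  [*]
*.descheduler.io  []  []  [*]
jobs.extensions   []  []  [*]
"""

ROW = re.compile(r"\s*(\S+)\s+\[(.*?)\]\s+\[(.*?)\]\s+\[(.*?)\]\s*$")

def parse_rows(text):
    """Turn describe rows into rules; 'jobs.batch' means resource 'jobs' in API group 'batch'."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            resource, _, group = m.group(1).partition(".")
            rules.append({"group": group, "resource": resource,
                          "names": m.group(3).split(), "verbs": m.group(4).split()})
    return rules

def allows(rules, verb, group, resource, name=""):
    """Hypothetical helper: RBAC is allow-only, so one rule must match group, resource and verb."""
    for r in rules:
        if (r["group"] in ("*", group) and r["resource"] in ("*", resource)
                and ("*" in r["verbs"] or verb in r["verbs"])
                and (not r["names"] or name in r["names"])):
            return True
    return False  # nothing matched: the API server answers "no RBAC policy matched"

RULES = parse_rows(DESCRIBE_ROWS)
# Constructed row for comparison only; not taken from the referenced pull request.
WITH_CRONJOBS = RULES + parse_rows("cronjobs.batch  []  []  [*]")

if __name__ == "__main__":
    for res in ("jobs", "cronjobs"):
        print(res, allows(RULES, "list", "batch", res), allows(WITH_CRONJOBS, "list", "batch", res))
```

A wildcard verb on `jobs.batch` does not extend to other resources in the `batch` group, so each resource the operator's informers list needs its own rule.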
Forgot to push commit related to rbac changes yesterday: https://github.com/openshift/descheduler-operator/pull/29
Verified!

Version-Release number of selected component
oc v4.0.0-0.99.0
kubernetes v1.11.0+031e5ec2a7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ip-172-18-12-194.ec2.internal:8443
openshift v4.0.0-0.98.0
kubernetes v1.11.0+1b4c25efef
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758