Copied from https://issues.jboss.org/browse/OSSM-100

If openshift-logging is running on OCP4.1, Jaeger, which is configured by "template: production-elasticsearch", would replace namespace "openshift-logging" with "istio-system" in the elasticsearch-proxy ClusterRoleBinding subjects section.

{code:yaml}
apiVersion: maistra.io/v1
kind: ServiceMeshControlPlane
spec:
  istio:
    tracing:
      jaeger:
        template: production-elasticsearch
        elasticsearch:
          nodeCount: 3
          redundancyPolicy:
          resources:
            requests:
              memory: "16Gi"
              cpu: "1"
            limits:
              memory: "16Gi"
{code}

Before installing Service Mesh,

{code:yaml}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2019-10-07T05:49:31Z"
  name: elasticsearch-proxy
  ownerReferences:
  - apiVersion: logging.openshift.io/v1
    controller: true
    kind: Elasticsearch
    name: elasticsearch
  ...
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: elasticsearch-proxy
subjects:
- kind: ServiceAccount
  name: elasticsearch
  namespace: openshift-logging
{code}

After installing Jaeger with elasticsearch,

{code:yaml}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2019-10-07T05:49:31Z"
  name: elasticsearch-proxy
  ownerReferences:
  - apiVersion: logging.openshift.io/v1
    controller: true
    kind: Elasticsearch
    name: elasticsearch
  ...
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: elasticsearch-proxy
subjects:
- kind: ServiceAccount
  name: elasticsearch
  namespace: istio-system
{code}

This issue is a root cause of the following elasticsearch error in openshift-logging.

{code:shell}
2019/10/04 12:35:22 oauthproxy.go:782: 10.0.1.11:36836 tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-logging:elasticsearch" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope
{code}
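Added example, not part of the original report or of any operator code: a small check that ties a "forbidden" log line like the one above to the subjects of a ClusterRoleBinding and flags the case where the same service account name is bound only under a different namespace. The function names and the `binding()` helper are hypothetical, the binding dicts are constructed from the YAML in this report, and it assumes the elasticsearch-proxy binding is what grants the denied permission, as the report states.

```python
import re

# Denial line quoted in the report (oauth-proxy log in openshift-logging).
DENIAL = (
    '2019/10/04 12:35:22 oauthproxy.go:782: 10.0.1.11:36836 '
    'tokenreviews.authentication.k8s.io is forbidden: User '
    '"system:serviceaccount:openshift-logging:elasticsearch" cannot create '
    'resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope'
)

SA_RE = re.compile(r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<name>[^"]+)" cannot ')


def binding(namespaces):
    """Constructed stand-in for the binding's JSON form (hypothetical helper)."""
    return {
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "elasticsearch-proxy"},
        "roleRef": {"kind": "ClusterRole", "name": "elasticsearch-proxy"},
        "subjects": [
            {"kind": "ServiceAccount", "name": "elasticsearch", "namespace": ns}
            for ns in namespaces
        ],
    }


def denied_service_account(line):
    """Return (namespace, name) of the service account named in a denial, or None."""
    m = SA_RE.search(line)
    return (m["ns"], m["name"]) if m else None


def bound_service_accounts(crb):
    """Set of (namespace, name) for every ServiceAccount subject of the binding."""
    return {
        (s.get("namespace", ""), s["name"])
        for s in crb.get("subjects") or []
        if s.get("kind") == "ServiceAccount"
    }


def explain_denial(line, crb):
    """Classify a denial: 'bound', 'unbound', or 'namespace-replaced:<ns,...>'."""
    sa = denied_service_account(line)
    if sa is None:
        return None
    bound = bound_service_accounts(crb)
    if sa in bound:
        return "bound"
    # Same account name bound only under other namespaces: the overwrite seen here.
    others = sorted(ns for ns, name in bound if name == sa[1])
    return "namespace-replaced:" + ",".join(others) if others else "unbound"
```

Against a live cluster the dict would come from the JSON form of the binding (`oc get clusterrolebinding elasticsearch-proxy -o json`) instead of `binding()`.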
jaeger-operator reports the following error. I deployed jaeger-operator from the web console. The jaeger-operator is deployed in the openshift-operators namespace. Is this a jaeger-operator bug in 4.3?

Version:
jaeger-operator: docker.io/jaegertracing/jaeger-operator:1.14.0
OCP: v4.3

E1112 06:14:26.125554 1 reflector.go:125] pkg/mod/k8s.io/client-go.0-20190507014756-65905f29c17c/tools/cache/reflector.go:93: Failed to list *v1alpha1.Jaeger: jaegers.io.jaegertracing is forbidden: User "system:serviceaccount:openshift-operators:jaeger-operator" cannot list resource "jaegers" in API group "io.jaegertracing" at the cluster scope
E1112 06:14:27.127883 1 reflector.go:125] pkg/mod/k8s.io/client-go.0-20190507014756-65905f29c17c/tools/cache/reflector.go:93: Failed to list *v1alpha1.Jaeger: jaegers.io.jaegertracing is forbidden: User "system:serviceaccount:openshift-operators:jaeger-operator" cannot list resource "jaegers" in API group "io.jaegertracing" at the cluster scope
E1112 06:14:28.130654 1 reflector.go:125] pkg/mod/k8s.io/client-go.0-20190507014756-65905f29c17c/tools/cache/reflector.go:93: Failed to list *v1alpha1.Jaeger: jaegers.io.jaegertracing is forbidden: User "system:serviceaccount:openshift-operators:jaeger-operator" cannot list resource "jaegers" in API group "io.jaegertracing" at the cluster scope
Anping, it seems like an issue. However, you chose the upstream operator. Could you please choose the productized version and test with it?
Anping? Were you able to use the productized version instead of upstream? We are fixing the upstream bug in a separate ticket. This issue should not block on that and instead use the productized version, which works.
Verified and passed. Independent accounts are created for Jaeger applications.

[anli@preserve-docker-slave 43]$ oc get ClusterRoleBinding elasticsearch-proxy -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
<---skip --->
  name: elasticsearch-proxy
subjects:
- kind: ServiceAccount
  name: elasticsearch
  namespace: openshift-logging
- kind: ServiceAccount
  name: elasticsearch
  namespace: jaeger
The result looks good
The results look good
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0062