1778072 – Error flooded from scheduler pod: Failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" is forbidden: User "system:kube-scheduler" cannot list resource "configmaps" in API group "" in the namespace "kube-system"

Bug 1778072 - Error flooded from scheduler pod: Failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" is forbidden: User "system:kube-scheduler" cannot list resource "configmaps" in API group "" in the namespace "kube-system"

Summary: Error flooded from scheduler pod: Failed to list *v1.ConfigMap: configmaps "e...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	kube-scheduler
Sub Component:
Version:	4.3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	4.4.0
Assignee:	Maciej Szulik
QA Contact:	ge liu
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1769931 (view as bug list)
Depends On:
Blocks:	1790481
TreeView+	depends on / blocked

Reported:	2019-11-29 08:33 UTC by zhou ying
Modified:	2020-05-04 11:18 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-05-04 11:17:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:0581	0	None	None	None	2020-05-04 11:18:13 UTC

Description zhou ying 2019-11-29 08:33:22 UTC

Description of problem:
Too many error from scheduler pod :Failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" is forbidden: User "system:kube-scheduler" cannot list resource "configmaps" in API group "" in the namespace "kube-system"


Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2019-11-28-004553


How reproducible:
Always

Steps to Reproduce:
1. Check logs from openshift-kube-scheduler pod.
`oc logs -f po/openshift-kube-scheduler-ip-10-0-55-254.ap-northeast-1.compute.internal`

Actual results:
1. Too many errors from the pod:
E1129 08:09:42.181496       1 reflector.go:123] k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go:209: Failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" is forbidden: User "system:kube-scheduler" cannot list resource "configmaps" in API group "" in the namespace "kube-system"
E1129 08:09:42.411249       1 reflector.go:123] k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go:209: Failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" is forbidden: User "system:kube-scheduler" cannot list resource "configmaps" in API group "" in the namespace "kube-system"

Expected results:
No such error.

Additional info:

Comment 2 Maciej Szulik 2019-12-11 13:25:59 UTC

*** Bug 1769931 has been marked as a duplicate of this bug. ***

Comment 3 Tomáš Nožička 2020-01-14 09:01:25 UTC

It got fixed on 4.4 with the rebase. QA pls verify this so we can ship a backport in https://bugzilla.redhat.com/show_bug.cgi?id=1790481

Comment 4 zhou ying 2020-01-15 09:39:26 UTC

Confirmed with the payload: 4.4.0-0.nightly-2020-01-14-135405, can't reproduce the issue now:

[root@dhcp-140-138 ~]# oc get clusterversion 
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.4.0-0.nightly-2020-01-14-135405   True        False         67m     Cluster version is 4.4.0-0.nightly-2020-01-14-135405

Comment 6 errata-xmlrpc 2020-05-04 11:17:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

Note You need to log in before you can comment on or make changes to this bug.