Bug 1790481 - kube-scheduler can't list ConfigMaps in kube-system namespace
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-scheduler
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.3.z
Assignee: Tomáš Nožička
QA Contact: RamaKasturi
URL:
Whiteboard:
Duplicates: 1802470
Depends On: 1778072
Blocks:
Reported: 2020-01-13 13:16 UTC by Tomáš Nožička
Modified: 2020-02-13 14:08 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-12 09:42:20 UTC
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift origin pull 24392 | 0 | None | closed | [release-4.3] Bug 1790481: Fix delegated auth CM perms | 2021-02-04 17:59:32 UTC
Red Hat Product Errata | RHBA-2020:0391 | 0 | None | None | None | 2020-02-12 09:42:53 UTC

Description Tomáš Nožička 2020-01-13 13:16:55 UTC
Clayton found that

https://storage.googleapis.com/origin-ci-test/logs/release-openshift-ocp-installer-e2e-aws-fips-4.3/1283/artifacts/e2e-aws-fips/pods/openshift-kube-scheduler_openshift-kube-scheduler-ip-10-0-135-48.ec2.internal_scheduler.log 

shows

E0111 08:21:19.761804       1 reflector.go:123] k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go:209: Failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" is forbidden: User "system:kube-scheduler" cannot list resource "configmaps" in API group "" in the namespace "kube-system"

This seems to be coming from https://github.com/openshift/kubernetes/commit/fe37aa8d169e6e90025084bed311e3b8b1632b7d

It doesn't manifest on master (4.4.0-0.ci-2020-01-12-114023) and there are no changes to kube-scheduler-operator Role/RoleBinding manifest in between.
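
For triaging denials like the one quoted in the description, the following is an added example (not part of the original report and not OpenShift or Kubernetes code) that extracts the subject, verb, resource and namespace from "is forbidden" log lines, collapses reflector retries, and builds the matching `kubectl auth can-i` re-check. The names `Denial`, `parse_denials` and `can_i_command` are hypothetical, and the second and third sample lines are constructed.

```python
import re
import shlex
from collections import Counter, namedtuple

Denial = namedtuple("Denial", "user verb group resource name namespace")

# Text of an API server authorization denial as it appears in client logs.
DENIED = re.compile(
    r'[\w.]+(?: "(?P<name>[^"]*)")? is forbidden: User "(?P<user>[^"]+)" '
    r'cannot (?P<verb>[\w*]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)

_MSG = ('Failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" '
        'is forbidden: User "system:kube-scheduler" cannot list resource "configmaps" '
        'in API group "" in the namespace "kube-system"')
_SRC = "k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go:209: "
SAMPLE = [
    "E0111 08:21:19.761804       1 reflector.go:123] " + _SRC + _MSG,  # line from the report
    "E0111 08:21:20.764000       1 reflector.go:123] " + _SRC + _MSG,  # constructed retry
    "I0111 08:21:21.000000       1 leaderelection.go:241] attempting to acquire lease",  # constructed
]

def parse_denials(lines):
    """Count distinct denials; a reflector retries, so one RBAC gap logs many times."""
    seen = Counter()
    for line in lines:
        m = DENIED.search(line)
        if m:
            seen[Denial(m["user"], m["verb"], m["group"], m["resource"],
                        m["name"] or "", m["namespace"] or "")] += 1
    return seen

def can_i_command(d):
    """kubectl command that re-checks the same access decision by impersonating the user."""
    target = d.resource + ("." + d.group if d.group else "")
    if d.name:
        target += "/" + d.name
    cmd = ["kubectl", "auth", "can-i", d.verb, target, "--as", d.user]
    if d.namespace:
        cmd += ["-n", d.namespace]
    return " ".join(shlex.quote(c) for c in cmd)

if __name__ == "__main__":
    for denial, count in parse_denials(SAMPLE).items():
        print(count, denial)
        print("  verify:", can_i_command(denial))
```

Running the printed command before and after a fix is deployed confirms whether the Role and RoleBinding actually cover the verb the component uses.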

Comment 1 Tomáš Nožička 2020-01-13 18:00:57 UTC
needs https://github.com/kubernetes/kubernetes/pull/85375 backported, will do it tomorrow

Comment 11 errata-xmlrpc 2020-02-12 09:42:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0391

Comment 12 Maciej Szulik 2020-02-13 14:08:33 UTC
*** Bug 1802470 has been marked as a duplicate of this bug. ***
