Clayton found that:
E0111 08:21:19.761804 1 reflector.go:123] k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go:209: Failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" is forbidden: User "system:kube-scheduler" cannot list resource "configmaps" in API group "" in the namespace "kube-system"
This seems to be coming from https://github.com/openshift/kubernetes/commit/fe37aa8d169e6e90025084bed311e3b8b1632b7d
It doesn't manifest on master (4.4.0-0.ci-2020-01-12-114023) and there are no changes to kube-scheduler-operator Role/RoleBinding manifest in between.
Needs https://github.com/kubernetes/kubernetes/pull/85375 backported; will do it tomorrow.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
*** Bug 1802470 has been marked as a duplicate of this bug. ***