Bug 1795267 - The metering-operator does not have sufficient permissions to view the Openshift network config
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Metering Operator
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.4.0
Assignee: tflannag
QA Contact: Peter Ruan
Reported: 2020-01-27 15:18 UTC by tflannag
Modified: 2020-05-04 11:27 UTC

Doc Type: No Doc Update
Last Closed: 2020-05-04 11:27:22 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | operator-framework operator-metering pull 1082 | 0 | None | closed | Bug 1795267: Allow the metering-operator to get the network openshift config object. | 2020-04-27 14:35:16 UTC
Github | operator-framework operator-metering pull 1099 | 0 | None | closed | Bug 1795267: Support updating existing clusterrole/clusterrolebindings when install Metering. | 2020-04-27 14:35:17 UTC
Red Hat Product Errata | RHBA-2020:0581 | 0 | None | None | None | 2020-05-04 11:27:38 UTC

Description tflannag 2020-01-27 15:18:38 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. `./bin/deploy-metering install`
2. Wait for the metering-operator to get to the configure_network.yml task file
3. View the metering-operator ansible container logs

Actual results:
The metering-operator pod fails with the following message:

TASK [meteringconfig : Check the IP version infrastructure provisioned] ********
task path: /opt/ansible/roles/meteringconfig/tasks/configure_networking.yml:4
Monday 27 January 2020  15:15:34 +0000 (0:00:00.071)       0:00:50.292 ******** 
An exception occurred during task execution. To see the full traceback, use -vvv. The error was:     raise ApiException(http_resp=r)
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/.ansible-/tmp/ansible-tmp-1580138134.2-78272622169375/AnsiballZ_k8s_facts.py\", line 114, in <module>\n    _ansiballz_main()\n  File \"/tmp/.ansible-/tmp/ansible-tmp-1580138134.2-78272622169375/AnsiballZ_k8s_facts.py\", line 106, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/tmp/.ansible-/tmp/ansible-tmp-1580138134.2-78272622169375/AnsiballZ_k8s_facts.py\", line 49, in invoke_module\n    imp.load_module('__main__', mod, module, MOD_DESC)\n  File \"/tmp/ansible_k8s_facts_payload__dtYb7/__main__.py\", line 176, in <module>\n  File \"/tmp/ansible_k8s_facts_payload__dtYb7/__main__.py\", line 172, in main\n  File \"/tmp/ansible_k8s_facts_payload__dtYb7/__main__.py\", line 153, in execute_module\n  File \"/tmp/ansible_k8s_facts_payload__dtYb7/ansible_k8s_facts_payload.zip/ansible/module_utils/k8s/common.py\", line 206, in kubernetes_facts\n  File \"/usr/lib/python2.7/site-packages/openshift/dynamic/client.py\", line 94, in get\n    return self.request('get', path, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/openshift/dynamic/client.py\", line 44, in inner\n    raise api_exception(e)\nopenshift.dynamic.exceptions.ForbiddenError: 403\nReason: Forbidden\nHTTP response headers: HTTPHeaderDict({'Audit-Id': '9fed5396-a510-4a42-aed5-08637a921aa9', 'Content-Length': '404', 'X-Content-Type-Options': 'nosniff', 'Cache-Control': 'no-cache, private', 'Date': 'Mon, 27 Jan 2020 15:15:34 GMT', 'Content-Type': 'application/json'})\nHTTP response body: {\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"networks.config.openshift.io \\\"cluster\\\" is forbidden: User \\\"system:serviceaccount:openshift-metering:metering-operator\\\" cannot get resource \\\"networks\\\" in API group \\\"config.openshift.io\\\" at the cluster 
scope\",\"reason\":\"Forbidden\",\"details\":{\"name\":\"cluster\",\"group\":\"config.openshift.io\",\"kind\":\"networks\"},\"code\":403}\n\nOriginal traceback: \n  File \"/usr/lib/python2.7/site-packages/openshift/dynamic/client.py\", line 42, in inner\n    resp = func(self, *args, **kwargs)\n\n  File \"/usr/lib/python2.7/site-packages/openshift/dynamic/client.py\", line 245, in request\n    _return_http_data_only=params.get('_return_http_data_only', True)\n\n  File \"/usr/lib/python2.7/site-packages/kubernetes/client/api_client.py\", line 334, in call_api\n    _return_http_data_only, collection_formats, _preload_content, _request_timeout)\n\n  File \"/usr/lib/python2.7/site-packages/kubernetes/client/api_client.py\", line 168, in __call_api\n    _request_timeout=_request_timeout)\n\n  File \"/usr/lib/python2.7/site-packages/kubernetes/client/api_client.py\", line 355, in request\n    headers=headers)\n\n  File \"/usr/lib/python2.7/site-packages/kubernetes/client/rest.py\", line 231, in GET\n    query_params=query_params)\n\n  File \"/usr/lib/python2.7/site-packages/kubernetes/client/rest.py\", line 222, in request\n    raise ApiException(http_resp=r)\n\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}


Expected results:
The metering-operator successfully provisions metering-related resources

Additional info:
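
Added example (not part of the original report or of the operator-metering fix): the 403 Status body in the log names the service account, verb, resource, API group and object, which is enough to derive a least-privilege grant. The sketch below turns such a body into a ClusterRole (or Role) and its binding; the sample body is reconstructed from the log above and the role name is hypothetical.

```python
import json
import re

# Constructed sample: the "HTTP response body" from the log above, unescaped.
SAMPLE_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "reason": "Forbidden", "code": 403,
    "message": 'networks.config.openshift.io "cluster" is forbidden: User '
               '"system:serviceaccount:openshift-metering:metering-operator" '
               'cannot get resource "networks" in API group '
               '"config.openshift.io" at the cluster scope',
    "details": {"name": "cluster", "group": "config.openshift.io",
                "kind": "networks"}})

# Wording of the API server's RBAC denial for a service account.
DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group '
    r'"(?P<group>[^"]*)" (?:at the cluster scope|in the namespace '
    r'"(?P<target_ns>[^"]+)")')

def rbac_for_denial(body, role_name):
    """Return (role, binding) granting only the single denied request."""
    status = json.loads(body)
    m = DENIAL.search(status.get("message", ""))
    if status.get("code") != 403 or m is None:
        raise ValueError("not a service-account RBAC 403 Status body")
    rule = {"apiGroups": [m["group"]], "resources": [m["resource"]],
            "verbs": [m["verb"]]}
    name = (status.get("details") or {}).get("name")
    # resourceNames cannot constrain create or collection-level requests.
    if name and m["verb"] in {"get", "update", "patch", "delete"}:
        rule["resourceNames"] = [name]  # pin the grant to one object
    kind = "Role" if m["target_ns"] else "ClusterRole"
    meta = {"name": role_name}
    if m["target_ns"]:
        meta["namespace"] = m["target_ns"]
    rbac = "rbac.authorization.k8s.io"
    role = {"apiVersion": rbac + "/v1", "kind": kind, "metadata": dict(meta),
            "rules": [rule]}
    binding = {"apiVersion": rbac + "/v1", "kind": kind + "Binding",
               "metadata": dict(meta),
               "roleRef": {"apiGroup": rbac, "kind": kind, "name": role_name},
               "subjects": [{"kind": "ServiceAccount", "name": m["sa"],
                             "namespace": m["ns"]}]}
    return role, binding

if __name__ == "__main__":
    for obj in rbac_for_denial(SAMPLE_BODY, "example-network-reader"):  # hypothetical name
        print(json.dumps(obj, indent=2))
```

The printed JSON manifests can be reviewed before being applied with `oc apply -f -`.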

Comment 3 Peter Ruan 2020-03-13 00:14:18 UTC
Verified by looking at the Ansible pod output... no errors detected.

TASK [meteringconfig : Check the IP version infrastructure provisioned] ********
task path: /opt/ansible/roles/meteringconfig/tasks/configure_networking.yml:4
Thursday 12 March 2020  22:48:18 +0000 (0:00:00.057)       0:00:07.885 ********
ok: [localhost] => {"changed": false, "resources": [{"apiVersion": "config.openshift.io/v1", "kind": "Network", "metadata": {"creationTimestamp": "2020-03-11T22:58:03Z", "generation": 2, "name": "cluster", "resourceVersion": "2327", "selfLink": "/apis/config.openshift.io/v1/networks/cluster", "uid": "cf42d03b-9a58-4ba7-b168-5d45cf326a3e"}, "spec": {"clusterNetwork": [{"cidr": "10.128.0.0/14", "hostPrefix": 23}], "externalIP": {"policy": {}}, "networkType": "OpenShiftSDN", "serviceNetwork": ["172.30.0.0/16"]}, "status": {"clusterNetwork": [{"cidr": "10.128.0.0/14", "hostPrefix": 23}], "clusterNetworkMTU": 8951, "networkType": "OpenShiftSDN", "serviceNetwork": ["172.30.0.0/16"]}}]}

Comment 5 errata-xmlrpc 2020-05-04 11:27:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

