*** Bug 1785448 has been marked as a duplicate of this bug. ***
How to fix https://bugzilla.redhat.com/show_bug.cgi?id=1785448#c2
PR to fix: https://github.com/openshift/cluster-autoscaler-operator/pull/149
I can't reproduce the issue on my fresh 4.2 cluster, but the fix is created upon a working suggestion from the related issue https://bugzilla.redhat.com/show_bug.cgi?id=1785448. Setting it to POST.
Thanks Danil! "Version" says 4.4. Did you manage to reproduce the issue on 4.4 or 4.5?
I first tried that on my stable 4.4, same effect. "oc adm policy add-cluster-role-to-user cluster-reader eparis --as system:admin" never generated that error message in my experience.
Actually, testing the fix now I managed to reproduce the issue, and the PR successfully fixes it for me. It didn't appear on "oc adm" call, but on listing "machineautoscalers.autoscaling.openshift.io" without permissions: $ oc get machineautoscalers --all-namespaces Error from server (Forbidden): machineautoscalers.autoscaling.openshift.io is forbidden: User "eparis" cannot list resource "machineautoscalers" in API group "autoscaling.openshift.io" at the cluster scope with applying the fix from install dir: $ oc get machineautoscalers.autoscaling.openshift.io --all-namespaces No resources found $ oc whoami eparis
Failed QA clusterversion: 4.5.0-0.nightly-2020-05-07-144853 It didn't appear on "clusterautoscaler" and "machineautoscaler" but on listing "machine" "machineset" "machinehealthcheck" without permissions: $ oc get clusterautoscaler --all-namespaces No resources found $ oc get machineautoscalers.autoscaling.openshift.io --all-namespaces No resources found $ oc get machinehealthcheck --all-namespaces Error from server (Forbidden): machinehealthchecks.machine.openshift.io is forbidden: User "testuser-48" cannot list resource "machinehealthchecks" in API group "machine.openshift.io" at the cluster scope $ oc get machineset --all-namespaces Error from server (Forbidden): machinesets.machine.openshift.io is forbidden: User "testuser-48" cannot list resource "machinesets" in API group "machine.openshift.io" at the cluster scope $ oc get machine --all-namespaces Error from server (Forbidden): machines.machine.openshift.io is forbidden: User "testuser-48" cannot list resource "machines" in API group "machine.openshift.io" at the cluster scope
Failed QA clusterversion: 4.5.0-0.nightly-2020-05-17-220731 Listing "machine" "machineset" "machinehealthcheck" without permissions $ oc adm policy add-cluster-role-to-user cluster-reader testuser-49 --as system:admin Warning: User 'testuser-49' not found clusterrole.rbac.authorization.k8s.io/cluster-reader added: "testuser-49" $ oc login -u testuser-49 Authentication required for https://api.zhsunaws518.qe.devcluster.openshift.com:6443 (openshift) Username: testuser-49 Password: Login successful. You have access to 57 projects, the list has been suppressed. You can list all projects with 'oc projects' Using project "openshift-machine-api". $ oc get clusterautoscaler --all-namespaces No resources found $ oc get machineautoscalers.autoscaling.openshift.io --all-namespaces No resources found $ oc get machinehealthcheck --all-namespaces Error from server (Forbidden): machinehealthchecks.machine.openshift.io is forbidden: User "testuser-49" cannot list resource "machinehealthchecks" in API group "machine.openshift.io" at the cluster scope $ oc get machineset --all-namespaces Error from server (Forbidden): machinesets.machine.openshift.io is forbidden: User "testuser-49" cannot list resource "machinesets" in API group "machine.openshift.io" at the cluster scope $ oc get machine --all-namespaces Error from server (Forbidden): machines.machine.openshift.io is forbidden: User "testuser-49" cannot list resource "machines" in API group "machine.openshift.io" at the cluster scope $ oc whoami testuser-49 $ oc get ClusterRole | grep reader cluster-autoscaler-operator:cluster-reader 2020-05-18T01:08:31Z cluster-reader 2020-05-18T01:02:54Z cluster-samples-operator-proxy-reader 2020-05-18T01:04:39Z console-extensions-reader 2020-05-18T01:03:14Z operatorhub-config-reader 2020-05-18T00:54:31Z system:aggregated-metrics-reader 2020-05-18T01:04:21Z system:node-reader 2020-05-18T00:53:56Z system:openshift:aggregate-to-cluster-reader 2020-05-18T01:02:54Z system:openshift:cloud-credential-operator:cluster-reader 2020-05-18T00:54:25Z system:openshift:cluster-config-operator:cluster-reader 2020-05-18T00:54:56Z system:openshift:cluster-samples-operator:cluster-reader 2020-05-18T01:04:39Z system:openshift:machine-config-operator:cluster-reader 2020-05-18T00:54:25Z system:sdn-reader 2020-05-18T01:02:54Z
Added missing vendor update.
Verified on baremetal $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.5.0-0.nightly-2020-05-21-232124 True False 110m Cluster version is 4.5.0-0.nightly-2020-05-21-232124 $ oc adm policy add-cluster-role-to-user cluster-reader testuser-49 --as system:admin Warning: User 'testuser-49' not found clusterrole.rbac.authorization.k8s.io/cluster-reader added: "testuser-49" $ oc login -u testuser-49 Authentication required for https://api.xxia0522cicop3.qe.devcluster.openshift.com:6443 (openshift) Username: testuser-49 Password: Login successful. You have access to 58 projects, the list has been suppressed. You can list all projects with 'oc projects' Using project "openshift". [sunny@localhost code]$ oc get clusterautoscaler --all-namespaces No resources found [sunny@localhost code]$ oc get machineautoscalers.autoscaling.openshift.io --all-namespaces No resources found [sunny@localhost code]$ oc get machinehealthcheck --all-namespaces No resources found [sunny@localhost code]$ oc get machineset --all-namespaces No resources found [sunny@localhost code]$ oc get machine --all-namespaces No resources found [sunny@localhost code]$ oc whoami testuser-49
Verified on aws $ oc adm policy add-cluster-role-to-user cluster-reader testuser-49 --as system:admin Warning: User 'testuser-49' not found clusterrole.rbac.authorization.k8s.io/cluster-reader added: "testuser-49" [sunny@localhost ~]$ oc login -u testuser-49 Authentication required for https://api.yangyang1837642yangyangyangyang.qe.gcp.devcluster.openshift.com:6443 (openshift) Username: testuser-49 Password: Login successful. You have access to 57 projects, the list has been suppressed. You can list all projects with 'oc projects' Using project "default". [sunny@localhost ~]$ oc get clusterautoscaler --all-namespaces No resources found [sunny@localhost ~]$ oc get machineautoscalers.autoscaling.openshift.io --all-namespaces No resources found [sunny@localhost ~]$ oc get machinehealthcheck --all-namespaces No resources found [sunny@localhost ~]$ oc get machineset --all-namespaces NAMESPACE NAME DESIRED CURRENT READY AVAILABLE AGE openshift-machine-api yangya-bk2dh-w-a 1 1 1 1 129m openshift-machine-api yangya-bk2dh-w-b 1 1 1 1 129m openshift-machine-api yangya-bk2dh-w-c 1 1 1 1 129m openshift-machine-api yangya-bk2dh-w-f 0 0 129m [sunny@localhost ~]$ oc get machine --all-namespaces NAMESPACE NAME PHASE TYPE REGION ZONE AGE openshift-machine-api yangya-bk2dh-m-0 Running n1-standard-4 us-central1 us-central1-a 130m openshift-machine-api yangya-bk2dh-m-1 Running n1-standard-4 us-central1 us-central1-b 130m openshift-machine-api yangya-bk2dh-m-2 Running n1-standard-4 us-central1 us-central1-c 130m openshift-machine-api yangya-bk2dh-w-a-bkkjb Running n1-standard-4 us-central1 us-central1-a 117m openshift-machine-api yangya-bk2dh-w-b-sbvcm Running n1-standard-4 us-central1 us-central1-b 117m openshift-machine-api yangya-bk2dh-w-c-28kfd Running n1-standard-4 us-central1 us-central1-c 117m [sunny@localhost ~]$ oc whoami testuser-49 [sunny@localhost ~]$ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.5.0-0.nightly-2020-05-22-062554 True False 101m Cluster version is 4.5.0-0.nightly-2020-05-22-062554
Verified on azure $ oc adm policy add-cluster-role-to-user cluster-reader testuser-49 --as system:admin Warning: User 'testuser-49' not found clusterrole.rbac.authorization.k8s.io/cluster-reader added: "testuser-49" [sunny@bogon ~]$ oc login -u testuser-49 Authentication required for https://api.qe-yapei45az.qe.azure.devcluster.openshift.com:6443 (openshift) Username: testuser-49 Password: Login successful. You have access to 58 projects, the list has been suppressed. You can list all projects with 'oc projects' Using project "default". [sunny@bogon ~]$ oc get clusterautoscaler --all-namespaces No resources found [sunny@bogon ~]$ [sunny@bogon ~]$ oc get machineautoscaler --all-namespaces No resources found [sunny@bogon ~]$ oc get machinehealthcheck --all-namespaces No resources found [sunny@bogon ~]$ oc get machineset --all-namespaces NAMESPACE NAME DESIRED CURRENT READY AVAILABLE AGE openshift-machine-api qe-yapei45az-5zw6l-worker-westus 3 3 3 3 13h [sunny@bogon ~]$ oc get machine --all-namespaces NAMESPACE NAME PHASE TYPE REGION ZONE AGE openshift-machine-api qe-yapei45az-5zw6l-master-0 Running Standard_D8s_v3 westus 13h openshift-machine-api qe-yapei45az-5zw6l-master-1 Running Standard_D8s_v3 westus 13h openshift-machine-api qe-yapei45az-5zw6l-master-2 Running Standard_D8s_v3 westus 13h openshift-machine-api qe-yapei45az-5zw6l-worker-westus-85rvf Running Standard_D2s_v3 westus 12h openshift-machine-api qe-yapei45az-5zw6l-worker-westus-9sck6 Running Standard_D2s_v3 westus 12h openshift-machine-api qe-yapei45az-5zw6l-worker-westus-psdw4 Running Standard_D2s_v3 westus 12h [sunny@bogon ~]$ oc whoami testuser-49 [sunny@bogon ~]$ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.5.0-0.nightly-2020-05-25-052746 True False 12h Cluster version is 4.5.0-0.nightly-2020-05-25-052746
verified on gcp $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.5.0-0.nightly-2020-05-24-223848 True False 21h Cluster version is 4.5.0-0.nightly-2020-05-24-223848 [sunny@bogon ~]$ oc adm policy add-cluster-role-to-user cluster-reader testuser-49 --as system:admin Warning: User 'testuser-49' not found clusterrole.rbac.authorization.k8s.io/cluster-reader added: "testuser-49" [sunny@bogon ~]$ oc login -u testuser-49 Authentication required for https://api.geliu4525.qe.gcp.devcluster.openshift.com:6443 (openshift) Username: testuser-49 Password: Login successful. You have access to 57 projects, the list has been suppressed. You can list all projects with 'oc projects' Using project "default". [sunny@bogon ~]$ oc get clusterautoscaler --all-namespaces No resources found [sunny@bogon ~]$ oc get machineautoscaler --all-namespaces No resources found [sunny@bogon ~]$ oc get machinehealthcheck --all-namespaces No resources found [sunny@bogon ~]$ oc get machineset --all-namespaces NAMESPACE NAME DESIRED CURRENT READY AVAILABLE AGE openshift-machine-api geliu4525-npchv-worker-a 1 1 1 1 21h openshift-machine-api geliu4525-npchv-worker-b 1 1 1 1 21h openshift-machine-api geliu4525-npchv-worker-c 1 1 1 1 21h openshift-machine-api geliu4525-npchv-worker-f 0 0 21h [sunny@bogon ~]$ oc get machine --all-namespaces NAMESPACE NAME PHASE TYPE REGION ZONE AGE openshift-machine-api geliu4525-npchv-master-0 Running n1-standard-4 us-central1 us-central1-a 21h openshift-machine-api geliu4525-npchv-master-1 Running n1-standard-4 us-central1 us-central1-b 21h openshift-machine-api geliu4525-npchv-master-2 Running n1-standard-4 us-central1 us-central1-c 21h openshift-machine-api geliu4525-npchv-worker-a-t5k6l Running n1-standard-4 us-central1 us-central1-a 21h openshift-machine-api geliu4525-npchv-worker-b-cbdvn Running n1-standard-4 us-central1 us-central1-b 21h openshift-machine-api geliu4525-npchv-worker-c-jzstv Running n1-standard-4 us-central1 us-central1-c 21h [sunny@bogon ~]$ oc whoami testuser-49
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409