Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1812676

Summary: [4.3.z] Incorrect RBAC for Whereabouts should be updated to ippools.whereabouts.cni.cncf.io
Product: OpenShift Container Platform
Component: Networking
Networking sub component: multus
Reporter: Douglas Smith <dosmith>
Assignee: Douglas Smith <dosmith>
QA Contact: Weibin Liang <weliang>
CC: aconstan, bbennett, zzhao
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: 4.3.z
Target Release: 4.3.z
Hardware: All
OS: All
Whiteboard: SDN-CI-IMPACT,SDN-BP,SDN-STALE
Type: Bug
Clone Of:
: 1812678
Last Closed: 2020-05-20 17:02:08 UTC
Bug Depends On: 1812678
Bug Blocks:

Description Douglas Smith 2020-03-11 20:18:41 UTC
Description of problem: The RBAC for the ippools.whereabouts.cni.cncf.io for whereabouts IPAM CNI is incorrect.


Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce: Use whereabouts IPAM CNI

Actual results:

```
  Warning  FailedCreatePodSandBox  6s         kubelet, ip-10-0-136-158.us-west-2.compute.internal  Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_samplepod_openshift-multus_37058433-2564-42f2-aa91-d1b11f4c8bb5_0(7f6354c73261945d7d3c29aad3dd48b94aec7248d92b4650ea8554cc14755153): Multus: [openshift-multus/samplepod]: error adding container to network "whereaboutsexample": delegateAdd: error invoking DelegateAdd - "macvlan": error in getting result from AddNetwork: Error assigning IP: ippools.whereabouts.cni.cncf.io is forbidden: User "system:serviceaccount:openshift-multus:multus" cannot list resource "ippools" in API group "whereabouts.cni.cncf.io" in the namespace "openshift-multus"

```


Expected results: No error.


Additional info: This is the offending line @ https://github.com/openshift/cluster-network-operator/pull/526/files#diff-44eeae854395120fe566c1e3ddd5429bR88

This was found while diagnosing https://bugzilla.redhat.com/show_bug.cgi?id=1812245 which is also related to the change of CRD namespace for Whereabouts IPAM CNI.
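
Added example (not part of the original bug report or of the operator's code): a Python sketch that parses the API server denial quoted in the event above into subject, verb, resource, API group and namespace, then builds the `oc auth can-i` check and the rule shape the role is missing. It also handles cluster-scoped denials; the function names are illustrative, and the sample message is copied from the event in this report.

```python
import re
import shlex

# Sample input: the tail of the FailedCreatePodSandBox event quoted in this bug.
EVENT = ('Error assigning IP: ippools.whereabouts.cni.cncf.io is forbidden: '
         'User "system:serviceaccount:openshift-multus:multus" cannot list '
         'resource "ippools" in API group "whereabouts.cni.cncf.io" '
         'in the namespace "openshift-multus"')

# Kubernetes authorization denials follow this wording; the scope is either
# a namespace or "at the cluster scope".
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)

def parse_denial(message):
    """Return the denied request as a dict, or None if no denial is found."""
    match = FORBIDDEN.search(message)
    return match.groupdict() if match else None

def can_i_command(denial):
    """Build the impersonated `oc auth can-i` check for the denied request."""
    # The core API group is the empty string, so only append non-empty groups.
    target = denial["resource"] + ("." + denial["group"] if denial["group"] else "")
    cmd = ["oc", "auth", "can-i", denial["verb"], target, "--as=" + denial["user"]]
    if denial["namespace"]:
        cmd += ["-n", denial["namespace"]]
    return " ".join(shlex.quote(part) for part in cmd)

def missing_rule(denial):
    """Shape of the RBAC rule that would allow exactly the denied request."""
    return {"apiGroups": [denial["group"]],
            "resources": [denial["resource"]],
            "verbs": [denial["verb"]]}

if __name__ == "__main__":
    denial = parse_denial(EVENT)
    print(can_i_command(denial))
    print(missing_rule(denial))
```

The denial names only the first verb that failed, so rerun the check for each verb the plugin needs after the role is updated.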

Comment 1 Douglas Smith 2020-03-11 20:32:43 UTC
You can work around this issue by updating the RBAC with:

```
oc apply -f https://gist.githubusercontent.com/dougbtv/333af8ab8aab49547a7d3f8bb5d95b47/raw/170b2accbc2d1d37fd56d858c7b4e3b61645846e/rbac.yml
```

Comment 2 Alexander Constantinescu 2020-05-07 14:55:09 UTC
Hi

Can this be closed? There's a work-around, there's also a depends-on which is on QE. 

-Alex

Comment 4 Douglas Smith 2020-05-20 17:02:08 UTC
After all, we determined that this won't be used in 4.3.z by customer zero. So we're closing.