Bug 1812676 - [4.3.z] Incorrect RBAC for Whereabouts should be updated to ippools.whereabouts.cni.cncf.io
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.3.z
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.3.z
Assignee: Douglas Smith
QA Contact: Weibin Liang
URL:
Whiteboard: SDN-CI-IMPACT,SDN-BP,SDN-STALE
Depends On: 1812678
Blocks:
Reported: 2020-03-11 20:18 UTC by Douglas Smith
Modified: 2020-05-20 17:02 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1812678 (view as bug list)
Environment:
Last Closed: 2020-05-20 17:02:08 UTC
Target Upstream Version:
Embargoed:


Description Douglas Smith 2020-03-11 20:18:41 UTC
Description of problem: The RBAC for the ippools.whereabouts.cni.cncf.io for whereabouts IPAM CNI is incorrect.


Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce: Use whereabouts IPAM CNI

Actual results:

```
  Warning  FailedCreatePodSandBox  6s         kubelet, ip-10-0-136-158.us-west-2.compute.internal  Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_samplepod_openshift-multus_37058433-2564-42f2-aa91-d1b11f4c8bb5_0(7f6354c73261945d7d3c29aad3dd48b94aec7248d92b4650ea8554cc14755153): Multus: [openshift-multus/samplepod]: error adding container to network "whereaboutsexample": delegateAdd: error invoking DelegateAdd - "macvlan": error in getting result from AddNetwork: Error assigning IP: ippools.whereabouts.cni.cncf.io is forbidden: User "system:serviceaccount:openshift-multus:multus" cannot list resource "ippools" in API group "whereabouts.cni.cncf.io" in the namespace "openshift-multus"

```


Expected results: No error.


Additional info: This is the offending line @ https://github.com/openshift/cluster-network-operator/pull/526/files#diff-44eeae854395120fe566c1e3ddd5429bR88

This was found while diagnosing https://bugzilla.redhat.com/show_bug.cgi?id=1812245 which is also related to the change of CRD namespace for Whereabouts IPAM CNI.

Comment 1 Douglas Smith 2020-03-11 20:32:43 UTC
You can work around this issue by updating the RBAC with:

```
oc apply -f https://gist.githubusercontent.com/dougbtv/333af8ab8aab49547a7d3f8bb5d95b47/raw/170b2accbc2d1d37fd56d858c7b4e3b61645846e/rbac.yml
```
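
Added example, not part of the original report or of the linked gist: a small parser that turns authorization denials like the one under "Actual results" into the narrowest RBAC rule that covers them, plus the `oc auth can-i` check to run after the RBAC is updated. The function names are hypothetical, and the second sample line (a `get` denial) is constructed to show how verbs are grouped.

```python
import re

# Shape of the API server's authorization denial, as quoted in the event above.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)

def parse_denials(text):
    """Return one dict per distinct denial found in event or log text."""
    seen, out = set(), []
    for m in DENIAL.finditer(text):
        d = m.groupdict()
        key = tuple(d.values())
        if key not in seen:  # kubelet repeats the same event on every retry
            seen.add(key)
            out.append(d)
    return out

def minimal_rules(denials):
    """Group denied verbs into RBAC rule dicts, one per (API group, resource)."""
    grouped = {}
    for d in denials:
        grouped.setdefault((d["group"], d["resource"]), set()).add(d["verb"])
    return [
        {"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
        for (g, r), v in sorted(grouped.items())
    ]

def can_i_command(d):
    """Build the `oc auth can-i` check that confirms one denial is resolved."""
    target = f'{d["resource"]}.{d["group"]}' if d["group"] else d["resource"]
    cmd = ["oc", "auth", "can-i", d["verb"], target, f'--as={d["user"]}']
    if d["namespace"]:  # None for cluster-scope denials
        cmd += ["-n", d["namespace"]]
    return " ".join(cmd)

# First line: tail of the event from this report. Second line: constructed.
SAMPLE = '''
Error assigning IP: ippools.whereabouts.cni.cncf.io is forbidden: User "system:serviceaccount:openshift-multus:multus" cannot list resource "ippools" in API group "whereabouts.cni.cncf.io" in the namespace "openshift-multus"
ippools.whereabouts.cni.cncf.io "example" is forbidden: User "system:serviceaccount:openshift-multus:multus" cannot get resource "ippools" in API group "whereabouts.cni.cncf.io" in the namespace "openshift-multus"
'''

if __name__ == "__main__":
    found = parse_denials(SAMPLE)
    print(minimal_rules(found))
    for d in found:
        print(can_i_command(d))
```
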

Comment 2 Alexander Constantinescu 2020-05-07 14:55:09 UTC
Hi

Can this be closed? There's a work-around, there's also a depends-on which is on QE. 

-Alex

Comment 4 Douglas Smith 2020-05-20 17:02:08 UTC
After all, we determined that this won't be used in 4.3.z by customer zero. So we're closing.

