Bug 1812676 - [4.3.z] Incorrect RBAC for Whereabouts should be updated to ippools.whereabouts.cni.cncf.io
Summary: [4.3.z] Incorrect RBAC for Whereabouts should be updated to ippools.whereabou...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.3.z
Hardware: All
OS: All
Target Milestone: ---
: 4.3.z
Assignee: Douglas Smith
QA Contact: Weibin Liang
Depends On: 1812678
TreeView+ depends on / blocked
Reported: 2020-03-11 20:18 UTC by Douglas Smith
Modified: 2020-05-20 17:02 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1812678 (view as bug list)
Last Closed: 2020-05-20 17:02:08 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Douglas Smith 2020-03-11 20:18:41 UTC
Description of problem: The RBAC for the ippools.whereabouts.cni.cncf.io for whereabouts IPAM CNI is incorrect.

Version-Release number of selected component (if applicable):

How reproducible: always

Steps to Reproduce: Use whereabouts IPAM CNI

Actual results:

  Warning  FailedCreatePodSandBox  6s         kubelet, ip-10-0-136-158.us-west-2.compute.internal  Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_samplepod_openshift-multus_37058433-2564-42f2-aa91-d1b11f4c8bb5_0(7f6354c73261945d7d3c29aad3dd48b94aec7248d92b4650ea8554cc14755153): Multus: [openshift-multus/samplepod]: error adding container to network "whereaboutsexample": delegateAdd: error invoking DelegateAdd - "macvlan": error in getting result from AddNetwork: Error assigning IP: ippools.whereabouts.cni.cncf.io is forbidden: User "system:serviceaccount:openshift-multus:multus" cannot list resource "ippools" in API group "whereabouts.cni.cncf.io" in the namespace "openshift-multus"


Expected results: No error.

Additional info: This is the offending line @ https://github.com/openshift/cluster-network-operator/pull/526/files#diff-44eeae854395120fe566c1e3ddd5429bR88

This was found while diagnosing https://bugzilla.redhat.com/show_bug.cgi?id=1812245 which is also related to the change of CRD namespace for Whereabouts IPAM CNI.

Comment 1 Douglas Smith 2020-03-11 20:32:43 UTC
You can work around this issue by updating the RBAC with:

oc apply -f https://gist.githubusercontent.com/dougbtv/333af8ab8aab49547a7d3f8bb5d95b47/raw/170b2accbc2d1d37fd56d858c7b4e3b61645846e/rbac.yml

Comment 2 Alexander Constantinescu 2020-05-07 14:55:09 UTC

Can this be closed? There's a work-around, there's also a depends-on which is on QE. 


Comment 4 Douglas Smith 2020-05-20 17:02:08 UTC
After all, we determined that this won't be used in 4.3.z by customer zero. So we're closing.

Note You need to log in before you can comment on or make changes to this bug.