+++ This bug was initially created as a clone of Bug #1812678 +++

+++ This bug was initially created as a clone of Bug #1812676 +++

Description of problem:

The RBAC for the ippools.whereabouts.cni.cncf.io for whereabouts IPAM CNI is incorrect.

Version-Release number of selected component (if applicable):

How reproducible: always

Steps to Reproduce:

Use whereabouts IPAM CNI

Actual results:

```
Warning FailedCreatePodSandBox 6s kubelet, ip-10-0-136-158.us-west-2.compute.internal Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_samplepod_openshift-multus_37058433-2564-42f2-aa91-d1b11f4c8bb5_0(7f6354c73261945d7d3c29aad3dd48b94aec7248d92b4650ea8554cc14755153): Multus: [openshift-multus/samplepod]: error adding container to network "whereaboutsexample": delegateAdd: error invoking DelegateAdd - "macvlan": error in getting result from AddNetwork: Error assigning IP: ippools.whereabouts.cni.cncf.io is forbidden: User "system:serviceaccount:openshift-multus:multus" cannot list resource "ippools" in API group "whereabouts.cni.cncf.io" in the namespace "openshift-multus"
```

Expected results: No error.

Additional info:

This is the offending line @ https://github.com/openshift/cluster-network-operator/pull/526/files#diff-44eeae854395120fe566c1e3ddd5429bR88

This was found while diagnosing https://bugzilla.redhat.com/show_bug.cgi?id=1812245 which is also related to the change of CRD namespace for Whereabouts IPAM CNI.
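The denial in the event above names the subject, verb, resource, API group and namespace, which is enough to derive the narrowest RBAC rule for that one request and a command to re-check it. The following is an added example, not code from this report or from cluster-network-operator; the function names are hypothetical, and the derived rule covers only the denied verb, not necessarily what the fix in the operator grants.

```python
import re

# Shape of the API server's RBAC denial text as it appears in the event above.
FORBIDDEN_RE = re.compile(
    r'(?P<target>\S+) is forbidden: User "(?P<user>[^"]+)" cannot (?P<verb>\S+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)

# Denial text copied from the event in this report.
SAMPLE = (
    'Error assigning IP: ippools.whereabouts.cni.cncf.io is forbidden: '
    'User "system:serviceaccount:openshift-multus:multus" cannot list resource '
    '"ippools" in API group "whereabouts.cni.cncf.io" in the namespace "openshift-multus"'
)

def parse_denial(message):
    """Return the fields of an RBAC denial, or None if the text holds none."""
    m = FORBIDDEN_RE.search(message)
    if m is None:
        return None
    d = m.groupdict()
    # Service accounts authenticate as system:serviceaccount:<namespace>:<name>.
    parts = d["user"].split(":")
    is_sa = len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]
    d["sa_namespace"] = parts[2] if is_sa else None
    d["sa_name"] = parts[3] if is_sa else None
    return d

def minimal_rule(denial):
    """Narrowest RBAC rule (one group, one resource, one verb) for the denied request."""
    return {
        "apiGroups": [denial["group"]],
        "resources": [denial["resource"]],
        "verbs": [denial["verb"]],
    }

def can_i_command(denial):
    """argv for `oc auth can-i`, impersonating the denied subject, to confirm a fix."""
    resource = denial["resource"]
    if denial["group"]:  # the core API group is the empty string
        resource += "." + denial["group"]
    cmd = ["oc", "auth", "can-i", denial["verb"], resource, "--as=" + denial["user"]]
    if denial["namespace"]:
        cmd += ["-n", denial["namespace"]]
    return cmd

if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    print(minimal_rule(d))
    print(" ".join(can_i_command(d)))
```

Each denial reports only the first verb the plugin was refused, so the check is worth repeating after every rule change until pod sandbox creation succeeds.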
Modified in 4.5 @ https://github.com/openshift/cluster-network-operator/pull/527
Tested and verified in 4.5.0-0.nightly-2020-03-30-182417:

```
[weliang@weliang FILE]$ oc rsh pod-macvlan-bridge-whereabouts1
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: eth0@if19: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 8951 qdisc noqueue state UP
    link/ether 0a:58:0a:81:02:0e brd ff:ff:ff:ff:ff:ff
    inet 10.129.2.14/23 brd 10.129.3.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::fc61:4eff:fe57:1a0a/64 scope link
       valid_lft forever preferred_lft forever
4: net1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 9001 qdisc noqueue state UP
    link/ether e6:ae:c7:68:84:a6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.226/28 brd 192.168.2.239 scope global net1
       valid_lft forever preferred_lft forever
    inet6 fe80::e4ae:c7ff:fe68:84a6/64 scope link
       valid_lft forever preferred_lft forever
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.5 image release advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409