Bug 1812713 - RBAC permissions missing for controller when installed in an openshift 3.x environment
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Migration Tooling
Version: 4.3.z
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 4.3.z
Assignee: Jason Montleon
QA Contact: Xin jiang
URL:
Whiteboard:
Depends On: 1812677
Blocks:
Reported: 2020-03-11 22:56 UTC by John Matthews
Modified: 2020-03-12 15:08 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1812677
Environment:
Last Closed: 2020-03-12 15:08:29 UTC
Target Upstream Version:
Embargoed:



Description John Matthews 2020-03-11 22:56:01 UTC
+++ This bug was initially created as a clone of Bug #1812677 +++

Description of problem:
The controller is missing RBAC privileges when attempting to run PV discovery while installed in a 3.x cluster.

On MigPlan:

    - category: Critical
      lastTransitionTime: "2020-03-11T17:24:51Z"
      message: 'Reconcile failed: [customresourcedefinitions.apiextensions.k8s.io
        is forbidden: User "system:serviceaccount:openshift-migration:migration-controller"
        cannot list customresourcedefinitions.apiextensions.k8s.io at the cluster
        scope: no RBAC policy matched]. See controller logs for details.'
      status: "True"
      type: ReconcileFailed

How reproducible:
Every time

Steps to Reproduce:
1. Install the CAM operator on 3.x, but switch on the controller and UI in the MigrationController so that it is acting as the control cluster. (Also make sure to set the API server value as explained in the comment: https://github.com/konveyor/mig-operator/blob/master/deploy/non-olm/v1.1.0/controller-3.yml#L14)
2. Configure a 4.x cluster as a 2nd target cluster, configure a replication repo
3. Create a plan and select a namespace with a workload to migrate.
4. PV discovery times out; oc get migplan <name> will show the permission issue seen above. It's missing from the operator's mig_rbac template, so it's never created.

This is only seen when trying to use a 3.x cluster as a controller, because the RBAC of a CSV installed via OLM has the correct permissions. The RBAC that has to be created outside of OLM is out of sync and missing these permissions.

End result is that you cannot drive a migration from a 3.x cluster.

--- Additional comment from Jason Montleon on 2020-03-11 20:20:54 UTC ---

Should be able to fix this for the 1.1.2 z-stream. It should be a quick fix; looks like some RBAC changes were left off the Ansible role for non-OLM installs.
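
The following is an added illustration, not code from mig-operator or from anyone on this bug, of how the Kubernetes RBAC authorizer arrives at the "no RBAC policy matched" message quoted in the MigPlan status above, and why the missing rule has to arrive through a ClusterRole plus ClusterRoleBinding rather than a namespaced RoleBinding (a list of customresourcedefinitions is a cluster-scope request). The evaluator is a simplified model (no resourceNames, subresources, non-resource URLs, group subjects or role aggregation), and the role contents in ROLES_BEFORE / ROLES_AFTER are constructed stand-ins, not the real mig_rbac template.

```python
"""Simplified Kubernetes RBAC evaluation (added example, not mig-operator code).

Shows a cluster-scope `list customresourcedefinitions.apiextensions.k8s.io` by the
migration-controller service account being denied with the exact message on the
MigPlan, then allowed once the CRD rule is present in a cluster-bound role.
The role contents below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One PolicyRule: apiGroups / resources / verbs; any list may contain '*'."""
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


@dataclass(frozen=True)
class Binding:
    """A RoleBinding (namespace set) or a ClusterRoleBinding (namespace None)."""
    role: str
    subjects: Tuple[str, ...]
    namespace: Optional[str] = None


@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    api_group: str                  # "" is the core group
    resource: str
    namespace: Optional[str] = None  # None means a cluster-scope request


def _matches(patterns: Tuple[str, ...], value: str) -> bool:
    return "*" in patterns or value in patterns


def rule_allows(rule: Rule, req: Request) -> bool:
    return (_matches(rule.api_groups, req.api_group)
            and _matches(rule.resources, req.resource)
            and _matches(rule.verbs, req.verb))


def authorize(req: Request, roles: Dict[str, Tuple[Rule, ...]],
              bindings: Tuple[Binding, ...]) -> Tuple[bool, str]:
    """Return (allowed, message); the denial message mirrors the API server's."""
    for b in bindings:
        if req.user not in b.subjects:
            continue
        # A RoleBinding only grants inside its own namespace, so a cluster-scope
        # request (namespace None) can only be satisfied via a ClusterRoleBinding.
        if b.namespace is not None and b.namespace != req.namespace:
            continue
        for rule in roles.get(b.role, ()):
            if rule_allows(rule, req):
                return True, f"allowed by role {b.role}: {rule}"
    full = f"{req.resource}.{req.api_group}" if req.api_group else req.resource
    scope = ("at the cluster scope" if req.namespace is None
             else f'in the namespace "{req.namespace}"')
    return False, (f'{full} is forbidden: User "{req.user}" cannot {req.verb} {full} '
                   f'{scope}: no RBAC policy matched')


SA = "system:serviceaccount:openshift-migration:migration-controller"

# Constructed stand-in for the non-OLM role from the report: no CRD access at all.
ROLES_BEFORE = {"migration-controller": (
    Rule(("migration.openshift.io",), ("*",), ("*",)),
    Rule(("",), ("namespaces", "persistentvolumes", "persistentvolumeclaims"),
         ("get", "list", "watch")),
)}
# The same role with the rule the report says is missing.
ROLES_AFTER = {"migration-controller": ROLES_BEFORE["migration-controller"] + (
    Rule(("apiextensions.k8s.io",), ("customresourcedefinitions",),
         ("get", "list", "watch")),
)}
CLUSTER_BINDING = (Binding("migration-controller", (SA,)),)
# Same role bound only inside the operator namespace: not enough for cluster scope.
NAMESPACED_BINDING = (Binding("migration-controller", (SA,), "openshift-migration"),)

LIST_CRDS = Request(SA, "list", "apiextensions.k8s.io", "customresourcedefinitions")
LIST_PVCS = Request(SA, "list", "", "persistentvolumeclaims", "openshift-migration")


def decide(req: Request, roles, bindings) -> bool:
    return authorize(req, roles, bindings)[0]


if __name__ == "__main__":
    for label, roles, bindings in (("before", ROLES_BEFORE, CLUSTER_BINDING),
                                   ("after", ROLES_AFTER, CLUSTER_BINDING),
                                   ("after, RoleBinding only", ROLES_AFTER, NAMESPACED_BINDING)):
        print(f"{label}: {authorize(LIST_CRDS, roles, bindings)[1]}")
```

Against a live cluster the same question is answered by `oc auth can-i list customresourcedefinitions.apiextensions.k8s.io --as=system:serviceaccount:openshift-migration:migration-controller`, which is a quick way to confirm whether a non-OLM install's RBAC template actually carries the rule before running a plan.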

Comment 1 John Matthews 2020-03-12 15:08:29 UTC
Turns out this issue does not impact release 1.1 of CAM.
This is an issue only in the latest code from master; we will keep the BZ open to verify it for CAM 1.2 and close this one, which was targeting a fix in a z-stream.
