+++ This bug was initially created as a clone of Bug #1812677 +++ Description of problem: The controller is missing RBAC privileges when attempting to run PV discovery while installed in a 3.x cluster. On MigPlan: - category: Critical lastTransitionTime: "2020-03-11T17:24:51Z" message: 'Reconcile failed: [customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:openshift-migration:migration-controller" cannot list customresourcedefinitions.apiextensions.k8s.io at the cluster scope: no RBAC policy matched]. See controller logs for details.' status: "True" type: ReconcileFailed How reproducible: Every time Steps to Reproduce: 1. Install CAM operator on 3.x, but switch on controller and ui in the MigrationController so that it is acting as the control cluster. (Also make sure to set the API server value as explained in the comment: https://github.com/konveyor/mig-operator/blob/master/deploy/non-olm/v1.1.0/controller-3.yml#L14 2. Configure a 4.x cluster as a 2nd target cluster, configure a replication repo 3. Create a plan and select a namespace with a workload to migrate. 4. PV discovery times out, oc get migplan <name> will show the permission issue seen above. It's missing from the operator's mig_rbac template, so its never created. This is only seen when trying to use a 3.x cluster as a controller, because the permissions in the RBAC of a CSV installed via OLM have the correct permissions. The RBAC that has to be created outside of OLM is out of sync and missing these permissions. End result is that you cannot drive a migration from a 3.x cluster. --- Additional comment from Jason Montleon on 2020-03-11 20:20:54 UTC --- Should be able to fix this for 1.1.2 z-stream. It should be a quick fix, looks like some rbac changes were left off the ansible role for non-olm installs.
Turns out this issue does not impact release 1.1 of CAM. This is an issue only in latest code from master, we will keep the BZ open to verify it for CAM 1.2 and close this which was targeting a fix in a z-stream.