Bug 1813829 - Error flooded from scheduler pod: User "system:kube-scheduler" cannot list resource "configmaps" in API group "" in the namespace "kube-system"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-scheduler
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.4.0
Assignee: Maciej Szulik
QA Contact: RamaKasturi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-16 09:00 UTC by RamaKasturi
Modified: 2020-05-04 11:46 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-04 11:46:27 UTC
Target Upstream Version:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0581 0 None None None 2020-05-04 11:46:54 UTC

Description RamaKasturi 2020-03-16 09:00:55 UTC
Description of problem:
I see that the kube-scheduler pod logs show the following error message:
E0316 05:43:04.072809       1 reflector.go:153] k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go:209: Failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" is forbidden: User "system:kube-scheduler" cannot list resource "configmaps" in API group "" in the namespace "kube-system"

Version-Release number of selected component (if applicable):
[ramakasturinarra@dhcp35-60 ~]$ oc get clusterversion
NAME      VERSION      AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.4.0-rc.0   True        False         3d16h   Cluster version is 4.4.0-rc.0

How reproducible:
Always

Steps to Reproduce:
1) Install 4.4.0rc cluster
2) Run the command oc logs -f <kube_scheduler_pod_name> -n openshift-kube-scheduler

Actual Results:
==================
The below error message is continuously seen in the logs:
E0316 05:43:04.072809       1 reflector.go:153] k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go:209: Failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" is forbidden: User "system:kube-scheduler" cannot list resource "configmaps" in API group "" in the namespace "kube-system"

Expected Results:
======================
No error messages should be seen

Comment 1 Maciej Szulik 2020-03-16 09:48:41 UTC
This is weird, we fixed this problem in https://bugzilla.redhat.com/show_bug.cgi?id=1778072, specifically this PR https://github.com/kubernetes/kubernetes/pull/85375

Comment 3 Maciej Szulik 2020-03-16 13:56:07 UTC
I just installed 4.4.0-rc.0 and the role looks correct, iow.:

$ oc get role/extension-apiserver-authentication-reader -n kube-system -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2020-03-16T13:23:42Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: extension-apiserver-authentication-reader
  namespace: kube-system
  resourceVersion: "152"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/kube-system/roles/extension-apiserver-authentication-reader
  uid: 394cc63e-c539-434b-9681-532f1c12bf8e
rules:
- apiGroups:
  - ""
  resourceNames:
  - extension-apiserver-authentication
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch


has the necessary list & watch that were missing in Rama's installation. I'm moving this back to qa to verify this against either a fresh install or against rc-1.
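
An added example, not part of the bug report or of the OpenShift or Kubernetes code: a small Python check that parses the forbidden message from the description and evaluates the denied request against the Role rules shown in comment 3. OLD_RULES is a constructed get-only variant standing in for the installation that lacked list and watch, and the binding of system:kube-scheduler to the role in kube-system is assumed to exist.

```python
import re

# Log line copied from the bug description.
LOG_LINE = ('E0316 05:43:04.072809       1 reflector.go:153] '
            'k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go:209: '
            'Failed to list *v1.ConfigMap: configmaps "extension-apiserver-authentication" is forbidden: '
            'User "system:kube-scheduler" cannot list resource "configmaps" '
            'in API group "" in the namespace "kube-system"')

FORBIDDEN_RE = re.compile(
    r'(?P<resource>\S+) "(?P<name>[^"]+)" is forbidden: User "(?P<user>[^"]+)" '
    r'cannot (?P<verb>\S+) resource "[^"]+" in API group "(?P<group>[^"]*)" '
    r'in the namespace "(?P<namespace>[^"]+)"')

# Rules of role/extension-apiserver-authentication-reader as shown in comment 3.
FIXED_RULES = [{"apiGroups": [""], "resourceNames": ["extension-apiserver-authentication"],
                "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]
# Constructed "before" state: same rule without list/watch (get-only is an assumption).
OLD_RULES = [{**FIXED_RULES[0], "verbs": ["get"]}]

def parse_forbidden(line):
    """Extract the denied request from an apiserver 'is forbidden' message."""
    m = FORBIDDEN_RE.search(line)
    return m.groupdict() if m else None

def _matches(allowed, value):
    return "*" in allowed or value in allowed

def rule_allows(rule, req):
    """RBAC PolicyRule match: verb, API group, resource, then resourceNames."""
    names = rule.get("resourceNames", [])
    return (_matches(rule.get("verbs", []), req["verb"])
            and _matches(rule.get("apiGroups", []), req["group"])
            and _matches(rule.get("resources", []), req["resource"])
            and (not names or req["name"] in names))  # empty list = any name

def role_allows(rules, req):
    return any(rule_allows(r, req) for r in rules)

def missing_verbs(rules, req, needed=("get", "list", "watch")):
    """Verbs a reflector (list + watch) needs that the role does not grant."""
    return [v for v in needed if not role_allows(rules, {**req, "verb": v})]

if __name__ == "__main__":
    req = parse_forbidden(LOG_LINE)
    print(req)
    print("old role missing:", missing_verbs(OLD_RULES, req))
    print("fixed role missing:", missing_verbs(FIXED_RULES, req))
```
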

Comment 8 errata-xmlrpc 2020-05-04 11:46:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

