Description of problem: While running e2e CI tests, SSP operator failed on the following error: {"level":"info","ts":1585653625.6926363,"logger":"metrics","msg":"Metrics Service object updated","Service.Name":"kubevirt-ssp-operator-metrics","Service.Namespace":"kubevirt-hyperconverged"} {"level":"info","ts":1585653628.3454573,"logger":"cmd","msg":"Could not create ServiceMonitor object","Namespace":"","error":"servicemonitors.monitoring.coreos.com is forbidden: User \"system:serviceaccount:kubevirt-hyperconverged:kubevirt-ssp-operator\" cannot create resource \"servicemonitors\" in API group \"monitoring.coreos.com\" in the namespace \"kubevirt-hyperconverged\""} Version-Release number of selected component (if applicable): quay.io/fromani/kubevirt-ssp-operator-container:v1.0.28 How reproducible: Nondeterministic Actual results: https://storage.googleapis.com/origin-ci-test/pr-logs/pull/kubevirt_hyperconverged-cluster-operator/516/pull-ci-kubevirt-hyperconverged-cluster-operator-master-hco-e2e-upgrade-aws/720/artifacts/hco-e2e-upgrade-aws/pods/kubevirt-hyperconverged_kubevirt-ssp-operator-5d9fbdfb94-lc5lr_kubevirt-ssp-operator.log Expected results: ssp-operator should create its required objects and report ready. Additional info: Its seems like a permission for servicemonitors is missing on the ssp-operator service account in the CSV. Refer to: https://github.com/MarSik/kubevirt-ssp-operator/blob/master/manifests/generated/kubevirt-ssp-operator.vVERSION.clusterserviceversion.yaml#L83 which is missing "servicemonitors" under resources of apiGroup "monitoring.coreos.com"
Simply adding a create rule for servicemonitors.monitoring.coreos.com is not enough, then SSP operator will fail creating it with: {"level":"info","ts":1585732384.3286846,"logger":"cmd","msg":"Could not create ServiceMonitor object","Namespace":"","error":"servicemonitors.monitoring.coreos.com \"kubevirt-ssp-operator-metrics\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>"}
After that change it fails with a similar issue on services/finalizers and then list on clusterroles.
fixed by: https://github.com/MarSik/kubevirt-ssp-operator/pull/161
@Karel, can you please set the fixed in version, so we will know which version contains the fix?
Verified no ServiceMonitor errors in ssp operator log. Version: kubevirt-ssp-operator-container-v2.4.0-46
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:3194