Description of problem:
Mock CSI tests fail on IBM ROKS clusters because of worker kubelet argument:
--enable-controller-attach-detach=false

Without this flag, it is expected that the attach/detach controller will handle volume attachment for a node. But with the flag, it is expected that the node itself have permission to create volume attachments. This permission is not part of the normal system:worker role.

How reproducible:
Always

Steps to Reproduce:
1. Run openshift e2e on IBM ROKS cluster

Actual results:
Mock CSI volume tests fail.

Expected results:
Mock CSI volume tests succeed.

Additional info:
Current workaround is to add a clusterrolebinding with the system:attachdetach-controller role to the system:nodes group.

This CRB is currently causing failures when testing OpenShift IPI deployments on IBM Cloud:

Jan 26 19:03:35.981: INFO: ns/openshift-console route/console disruption/ingress-to-console connection/new started responding to GET requests over new connections
[BeforeEach] [Top Level]
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/util/framework.go:1489
[BeforeEach] [Top Level]
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/util/framework.go:1489
[BeforeEach] [Top Level]
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/util/test.go:61
[BeforeEach] [sig-instrumentation] Prometheus
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/util/client.go:140
STEP: Creating a kubernetes client
[AfterEach] [sig-instrumentation] Prometheus
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/util/client.go:138
[AfterEach] [sig-instrumentation] Prometheus
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/util/client.go:139
fail [github.com/openshift/origin/test/extended/util/ibmcloud/provider.go:54]: Unexpected error:
    <*errors.StatusError | 0xc00014eb40>: {
        ErrStatus: {
            TypeMeta: {Kind: "", APIVersion: ""},
            ListMeta: {
                SelfLink: "",
                ResourceVersion: "",
                Continue: "",
                RemainingItemCount: nil,
            },
            Status: "Failure",
            Message: "clusterrolebindings.rbac.authorization.k8s.io \"e2e-node-attacher\" already exists",
            Reason: "AlreadyExists",
            Details: {
                Name: "e2e-node-attacher",
                Group: "rbac.authorization.k8s.io",
                Kind: "clusterrolebindings",
                UID: "",
                Causes: nil,
                RetryAfterSeconds: 0,
            },
            Code: 409,
        },
    }
    clusterrolebindings.rbac.authorization.k8s.io "e2e-node-attacher" already exists
occurred

failed: (1.2s) 2022-01-26T19:03:36 "[sig-instrumentation] Prometheus when installed on the cluster shouldn't report any alerts in firing state apart from Watchdog and AlertmanagerReceiversNotConfigured [Early] [Skipped:Disconnected] [Suite:openshift/conformance/parallel]"

We should remove this CRB creation for IBM Cloud in favor of the IBM Cloud managed offering (ROKS) finding a proper solution that does not break unmanaged OpenShift on IBM Cloud (such as IPI deployment).
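
An added example, not part of the bug report or of the openshift/origin code: a check that lists ClusterRoleBindings granting a given role to the system:nodes group, so that a binding such as e2e-node-attacher left behind by a test run can be found and reviewed. The JSON is constructed sample data in the shape of `kubectl get clusterrolebindings -o json`; the function name and the two "example-" bindings are hypothetical.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
# Only e2e-node-attacher, system:nodes and system:attachdetach-controller come
# from the bug report; every other name is made up for this example.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "e2e-node-attacher"},
     "roleRef": {"kind": "ClusterRole", "name": "system:attachdetach-controller"},
     "subjects": [{"kind": "Group", "name": "system:nodes"}]},
    {"metadata": {"name": "example-controller-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "system:attachdetach-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-sa",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "example-empty-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "example-role"},
     "subjects": None},  # a binding can exist with no subjects at all
]})


def bindings_granting(doc, role, group="system:nodes"):
    """Return sorted names of ClusterRoleBindings that bind `role` to `group`."""
    data = json.loads(doc)
    # Accept either a List document or a single ClusterRoleBinding object.
    items = data.get("items") if "items" in data else [data]
    hits = []
    for crb in items or []:
        ref = crb.get("roleRef") or {}
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        # Only a Group subject with the exact group name counts as a match.
        for subj in crb.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") == group:
                hits.append(crb["metadata"]["name"])
                break
    return sorted(hits)


if __name__ == "__main__":
    for name in bindings_granting(SAMPLE, "system:attachdetach-controller"):
        print("node group holds the attach/detach controller role via:", name)
```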
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056