Description of problem: # oc -n openshift-monitoring logs prometheus-adapter-587687f4c-g4dt7 I0515 03:53:37.363903 1 adapter.go:94] successfully using in-cluster auth I0515 03:53:38.139376 1 dynamic_cafile_content.go:166] Starting request-header::/etc/tls/private/requestheader-client-ca-file I0515 03:53:38.139414 1 dynamic_cafile_content.go:166] Starting client-ca-bundle::/etc/tls/private/client-ca-file I0515 03:53:38.139626 1 dynamic_serving_content.go:129] Starting serving-cert::/etc/tls/private/tls.crt::/etc/tls/private/tls.key I0515 03:53:38.140412 1 secure_serving.go:178] Serving securely on [::]:6443 I0515 03:53:38.140485 1 tlsconfig.go:219] Starting DynamicServingCertificateController E0515 03:54:31.943916 1 webhook.go:197] Failed to make webhook authorizer request: subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope E0515 03:54:31.944026 1 errors.go:77] subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope E0515 04:02:40.311308 1 webhook.go:197] Failed to make webhook authorizer request: subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope E0515 04:02:40.311412 1 errors.go:77] subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope E0515 04:20:42.250215 1 reflector.go:307] k8s.io/client-go/informers/factory.go:135: Failed to watch *v1.Node: unknown (get nodes) E0515 04:20:43.251510 1 reflector.go:153] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot list resource "nodes" in API group "" at the cluster scope # token=`oc sa get-token prometheus-adapter -n openshift-monitoring` # oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer $token" 'https://prometheus-k8s.openshift-monitoring.svc:9091/api/v1/query?query=kube_node_info' | jq | head { "status": "success", "data": { "resultType": "vector", "result": [ { "metric": { "__name__": "kube_node_info", "container_runtime_version": "cri-o://1.18.0-17.dev.rhaos4.5.gitdea34b9.el8", "endpoint": "https-main", # oc api-resources | grep subjectaccessreviews subjectaccessreviews authorization.k8s.io false SubjectAccessReview subjectaccessreviews authorization.openshift.io false SubjectAccessReview Version-Release number of selected component (if applicable): 4.5.0-0.nightly-2020-05-14-190315 How reproducible: recently Steps to Reproduce: 1. See the description 2. 3. Actual results: Expected results: Additional info: