Bug 1869035
| Summary: | Update vcenter user permissions required for Openshift |
|---|---|
| Product: | OpenShift Container Platform |
| Component: | Documentation |
| Status: | CLOSED DUPLICATE |
| Severity: | high |
| Priority: | high |
| Version: | 4.4 |
| Target Milestone: | --- |
| Target Release: | 4.7.0 |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | aghadge |
| Assignee: | Bob Furu <bfuru> |
| QA Contact: | jima |
| Docs Contact: | Vikram Goyal <vigoyal> |
| CC: | adeshpan, aelganzo, andcosta, aos-bugs, bfuru, bjarolim, chuffman, dgautam, dkochuka, dkulkarn, hekumar, jcallen, jima, jokerman, jsafrane, oarribas, openshift-bugs-escalate, osousa, pdhange, pescorza, prdeshpa, zisis.lianas |
| Doc Type: | If docs needed, set a value |
| Story Points: | --- |
| Last Closed: | 2021-06-15 16:33:01 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |

Hi Hemant,

did you have any chance to look into this? What are the next steps?

Best,
Brenda Florence Jarolimkova, RHCSA
Critical Situation Manager, Customer Experience & Engagement
Red Hat Czech, s.r.o.
Purkyňova 99, 612 00 Brno
Czech Republic
bjarolim
M: +420702240675

Created attachment 1728519
Add permissions to create and delete tasks

Moving this to docs team. In addition to permissions documented - https://bugzilla.redhat.com/show_bug.cgi?id=1879959 , we need to update vCenter permissions to include permissions to create and delete tasks.

We should backport the permission docs change to 4.4, 4.5 and 4.6.

Created attachment 1728791
Additional vCenter overall status permission

In addition to the aforementioned tasks privileges, we should explicitly call out that the vCenter user configured in OpenShift must have permissions to view vCenter itself.

Or, to put it another way, when an admin logs in to vCenter using the user/password configured in OCP (that is used for connecting to vCenter), the admin should be able to view vCenter's overall status as shown in the screenshot.

*** Bug 1814304 has been marked as a duplicate of this bug. ***

The table for the in-tree documentation I think would be a good place to start. We need to define what vCenter _entity_ the user (and role) needs. That is currently not in our docs.

https://vmware.github.io/vsphere-storage-for-kubernetes/documentation/vcp-roles.html

Created https://github.com/openshift/openshift-docs/pull/27328 to include Tasks privileges in the "vSphere Install - vCenter Requirements" doc. Based on the vCenter GUI screenshot in this BZ, I didn’t see an option for “Delete task” so I included “All privileges”. (Other options are “Create task” and “Update task”.) Waiting for SME and QE review.

Moving to ON_QA.

Hello all,

Adding the ReadOnly permission on the vCenter server level for the used user solved this issue.

Thank you, Oscar, for bringing this to my attention! It does look as though the PR and BZ you mention take care of this BZ's request to update vCenter permissions. Closing this BZ as a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1950638.

*** This bug has been marked as a duplicate of bug 1950638 ***

Description of problem:

- A PVC created with the vSphere thin storage class cannot be bound and stays in the "pending" state for a long time.
- Sometimes it gets into the Bound state after a considerably long time, e.g. 6-7 hours.
- But at the same time, if we forcefully redeploy the "kube-controller-manager" with the command below, the PVC immediately gets into the Bound state.

    $ oc patch kubecontrollermanager/cluster --type merge -p "{\"spec\":{\"forceRedeploymentReason\":\"Forcing new revision with random number $RANDOM to make message unique\"}}"

- The issue has been identified in two different customer environments (cases are attached to the bug).
- There is one similarity between the environments: both customers have OCS deployed along with OCP.

Version-Release number of selected component (if applicable):

Red Hat OpenShift Container Platform 4.4
Red Hat OpenShift Container Platform 4.5

How reproducible:

- Always, in both customer environments.

Steps to Reproduce:

1. Provision a PVC with the "thin" storage class.
2. It will get stuck in the "pending" state.
3. Redeploy the "kube-controller-manager" with the command below and the PVC will get into the Bound state immediately.

    $ oc patch kubecontrollermanager/cluster --type merge -p "{\"spec\":{\"forceRedeploymentReason\":\"Forcing new revision with random number $RANDOM to make message unique\"}}"

Actual results:

- A PVC with the thin storage class gets stuck in the "pending" state until we forcefully redeploy "kube-controller-manager".

Expected results:

- A PVC with the thin storage class should get into the "Bound" state immediately on its own, and there should not be any need to redeploy "kube-controller-manager" to achieve it.

Additional info:

- Kube-controller-manager logs from both customer environments are uploaded on the case.