Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1871050

Summary: ovirt CSI driver needs permission to patch volumeattachment/status
Product: OpenShift Container Platform Reporter: Jan Safranek <jsafrane>
Component: StorageAssignee: Jan Safranek <jsafrane>
Storage sub component: Operators QA Contact: Qin Ping <piqin>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: unspecified CC: aos-bugs, gzaidman
Version: 4.6   
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 16:30:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Safranek 2020-08-21 08:39:54 UTC 
As part of rebase of CSI sidecars to 1.19 versions, external-attacher now needs permissions to PATCH volumeattachment/status.

Steps to reproduce:

1. install the CSI driver
2. check external-attacher version
3. run a pod with a volume provided by the driver

Actual results:

3. The pod is Pending, external-attacher logs:

I0821 08:22:24.981208       1 csi_handler.go:218] Error processing "csi-32f278e4d2a003e5255bac9d84303473a9e9e20175dd8fa695f1b659dc01315e": failed to mark as attached: volumeattachments.storage.k8s.io "csi-32f278e4d2a003e5255bac9d84303473a9e9e20175dd8fa695f1b659dc01315e" is forbidden: User "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa" cannot patch resource "volumeattachments/status" in API group "storage.k8s.io" at the cluster scope

Expected result:

2. external-attacher is at v3.0.0 (https://github.com/openshift/csi-external-attacher/pull/22)

3. The pod runs


Users / QA should not be able to even hit this, as we patch the RBAC rules before merging the attacher. In CI, it looked like this:

This can be seen in CI, https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_csi-external-attacher/22/pull-ci-openshift-csi-external-attacher-master-e2e-aws-csi/1296500248352395264

(and thanks to CI to find this out)
Comment 3 Gal Zaidman 2020-08-23 14:06:31 UTC 
This change[3] caused ovirt installation and CI to break[1] due to:
"
level=error msg="Cluster operator storage Degraded is True with OVirtCSIDriverOperatorCR_OvirtDriverStaticResources_SyncError: OVirtCSIDriverOperatorCRDegraded: OvirtDriverStaticResourcesDegraded: \"rbac/attacher_binding.yaml\" (string): clusterroles.rbac.authorization.k8s.io \"ovirt-external-attacher-role\" not found\nOVirtCSIDriverOperatorCRDegraded: OvirtDriverStaticResourcesDegraded: \"rbac/attacher_role.yaml\" (string): clusterroles.rbac.authorization.k8s.io \"ovirt-external-attacher-role\" is forbidden: user \"system:serviceaccount:openshift-cluster-csi-drivers:ovirt-csi-driver-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:openshift-cluster-csi-drivers\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\nOVirtCSIDriverOperatorCRDegraded: OvirtDriverStaticResourcesDegraded: {APIGroups:[\"storage.k8s.io\"], Resources:[\"volumeattachments/status\"], Verbs:[\"patch\"]}\nOVirtCSIDriverOperatorCRDegraded: OvirtDriverStaticResourcesDegraded: "
"

Moving to post so I can link PR[2] which complete the fix (didn't want to open a separate bug just to link the PR).

[1] https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-ocp-installer-e2e-ovirt-4.6/1297494770666442752
[2] https://github.com/openshift/ovirt-csi-driver-operator/pull/22
[3] https://github.com/openshift/ovirt-csi-driver-operator/pull/21
Comment 5 Qin Ping 2020-08-26 03:12:38 UTC 
Verified with: 4.6.0-0.nightly-2020-08-26-010422
Comment 7 errata-xmlrpc 2020-10-27 16:30:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196