As part of the rebase of CSI sidecars to 1.19 versions, external-attacher now needs permissions to PATCH volumeattachment/status.

Steps to reproduce:
1. install the CSI driver
2. check external-attacher version
3. run a pod with a volume provided by the driver

Actual results:
3. The pod is Pending, external-attacher logs:
I0821 08:22:24.981208 1 csi_handler.go:218] Error processing "csi-32f278e4d2a003e5255bac9d84303473a9e9e20175dd8fa695f1b659dc01315e": failed to mark as attached: volumeattachments.storage.k8s.io "csi-32f278e4d2a003e5255bac9d84303473a9e9e20175dd8fa695f1b659dc01315e" is forbidden: User "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa" cannot patch resource "volumeattachments/status" in API group "storage.k8s.io" at the cluster scope

Expected result:
2. external-attacher is at v3.0.0 (https://github.com/openshift/csi-external-attacher/pull/22)
3. The pod runs

Users / QA should not be able to even hit this, as we patch the RBAC rules before merging the attacher. In CI, it looked like this:

This can be seen in CI, https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_csi-external-attacher/22/pull-ci-openshift-csi-external-attacher-master-e2e-aws-csi/1296500248352395264 (and thanks to CI for finding this out)
This change[3] caused ovirt installation and CI to break[1] due to:

"
level=error msg="Cluster operator storage Degraded is True with OVirtCSIDriverOperatorCR_OvirtDriverStaticResources_SyncError: OVirtCSIDriverOperatorCRDegraded: OvirtDriverStaticResourcesDegraded: \"rbac/attacher_binding.yaml\" (string): clusterroles.rbac.authorization.k8s.io \"ovirt-external-attacher-role\" not found\nOVirtCSIDriverOperatorCRDegraded: OvirtDriverStaticResourcesDegraded: \"rbac/attacher_role.yaml\" (string): clusterroles.rbac.authorization.k8s.io \"ovirt-external-attacher-role\" is forbidden: user \"system:serviceaccount:openshift-cluster-csi-drivers:ovirt-csi-driver-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:openshift-cluster-csi-drivers\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\nOVirtCSIDriverOperatorCRDegraded: OvirtDriverStaticResourcesDegraded: {APIGroups:[\"storage.k8s.io\"], Resources:[\"volumeattachments/status\"], Verbs:[\"patch\"]}\nOVirtCSIDriverOperatorCRDegraded: OvirtDriverStaticResourcesDegraded: "
"

Moving to post so I can link PR[2] which completes the fix (didn't want to open a separate bug just to link the PR).

[1] https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-ocp-installer-e2e-ovirt-4.6/1297494770666442752
[2] https://github.com/openshift/ovirt-csi-driver-operator/pull/22
[3] https://github.com/openshift/ovirt-csi-driver-operator/pull/21
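An added example, not part of the original bug report or of either project's code: a Python sketch that extracts the missing RBAC rule from both denial formats quoted above, the API server's "cannot patch resource" message and the escalation check's "attempting to grant RBAC permissions not currently held" message. The log lines are constructed from the ones in this report (attachment id replaced by a placeholder, operator prefixes shortened), and the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the two denial formats quoted in this report
# (volume attachment id replaced by a placeholder, operator prefixes shortened).
SAMPLE_LOG = r'''
I0821 08:22:24.981208 1 csi_handler.go:218] Error processing "csi-EXAMPLE": failed to mark as attached: volumeattachments.storage.k8s.io "csi-EXAMPLE" is forbidden: User "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa" cannot patch resource "volumeattachments/status" in API group "storage.k8s.io" at the cluster scope
level=error msg="clusterroles.rbac.authorization.k8s.io \"ovirt-external-attacher-role\" is forbidden: user \"system:serviceaccount:openshift-cluster-csi-drivers:ovirt-csi-driver-operator\" (groups=[\"system:serviceaccounts\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"storage.k8s.io\"], Resources:[\"volumeattachments/status\"], Verbs:[\"patch\"]}"
'''

# Authorization denial: the subject itself lacks the verb on the resource.
AUTHZ = re.compile(r'User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)"')
# Escalation denial: the subject tried to write a role granting rules it does not hold.
GRANTOR = re.compile(r'user "([^"]+)" \(groups=.*?\) is attempting to grant RBAC permissions not currently held')
RULE = re.compile(r'\{APIGroups:\[([^\]]*)\], Resources:\[([^\]]*)\], Verbs:\[([^\]]*)\]\}')

def _items(field):
    """Split a Go-style list such as '"a" "b"' into its quoted items."""
    return re.findall(r'"([^"]*)"', field)

def missing_rules(log_text):
    """Return {subject: {(kind, apiGroup, resource, verb), ...}} for each RBAC denial found."""
    found = defaultdict(set)
    for raw in log_text.splitlines():
        # Undo the escaping added when one log message is nested inside another.
        line = raw.replace('\\"', '"').replace('\\n', '\n')
        for user, verb, res, group in AUTHZ.findall(line):
            found[user].add(("denied", group, res, verb))
        m = GRANTOR.search(line)
        if m:
            for groups, resources, verbs in RULE.findall(line[m.end():]):
                for g in _items(groups):
                    for r in _items(resources):
                        for v in _items(verbs):
                            found[m.group(1)].add(("escalation", g, r, v))
    return dict(found)

if __name__ == "__main__":
    for subject, rules in missing_rules(SAMPLE_LOG).items():
        for kind, group, res, verb in sorted(rules):
            print(f"{subject}: {kind}: {verb} {res} ({group})")
```

A "denied" entry means the subject's own role lacks the rule; an "escalation" entry means the subject tried to create or update a role containing a rule it does not itself hold, so the rule has to be granted to that subject first.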
Verified with: 4.6.0-0.nightly-2020-08-26-010422
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196