As part of rebase of CSI sidecars to 1.19 versions, external-attacher now needs permissions to PATCH volumeattachment/status. Steps to reproduce: 1. install the CSI driver 2. check external-attacher version 3. run a pod with a volume provided by the driver Actual results: 3. The pod is Pending, external-attacher logs: I0821 08:22:24.981208 1 csi_handler.go:218] Error processing "csi-32f278e4d2a003e5255bac9d84303473a9e9e20175dd8fa695f1b659dc01315e": failed to mark as attached: volumeattachments.storage.k8s.io "csi-32f278e4d2a003e5255bac9d84303473a9e9e20175dd8fa695f1b659dc01315e" is forbidden: User "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa" cannot patch resource "volumeattachments/status" in API group "storage.k8s.io" at the cluster scope Expected result: 2. external-attacher is at v3.0.0 (https://github.com/openshift/csi-external-attacher/pull/22) 3. The pod runs Users / QA should not be able to even hit this, as we patch the RBAC rules before merging the attacher. In CI, it looked like this: https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_csi-external-attacher/22/pull-ci-openshift-csi-external-attacher-master-e2e-aws-csi/1296500248352395264 (and thanks to CI to find this out)
*** Bug 1871820 has been marked as a duplicate of this bug. ***
Verified with: 4.6.0-0.nightly-2020-08-25-222652
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196