Bug 1871051 - AWS EBS CSI driver needs permission to patch volumeattachment/status
Summary: AWS EBS CSI driver needs permission to patch volumeattachment/status
Keywords:
Status: VERIFIED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 4.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.6.0
Assignee: Jan Safranek
QA Contact: Qin Ping
URL:
Whiteboard:
: 1871820 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-08-21 08:40 UTC by Jan Safranek
Modified: 2020-08-26 03:07 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift aws-ebs-csi-driver-operator pull 79 None closed Bug 1871051: Add external-attacher permissions to patch status 2020-08-26 02:44:44 UTC
Github openshift cluster-storage-operator pull 78 None closed Bug 1871051: Add CSI operators permissions to patch volumeattachment/status 2020-08-26 02:44:44 UTC

Description Jan Safranek 2020-08-21 08:40:35 UTC
As part of rebase of CSI sidecars to 1.19 versions, external-attacher now needs permissions to PATCH volumeattachment/status.

Steps to reproduce:

1. install the CSI driver
2. check external-attacher version
3. run a pod with a volume provided by the driver

Actual results:

3. The pod is Pending, external-attacher logs:

I0821 08:22:24.981208       1 csi_handler.go:218] Error processing "csi-32f278e4d2a003e5255bac9d84303473a9e9e20175dd8fa695f1b659dc01315e": failed to mark as attached: volumeattachments.storage.k8s.io "csi-32f278e4d2a003e5255bac9d84303473a9e9e20175dd8fa695f1b659dc01315e" is forbidden: User "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa" cannot patch resource "volumeattachments/status" in API group "storage.k8s.io" at the cluster scope

Expected result:

2. external-attacher is at v3.0.0 (https://github.com/openshift/csi-external-attacher/pull/22)

3. The pod runs


Users / QA should not be able to even hit this, as we patch the RBAC rules before merging the attacher. In CI, it looked like this:

https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_csi-external-attacher/22/pull-ci-openshift-csi-external-attacher-master-e2e-aws-csi/1296500248352395264

(and thanks to CI to find this out)

Comment 1 Jan Zmeskal 2020-08-24 14:14:40 UTC
*** Bug 1871820 has been marked as a duplicate of this bug. ***

Comment 4 Qin Ping 2020-08-26 03:07:21 UTC
Verified with: 4.6.0-0.nightly-2020-08-25-222652


Note You need to log in before you can comment on or make changes to this bug.