Bug 1879159 - cluster-machine-approver is communicating with Kube API via localhost
Summary: cluster-machine-approver is communicating with Kube API via localhost
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Compute
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.6.0
Assignee: Alberto
QA Contact: sunzhaohua
Depends On:
Blocks: 1863011 1887354
TreeView+ depends on / blocked
Reported: 2020-09-15 14:43 UTC by Lukasz Szaszkiewicz
Modified: 2020-10-27 16:41 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-10-27 16:41:19 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-machine-approver pull 85 0 None closed Bug 1879159: stop communicating with Kube API via localhost 2021-02-05 21:43:07 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:41:40 UTC

Description Lukasz Szaszkiewicz 2020-09-15 14:43:59 UTC
Communicating with Kube API via localhost is discouraged because the caller doesn't know when the server is ready to serve the request. Reaching over the Kubernetes build-in service is preferred as it only contains the servers that are healthy and ready.

The following query shows that the operator frequently fails with errors like ` connect: connection refused` or `Failed to list *v1beta1.CertificateSigningRequest: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-machine-approver:machine-approver-sa" cannot list resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope`

[1] https://search.ci.openshift.org/?search=Failed+to+list+.*+is+forbidden%3A+.*+in+API+group&maxAge=48h&context=1&type=junit&name=&maxMatches=5&maxBytes=20971520&groupBy=job

I have opened https://github.com/openshift/cluster-machine-approver/pull/85 to address this issue.

Comment 1 Yu Qi Zhang 2020-09-15 15:16:30 UTC
The cluster-machine-approver is not part of the MCO, looking at the repo I think it might belong to machine-api? Moving over.

Comment 6 errata-xmlrpc 2020-10-27 16:41:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.