Communicating with the Kube API via localhost is discouraged because the caller doesn't know when the server is ready to serve the request. Reaching over the Kubernetes built-in service is preferred as it only contains the servers that are healthy and ready. The following query shows that the operator frequently fails with errors like `127.0.0.1:6443: connect: connection refused` or `Failed to list *v1beta1.CertificateSigningRequest: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-machine-approver:machine-approver-sa" cannot list resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope`. [1] https://search.ci.openshift.org/?search=Failed+to+list+.*+is+forbidden%3A+.*+in+API+group&maxAge=48h&context=1&type=junit&name=&maxMatches=5&maxBytes=20971520&groupBy=job I have opened https://github.com/openshift/cluster-machine-approver/pull/85 to address this issue.
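An added illustration of the point in the report above, not code from the cluster-machine-approver repository or from the linked pull request: a startup check that takes the API endpoint from the built-in `kubernetes` service variables and refuses a loopback address. The names `serviceEndpoint`, `isLoopback` and `ErrLoopback` are hypothetical; `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` are the variables Kubernetes sets in every pod.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
)

// ErrLoopback (hypothetical name) marks an endpoint that points at the node's
// own apiserver, whose readiness the caller cannot know.
var ErrLoopback = errors.New("API endpoint is loopback; local apiserver readiness is unknown")

// serviceEndpoint builds the API server URL from the environment variables
// injected for the built-in "kubernetes" service. getenv is a parameter so the
// function can be exercised without a cluster.
func serviceEndpoint(getenv func(string) string) (string, error) {
	host := getenv("KUBERNETES_SERVICE_HOST")
	port := getenv("KUBERNETES_SERVICE_PORT")
	if host == "" || port == "" {
		return "", errors.New("KUBERNETES_SERVICE_HOST/PORT not set")
	}
	if isLoopback(host) {
		// An override such as 127.0.0.1 bypasses the service's endpoint list.
		return "", ErrLoopback
	}
	// JoinHostPort adds the brackets an IPv6 literal needs.
	return "https://" + net.JoinHostPort(host, port), nil
}

// isLoopback reports whether host is "localhost" or a loopback IP literal.
func isLoopback(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

func main() {
	url, err := serviceEndpoint(os.Getenv)
	if err != nil {
		fmt.Println("refusing to start:", err)
		return
	}
	fmt.Println("API server:", url)
}
```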
The cluster-machine-approver is not part of the MCO; looking at the repo, I think it might belong to machine-api? Moving over.
Moving to verified; didn't encounter this in the 4.6 version: https://search.ci.openshift.org/?search=Failed+to+list+.*+is+forbidden%3A+.*+in+API+group&maxAge=48h&context=1&type=junit&name=4.6&maxMatches=5&maxBytes=20971520&groupBy=job
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196