Bug 1883458 - Move range allocations to CRD's
Summary: Move range allocations to CRD's
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-controller-manager
Version: 4.6
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.6.0
Assignee: David Eads
QA Contact: RamaKasturi
URL:
Whiteboard:
: 1882101 (view as bug list)
Depends On: 1886022
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-09-29 09:28 UTC by RamaKasturi
Modified: 2023-09-14 06:08 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1886022 (view as bug list)
Environment:
Last Closed: 2020-10-27 16:45:59 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift api pull 751 0 None closed Bug 1883458: add CRD based internal rangeallocations for SCC uid allocation 2021-02-02 07:06:33 UTC
Github openshift client-go pull 162 0 None closed Bug 1883458: add internal range allocation 2021-02-02 07:06:33 UTC
Github openshift cluster-config-operator pull 157 0 None closed Bug 1883458: add rangeallocation CRD 2021-02-02 07:06:33 UTC
Github openshift cluster-kube-controller-manager-operator pull 459 0 None closed Bug 1883458: add permissions for internal rangeallocation 2021-02-02 07:06:33 UTC
Github openshift cluster-kube-controller-manager-operator pull 464 0 None closed [release-4.6] Bug 1883458: add new apigroup to rendered clusterrole copy 2021-02-02 07:06:33 UTC
Github openshift cluster-policy-controller pull 39 0 None closed Bug 1883458: switch to CRD for rangeallocation 2021-02-02 07:06:34 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:46:14 UTC

Description RamaKasturi 2020-09-29 09:28:32 UTC
Description of problem:
When verifying the bug https://bugzilla.redhat.com/show_bug.cgi?id=1861917 here found below errors in the cluster-policy-controller.log file and it looks like we might need to move range allocations to CRD's.

[core@ip-10-0-23-53 ~]$ cat  /var/log/bootstrap-control-plane/cluster-policy-controller.log | grep "E0"
E0923 10:53:48.265108       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ClusterResourceQuota: failed to list *v1.ClusterResourceQuota: the server could not find the requested resource (get clusterresourcequotas.quota.openshift.io)
E0923 10:53:48.283894       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:53:48.324639       1 namespace_scc_allocation_controller.go:258] rangeallocations.security.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.openshift.io" at the cluster scope
E0923 10:53:49.521481       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:53:49.768559       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ClusterResourceQuota: failed to list *v1.ClusterResourceQuota: the server could not find the requested resource (get clusterresourcequotas.quota.openshift.io)
E0923 10:53:51.524213       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:53:51.918415       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ClusterResourceQuota: failed to list *v1.ClusterResourceQuota: the server could not find the requested resource (get clusterresourcequotas.quota.openshift.io)
E0923 10:53:56.798612       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:53:58.372575       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:54:08.339319       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:54:09.311320       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:54:18.393299       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:54:28.345494       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:54:32.979585       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:54:38.381531       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:54:48.383548       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:54:58.411687       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:55:05.326135       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:55:08.335222       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:55:18.336587       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:55:28.335302       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:55:38.338179       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:55:48.084496       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:55:48.340012       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:55:58.334185       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:56:08.332142       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:56:18.336497       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:56:28.339688       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:56:38.341022       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:56:45.189966       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:56:48.338290       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:56:58.338209       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:57:08.337998       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:57:18.332250       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:57:20.983052       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:57:28.331742       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:57:38.334026       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:57:48.337327       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:57:58.337233       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:58:08.337462       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:58:18.337001       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:58:18.797095       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:58:28.337135       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:58:38.337125       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:58:48.336420       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:58:48.337833       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:58:51.013496       1 reconciliation_controller.go:123] initial monitor sync has error: [couldn't start monitor for resource "cloudcredential.openshift.io/v1, Resource=credentialsrequests": unable to monitor quota for resource "cloudcredential.openshift.io/v1, Resource=credentialsrequests", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=probes": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=probes", couldn't start monitor for resource "operators.coreos.com/v1alpha1, Resource=catalogsources": unable to monitor quota for resource "operators.coreos.com/v1alpha1, Resource=catalogsources", couldn't start monitor for resource "machine.openshift.io/v1beta1, Resource=machinehealthchecks": unable to monitor quota for resource "machine.openshift.io/v1beta1, Resource=machinehealthchecks", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=prometheuses": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=prometheuses", couldn't start monitor for resource "operators.coreos.com/v1alpha1, Resource=installplans": unable to monitor quota for resource "operators.coreos.com/v1alpha1, Resource=installplans", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=thanosrulers": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=thanosrulers", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=prometheusrules": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=prometheusrules", couldn't start monitor for resource "controlplane.operator.openshift.io/v1alpha1, Resource=podnetworkconnectivitychecks": unable to monitor quota for resource "controlplane.operator.openshift.io/v1alpha1, Resource=podnetworkconnectivitychecks", couldn't start monitor for resource "operator.openshift.io/v1, Resource=ingresscontrollers": unable to monitor quota for resource "operator.openshift.io/v1, Resource=ingresscontrollers", couldn't start monitor for resource "tuned.openshift.io/v1, Resource=profiles": unable to monitor quota for resource "tuned.openshift.io/v1, Resource=profiles", couldn't start monitor for resource "tuned.openshift.io/v1, Resource=tuneds": unable to monitor quota for resource "tuned.openshift.io/v1, Resource=tuneds", couldn't start monitor for resource "metal3.io/v1alpha1, Resource=baremetalhosts": unable to monitor quota for resource "metal3.io/v1alpha1, Resource=baremetalhosts", couldn't start monitor for resource "operators.coreos.com/v1alpha1, Resource=clusterserviceversions": unable to monitor quota for resource "operators.coreos.com/v1alpha1, Resource=clusterserviceversions", couldn't start monitor for resource "ingress.operator.openshift.io/v1, Resource=dnsrecords": unable to monitor quota for resource "ingress.operator.openshift.io/v1, Resource=dnsrecords", couldn't start monitor for resource "network.operator.openshift.io/v1, Resource=operatorpkis": unable to monitor quota for resource "network.operator.openshift.io/v1, Resource=operatorpkis", couldn't start monitor for resource "operators.coreos.com/v1, Resource=operatorgroups": unable to monitor quota for resource "operators.coreos.com/v1, Resource=operatorgroups", couldn't start monitor for resource "machine.openshift.io/v1beta1, Resource=machinesets": unable to monitor quota for resource "machine.openshift.io/v1beta1, Resource=machinesets", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=servicemonitors": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=servicemonitors", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=podmonitors": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=podmonitors", couldn't start monitor for resource "operators.coreos.com/v1alpha1, Resource=subscriptions": unable to monitor quota for resource "operators.coreos.com/v1alpha1, Resource=subscriptions", couldn't start monitor for resource "machine.openshift.io/v1beta1, Resource=machines": unable to monitor quota for resource "machine.openshift.io/v1beta1, Resource=machines", couldn't start monitor for resource "autoscaling.openshift.io/v1beta1, Resource=machineautoscalers": unable to monitor quota for resource "autoscaling.openshift.io/v1beta1, Resource=machineautoscalers", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=alertmanagers": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=alertmanagers"]
E0923 10:58:51.091479       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:58:51.127427       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:58:52.244447       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:58:54.142648       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:58:58.782263       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:59:01.143630       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:59:08.599019       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:59:11.143640       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:59:21.143714       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:59:30.200689       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 10:59:31.143713       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:59:41.142843       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 10:59:51.145148       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:00:01.143121       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:00:06.256922       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:00:11.139495       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:00:21.140082       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:00:31.142606       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:00:41.142816       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:00:51.150664       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:01:01.142623       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:01:05.627751       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:01:11.143396       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:01:21.142007       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:01:31.143061       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:01:35.948090       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:01:41.143566       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:01:51.135907       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:02:01.130057       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:02:11.172627       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:02:21.129892       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:02:21.754965       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:02:31.129750       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:02:41.131712       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:02:51.132510       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:03:01.129556       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:03:08.252595       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:03:11.284385       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:03:21.129059       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:03:31.129314       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:03:41.129340       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:03:45.966134       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:03:51.154600       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:03:51.162346       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:04:14.713086       1 reconciliation_controller.go:117] initial discovery check failure, continuing and counting on future sync update: unable to retrieve the complete list of server APIs: packages.operators.coreos.com/v1: the server is currently unable to handle the request
E0923 11:04:14.714426       1 reconciliation_controller.go:123] initial monitor sync has error: [couldn't start monitor for resource "metal3.io/v1alpha1, Resource=baremetalhosts": unable to monitor quota for resource "metal3.io/v1alpha1, Resource=baremetalhosts", couldn't start monitor for resource "whereabouts.cni.cncf.io/v1alpha1, Resource=ippools": unable to monitor quota for resource "whereabouts.cni.cncf.io/v1alpha1, Resource=ippools", couldn't start monitor for resource "autoscaling.openshift.io/v1beta1, Resource=machineautoscalers": unable to monitor quota for resource "autoscaling.openshift.io/v1beta1, Resource=machineautoscalers", couldn't start monitor for resource "tuned.openshift.io/v1, Resource=profiles": unable to monitor quota for resource "tuned.openshift.io/v1, Resource=profiles", couldn't start monitor for resource "whereabouts.cni.cncf.io/v1alpha1, Resource=overlappingrangeipreservations": unable to monitor quota for resource "whereabouts.cni.cncf.io/v1alpha1, Resource=overlappingrangeipreservations", couldn't start monitor for resource "operator.openshift.io/v1, Resource=ingresscontrollers": unable to monitor quota for resource "operator.openshift.io/v1, Resource=ingresscontrollers", couldn't start monitor for resource "operators.coreos.com/v1alpha1, Resource=catalogsources": unable to monitor quota for resource "operators.coreos.com/v1alpha1, Resource=catalogsources", couldn't start monitor for resource "machine.openshift.io/v1beta1, Resource=machines": unable to monitor quota for resource "machine.openshift.io/v1beta1, Resource=machines", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=probes": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=probes", couldn't start monitor for resource "operators.coreos.com/v1, Resource=operatorgroups": unable to monitor quota for resource "operators.coreos.com/v1, Resource=operatorgroups", couldn't start monitor for resource "operators.coreos.com/v1alpha1, Resource=clusterserviceversions": unable to monitor quota for resource "operators.coreos.com/v1alpha1, Resource=clusterserviceversions", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=thanosrulers": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=thanosrulers", couldn't start monitor for resource "cloudcredential.openshift.io/v1, Resource=credentialsrequests": unable to monitor quota for resource "cloudcredential.openshift.io/v1, Resource=credentialsrequests", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=prometheuses": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=prometheuses", couldn't start monitor for resource "operators.coreos.com/v1alpha1, Resource=installplans": unable to monitor quota for resource "operators.coreos.com/v1alpha1, Resource=installplans", couldn't start monitor for resource "machine.openshift.io/v1beta1, Resource=machinesets": unable to monitor quota for resource "machine.openshift.io/v1beta1, Resource=machinesets", couldn't start monitor for resource "network.operator.openshift.io/v1, Resource=operatorpkis": unable to monitor quota for resource "network.operator.openshift.io/v1, Resource=operatorpkis", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=alertmanagers": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=alertmanagers", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=prometheusrules": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=prometheusrules", couldn't start monitor for resource "operators.coreos.com/v1alpha1, Resource=subscriptions": unable to monitor quota for resource "operators.coreos.com/v1alpha1, Resource=subscriptions", couldn't start monitor for resource "tuned.openshift.io/v1, Resource=tuneds": unable to monitor quota for resource "tuned.openshift.io/v1, Resource=tuneds", couldn't start monitor for resource "ingress.operator.openshift.io/v1, Resource=dnsrecords": unable to monitor quota for resource "ingress.operator.openshift.io/v1, Resource=dnsrecords", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=podmonitors": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=podmonitors", couldn't start monitor for resource "network.openshift.io/v1, Resource=egressnetworkpolicies": unable to monitor quota for resource "network.openshift.io/v1, Resource=egressnetworkpolicies", couldn't start monitor for resource "machine.openshift.io/v1beta1, Resource=machinehealthchecks": unable to monitor quota for resource "machine.openshift.io/v1beta1, Resource=machinehealthchecks", couldn't start monitor for resource "k8s.cni.cncf.io/v1, Resource=network-attachment-definitions": unable to monitor quota for resource "k8s.cni.cncf.io/v1, Resource=network-attachment-definitions", couldn't start monitor for resource "monitoring.coreos.com/v1, Resource=servicemonitors": unable to monitor quota for resource "monitoring.coreos.com/v1, Resource=servicemonitors", couldn't start monitor for resource "snapshot.storage.k8s.io/v1beta1, Resource=volumesnapshots": unable to monitor quota for resource "snapshot.storage.k8s.io/v1beta1, Resource=volumesnapshots", couldn't start monitor for resource "controlplane.operator.openshift.io/v1alpha1, Resource=podnetworkconnectivitychecks": unable to monitor quota for resource "controlplane.operator.openshift.io/v1alpha1, Resource=podnetworkconnectivitychecks"]
E0923 11:04:14.758640       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:04:14.918018       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:04:16.016649       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:04:18.200277       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:04:22.072482       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:04:24.920078       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:04:31.132968       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:04:34.920350       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:04:44.942640       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:04:54.398385       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:04:54.920130       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:05:04.931593       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:05:14.919904       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:05:24.921281       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:05:30.603284       1 reflector.go:127] k8s.io/client-go.0-rc.2/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E0923 11:05:34.919877       1 namespace_scc_allocation_controller.go:258] the server could not find the requested resource (post rangeallocations.security.openshift.io)
E0923 11:06:14.947616       1 namespace_scc_allocation_controller.go:258] the server is currently unable to handle the request (get rangeallocations.security.openshift.io scc-uid)

[core@ip-10-0-23-53 ~]$ cat  /var/log/bootstrap-control-plane/cluster-policy-controller.log | grep "F0"
F0923 10:58:48.337850       1 namespace_scc_allocation_controller.go:116] timed out waiting for the condition
F0923 11:03:51.162459       1 namespace_scc_allocation_controller.go:116] timed out waiting for the condition
goroutine 163 [running]:
k8s.io/klog/v2.stacks(0xc0005a5501, 0xc0005a6ff0, 0x6e, 0xe9)
        k8s.io/klog/v2.0/klog.go:996 +0xb8
k8s.io/klog/v2.(*loggingT).output(0x360a420, 0xc000000003, 0x0, 0x0, 0xc00086ad90, 0x353bd15, 0x26, 0x74, 0x2464900)
        k8s.io/klog/v2.0/klog.go:945 +0x19d
k8s.io/klog/v2.(*loggingT).printDepth(0x360a420, 0xc000000003, 0x0, 0x0, 0x1, 0xc000a41f38, 0x1, 0x1)
        k8s.io/klog/v2.0/klog.go:718 +0x15e
k8s.io/klog/v2.(*loggingT).print(...)
        k8s.io/klog/v2.0/klog.go:703
k8s.io/klog/v2.Fatal(...)
        k8s.io/klog/v2.0/klog.go:1443
github.com/openshift/cluster-policy-controller/pkg/security/controller.(*NamespaceSCCAllocationController).Run(0xc000c60000, 0xc0000b9bc0)
        github.com/openshift/cluster-policy-controller/pkg/security/controller/namespace_scc_allocation_controller.go:116 +0x21b
created by github.com/openshift/cluster-policy-controller/pkg/cmd/controller.RunNamespaceSecurityAllocationController
        github.com/openshift/cluster-policy-controller/pkg/cmd/controller/security.go:46 +0x5b4

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install latest 4.6 cluster
2. check cluster-policy-controller.logs on the bootstrap node
3.

Actual results:
you could see that cluster-policy-controller comes up fine, but above errors in the description will be seen.

Expected results:
CPC should start fine and should not see any errors

Additional info:

Comment 1 David Eads 2020-09-30 14:49:08 UTC
*** Bug 1882101 has been marked as a duplicate of this bug. ***

Comment 3 RamaKasturi 2020-10-06 06:43:20 UTC
Tried verifying the bug with the latest payload and i see that  new resource which is "rangeallocations.security.internal.openshift.io" is getting updated instead of old one "rangeallocations.security.openshift.io" but still below errors in the cluster-policy-controller log file. Is that expected ?

E1006 05:18:55.581007       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:18:55.603974       1 reflector.go:127] k8s.io/client-go.0/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
W1006 05:18:55.604537       1 warnings.go:67] extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
E1006 05:18:56.629012       1 reflector.go:127] k8s.io/client-go.0/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E1006 05:18:59.284960       1 reflector.go:127] k8s.io/client-go.0/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E1006 05:19:04.471800       1 reflector.go:127] k8s.io/client-go.0/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E1006 05:19:05.586309       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:19:15.608814       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:19:15.811716       1 reflector.go:127] k8s.io/client-go.0/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E1006 05:19:25.604746       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:19:35.588644       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:19:35.839566       1 reflector.go:127] k8s.io/client-go.0/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E1006 05:19:45.623711       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:19:55.604708       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:20:05.585542       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:20:08.914551       1 reflector.go:127] k8s.io/client-go.0/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E1006 05:20:15.585260       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:20:25.585476       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:20:35.584909       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:20:45.271719       1 reflector.go:127] k8s.io/client-go.0/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)
E1006 05:20:45.585275       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:20:55.584885       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope
E1006 05:21:05.583511       1 namespace_scc_allocation_controller.go:259] rangeallocations.security.internal.openshift.io "scc-uid" is forbidden: User "system:serviceaccount:openshift-infra:namespace-security-allocation-controller" cannot get resource "rangeallocations" in API group "security.internal.openshift.io" at the cluster scope

Also i do see that oc api-resources lists the new one.

[knarra@knarra Openshift]$ oc api-resources | grep security.internal
rangeallocations                                       security.internal.openshift.io        false        RangeAllocation

payload where the bug was verified :
=====================================
[knarra@knarra Openshift]$ oc version
Client Version: 4.6.0-202009302026.p0-eadaf89
Server Version: 4.6.0-0.nightly-2020-10-03-051134
Kubernetes Version: v1.19.0+db1fc96

Comment 6 RamaKasturi 2020-10-12 06:34:03 UTC
Tried verifying bug with the payload below and i do not see any errors in the cluster-policy-controller.log related to rangeallocations.security.internal.openshift.io. However i am still seeing the error as below, will move the bug to verified state once check with dev.

[knarra@knarra Openshift]$ oc get clusterversion
NAME      VERSION      AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-rc.2   True        False         44m     Cluster version is 4.6.0-rc.2
[knarra@knarra Openshift]$ oc version
Client Version: 4.6.0-202010081244.p0-074039a
Server Version: 4.6.0-rc.2
Kubernetes Version: v1.19.0+d59ce34

[knarra@knarra Openshift]$ oc api-resources | grep security.internal
rangeallocations                                       security.internal.openshift.io        false        RangeAllocation

E1012 05:16:40.472868       1 reflector.go:127] k8s.io/client-go.0/tools/cache/reflector.go:156: Failed to watch *v1.ImageStream: failed to list *v1.ImageStream: the server could not find the requested resource (get imagestreams.image.openshift.io)

Comment 7 RamaKasturi 2020-10-12 10:40:03 UTC
Above error pasted in comment 6 is  seen during bootstrap in the cluster-policy-controller.log file and it might be because kube-apiserver is temporarily unavailable.

Based on comment 6 moving the bug to verified state as once the cluster is up and running i do not see the above logs present in cluster-poliy-controller log file any more.

Comment 9 errata-xmlrpc 2020-10-27 16:45:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

Comment 10 Red Hat Bugzilla 2023-09-14 06:08:54 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days


Note You need to log in before you can comment on or make changes to this bug.