1917256 – User "system:serviceaccount:openshift-image-registry:pruner" cannot list resource "statefulsets"

Bug 1917256 - User "system:serviceaccount:openshift-image-registry:pruner" cannot list resource "statefulsets"

Summary: User "system:serviceaccount:openshift-image-registry:pruner" cannot list reso...

Keywords:
Status:	CLOSED DUPLICATE of bug 1915902
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Image Registry
Sub Component:
Version:	4.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	---
Assignee:	Oleg Bulatov
QA Contact:	Wenjing Zheng
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-01-18 08:15 UTC by Robert Bohne
Modified:	2021-01-18 13:16 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-01-18 09:12:55 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Robert Bohne 2021-01-18 08:15:17 UTC

Description of problem:

After a fresh installation of 4.7.0-fc.2 the image pruner pods fails with:

Error from server (Forbidden): statefulsets.apps is forbidden: User "system:serviceaccount:openshift-image-registry:pruner" cannot list resource "statefulsets" in API group "apps" at the cluster scope

Image registry stucks in degraded.

$ oc get co/image-registry
NAME             VERSION      AVAILABLE   PROGRESSING   DEGRADED   SINCE
image-registry   4.7.0-fc.2   True        False         True       15h

Version-Release number of selected component (if applicable):  4.7.0-fc.2 


How reproducible:

Install openshift 4.7.0-fc.2

Actual results:

degraded co/image-registry

Expected results:

not degraded co/image-registry

Additional info:

```
$ oc get co/image-registry -oyaml
apiVersion: config.openshift.io/v1
kind: ClusterOperator
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  creationTimestamp: "2021-01-17T15:45:06Z"
  generation: 1
  managedFields:
  - apiVersion: config.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:include.release.openshift.io/ibm-cloud-managed: {}
          f:include.release.openshift.io/self-managed-high-availability: {}
          f:include.release.openshift.io/single-node-developer: {}
      f:spec: {}
      f:status:
        .: {}
        f:extension: {}
    manager: cluster-version-operator
    operation: Update
    time: "2021-01-17T15:45:06Z"
  - apiVersion: config.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:conditions: {}
        f:relatedObjects: {}
        f:versions: {}
    manager: cluster-image-registry-operator
    operation: Update
    time: "2021-01-17T15:54:09Z"
  name: image-registry
  resourceVersion: "170129"
  selfLink: /apis/config.openshift.io/v1/clusteroperators/image-registry
  uid: 199ddd45-a4fd-4eb6-8a37-d5746a9a71fd
spec: {}
status:
  conditions:
  - lastTransitionTime: "2021-01-17T16:19:46Z"
    message: |-
      Available: The registry is ready
      ImagePrunerAvailable: Pruner CronJob has been created
    reason: Ready
    status: "True"
    type: Available
  - lastTransitionTime: "2021-01-17T16:19:46Z"
    message: 'Progressing: The registry is ready'
    reason: Ready
    status: "False"
    type: Progressing
  - lastTransitionTime: "2021-01-18T00:00:08Z"
    message: 'ImagePrunerDegraded: Job has reached the specified backoff limit'
    reason: ImagePrunerJobFailed
    status: "True"
    type: Degraded
  extension: null
  relatedObjects:
  - group: imageregistry.operator.openshift.io
    name: cluster
    resource: configs
  - group: imageregistry.operator.openshift.io
    name: cluster
    resource: imagepruners
  - group: rbac.authorization.k8s.io
    name: system:registry
    resource: clusterroles
  - group: rbac.authorization.k8s.io
    name: registry-registry-role
    resource: clusterrolebindings
  - group: rbac.authorization.k8s.io
    name: openshift-image-registry-pruner
    resource: clusterrolebindings
  - group: ""
    name: openshift-image-registry
    resource: namespaces
  versions:
  - name: operator
    version: 4.7.0-fc.2
```

Comment 1 Robert Bohne 2021-01-18 09:12:55 UTC

Fixed in 4.7.0-fc.3

Comment 2 Oleg Bulatov 2021-01-18 13:16:34 UTC


*** This bug has been marked as a duplicate of bug 1915902 ***

Note You need to log in before you can comment on or make changes to this bug.