Bug 1917256
| Summary: | User "system:serviceaccount:openshift-image-registry:pruner" cannot list resource "statefulsets" | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Robert Bohne <rbohne> |
| Component: | Image Registry | Assignee: | Oleg Bulatov <obulatov> |
| Status: | CLOSED DUPLICATE | QA Contact: | Wenjing Zheng <wzheng> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.7 | CC: | aos-bugs |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-01-18 09:12:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Fixed in 4.7.0-fc.3

*** This bug has been marked as a duplicate of bug 1915902 ***

Description of problem:

After a fresh installation of 4.7.0-fc.2, the image pruner pods fail with:

Error from server (Forbidden): statefulsets.apps is forbidden: User "system:serviceaccount:openshift-image-registry:pruner" cannot list resource "statefulsets" in API group "apps" at the cluster scope

Image registry is stuck in degraded.

```
$ oc get co/image-registry
NAME             VERSION      AVAILABLE   PROGRESSING   DEGRADED   SINCE
image-registry   4.7.0-fc.2   True        False         True       15h
```

Version-Release number of selected component (if applicable):

4.7.0-fc.2

How reproducible:

Install OpenShift 4.7.0-fc.2

Actual results:

degraded co/image-registry

Expected results:

not degraded co/image-registry

Additional info:

```
$ oc get co/image-registry -oyaml
apiVersion: config.openshift.io/v1
kind: ClusterOperator
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  creationTimestamp: "2021-01-17T15:45:06Z"
  generation: 1
  managedFields:
  - apiVersion: config.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:include.release.openshift.io/ibm-cloud-managed: {}
          f:include.release.openshift.io/self-managed-high-availability: {}
          f:include.release.openshift.io/single-node-developer: {}
      f:spec: {}
      f:status:
        .: {}
        f:extension: {}
    manager: cluster-version-operator
    operation: Update
    time: "2021-01-17T15:45:06Z"
  - apiVersion: config.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:conditions: {}
        f:relatedObjects: {}
        f:versions: {}
    manager: cluster-image-registry-operator
    operation: Update
    time: "2021-01-17T15:54:09Z"
  name: image-registry
  resourceVersion: "170129"
  selfLink: /apis/config.openshift.io/v1/clusteroperators/image-registry
  uid: 199ddd45-a4fd-4eb6-8a37-d5746a9a71fd
spec: {}
status:
  conditions:
  - lastTransitionTime: "2021-01-17T16:19:46Z"
    message: |-
      Available: The registry is ready
      ImagePrunerAvailable: Pruner CronJob has been created
    reason: Ready
    status: "True"
    type: Available
  - lastTransitionTime: "2021-01-17T16:19:46Z"
    message: 'Progressing: The registry is ready'
    reason: Ready
    status: "False"
    type: Progressing
  - lastTransitionTime: "2021-01-18T00:00:08Z"
    message: 'ImagePrunerDegraded: Job has reached the specified backoff limit'
    reason: ImagePrunerJobFailed
    status: "True"
    type: Degraded
  extension: null
  relatedObjects:
  - group: imageregistry.operator.openshift.io
    name: cluster
    resource: configs
  - group: imageregistry.operator.openshift.io
    name: cluster
    resource: imagepruners
  - group: rbac.authorization.k8s.io
    name: system:registry
    resource: clusterroles
  - group: rbac.authorization.k8s.io
    name: registry-registry-role
    resource: clusterrolebindings
  - group: rbac.authorization.k8s.io
    name: openshift-image-registry-pruner
    resource: clusterrolebindings
  - group: ""
    name: openshift-image-registry
    resource: namespaces
  versions:
  - name: operator
    version: 4.7.0-fc.2
```