1918375 – [calico] rbac-proxy container in kube-proxy fails to create tokenreviews

Bug 1918375 - [calico] rbac-proxy container in kube-proxy fails to create tokenreviews

Summary: [calico] rbac-proxy container in kube-proxy fails to create tokenreviews

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	4.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.8.0
Assignee:	Alexander Constantinescu
QA Contact:	zhaozhanqi
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1967972
TreeView+	depends on / blocked

Reported:	2021-01-20 15:10 UTC by Cesar Wong
Modified:	2021-06-04 16:41 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-02-24 15:55:11 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift cluster-network-operator pull 960	0	None	closed	Bug 1918375: Add tokenreviews permissions for kube-proxy	2021-06-04 16:43:50 UTC
Red Hat Product Errata	RHSA-2020:5633	0	None	None	None	2021-02-24 15:55:35 UTC

Description Cesar Wong 2021-01-20 15:10:14 UTC

Description of problem:
When using Calico as the network provider, the rbac-proxy container in kube-proxy pods fails to create token reviews.

Version-Release number of selected component (if applicable):
4.7

Steps to Reproduce:
1. Install OpenShift with Calico as the network provider
2. Inspect log of the rbac-proxy container in kube-proxy pod(s)

Actual results:
The following error appears in the log:
E0119 18:57:17.512404       1 proxy.go:73] Unable to authenticate the request due to an error: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-kube-proxy:openshift-kube-proxy" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope

Expected results:
No errors appear in the log

Additional info:
e2e test: https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_release/15053/rehearse-15053-release-openshift-origin-installer-e2e-aws-calico-4.7/1351588780695359488
rbac-proxy log: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_release/15053/rehearse-15053-release-openshift-origin-installer-e2e-aws-calico-4.7/1351588780695359488/artifacts/e2e-aws/pods/openshift-kube-proxy_openshift-kube-proxy-56vl7_kube-rbac-proxy.log

Comment 1 zhaozhanqi 2021-02-08 07:38:48 UTC

verified the fixed PR with cluster-bot deploy one cluster by 'launch openshift/cluster-network-operator#960 aws'

and then deploy cluster with Calico plugin, no found above error:


# oc get pod -n openshift-kube-proxy
NAME                         READY   STATUS    RESTARTS   AGE
openshift-kube-proxy-4fmsd   2/2     Running   0          4h22m
openshift-kube-proxy-6gpzn   2/2     Running   0          4h22m
openshift-kube-proxy-glsl4   2/2     Running   0          4h24m
openshift-kube-proxy-kc2g7   2/2     Running   0          4h32m
openshift-kube-proxy-nrxsm   2/2     Running   0          4h32m
openshift-kube-proxy-w68gx   2/2     Running   0          4h32m
# oc logs openshift-kube-proxy-4fmsd -n openshift-kube-proxy
error: a container name must be specified for pod openshift-kube-proxy-4fmsd, choose one of: [kube-proxy kube-rbac-proxy]

[root@preserve-zzhao 207]# oc logs openshift-kube-proxy-4fmsd -n openshift-kube-proxy -c kube-rbac-proxy
I0208 03:12:34.271077       1 main.go:190] Valid token audiences: 
I0208 03:12:34.271170       1 main.go:278] Reading certificate files
I0208 03:12:34.271399       1 main.go:311] Starting TCP socket on :9102
I0208 03:12:34.271713       1 main.go:318] Listening securely on :9102

Comment 3 zhaozhanqi 2021-02-09 03:29:02 UTC

Move to verified according to comment 1

Comment 6 errata-xmlrpc 2021-02-24 15:55:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

Note You need to log in before you can comment on or make changes to this bug.