Bug 1936707 - New CSV using ServiceAccount named "default" stuck in Pending during upgrade
Summary: New CSV using ServiceAccount named "default" stuck in Pending during upgrade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.7.z
Assignee: Ben Luddy
QA Contact: Bruno Andrade
URL:
Whiteboard:
Depends On: 1935909
Blocks: 1940649
Reported: 2021-03-09 00:04 UTC by OpenShift BugZilla Robot
Modified: 2021-03-30 04:46 UTC (History)
CC List: 2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1940649
Environment:
Last Closed: 2021-03-30 04:46:29 UTC
Target Upstream Version:
Embargoed:




Links:
- GitHub operator-framework/operator-lifecycle-manager pull 2034 (open): [release-4.7] Bug 1936707: Allow non-CSV-owned ServiceAccounts to satisfy CSV requirements. Last updated 2021-03-09 19:48:40 UTC
- Red Hat Product Errata RHSA-2021:0957. Last updated 2021-03-30 04:46:44 UTC

Description OpenShift BugZilla Robot 2021-03-09 00:04:19 UTC
+++ This bug was initially created as a clone of Bug #1935909 +++

Description of problem:

If an operator's ClusterServiceVersion specifies serviceAccountName "default", and the ServiceAccount "default" has an owner reference to a resource that is not a ClusterServiceVersion, then the CSV's status will indicate that its ServiceAccount requirement is PresentNotSatisfied:

- Kind:     ServiceAccount
  Message:  Service account is not owned by this ClusterServiceVersion
  Name:     default
  Status:   PresentNotSatisfied

Version-Release number of selected component (if applicable): 4.5

Regressed as part of a fix for another issue that has since been backported to 4.5.z (https://bugzilla.redhat.com/show_bug.cgi?id=1904584).

How reproducible: Always

Steps to Reproduce:
1. Ensure that a ServiceAccount exists named "default" and with an owner reference to any namespaced resource that is NOT a ClusterServiceVersion.
2. Create a CSV whose deployment strategy permissions use serviceAccountName "default". Small sample CSV here:

apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  name: sad-csv
  namespace: operators
spec:
  apiservicedefinitions: {}
  customresourcedefinitions: {}
  displayName: Sad Operator
  install:
    spec:
      permissions:
      - serviceAccountName: default
        rules: []
      deployments:
      - name: sad-deployment
        spec:
          selector:
            matchLabels:
              app: sad
          template:
            metadata:
              labels:
                app: sad
            spec:
              containers:
              - image: bitnami/nginx
                name: sad
    strategy: deployment
  installModes:
  - supported: true
    type: OwnNamespace
  - supported: true
    type: SingleNamespace
  - supported: true
    type: MultiNamespace
  - supported: true
    type: AllNamespaces

3. Look at the status of the created CSV.

Actual results:

status:
  requirementStatus:
  - group: ""
    kind: ServiceAccount
    message: Service account is not owned by this ClusterServiceVersion
    name: default
    status: PresentNotSatisfied
    version: v1

Expected results:

status:
  requirementStatus:
  - group: ""
    kind: ServiceAccount
    message: ""
    name: default
    status: Present
    version: v1
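
The following Go program is an added illustration of the requirement check this bug is about; it is not code from OLM or from the linked pull request. It models two versions of the check side by side: the regressed one, which reports a ServiceAccount as PresentNotSatisfied whenever it carries an owner reference to anything other than the CSV being installed, and a corrected one that follows the intent of the pull request title (non-CSV-owned ServiceAccounts satisfy the requirement, and only an account owned by a different CSV is rejected). The types, function names, the "owned by another ClusterServiceVersion" message and the exact rule of the corrected check are assumptions made for this example; the bug does not state how the regressed check treated an account with no owner references at all, and the model assumes such an account passed.

```go
package main

import "fmt"

// Constructed stand-ins for the Kubernetes metadata fields the check reads.
// These are not OLM's own types.
type OwnerReference struct {
	APIVersion string
	Kind       string
	Name       string
}

type ServiceAccount struct {
	Name            string
	OwnerReferences []OwnerReference
}

// Requirement status values as they appear under status.requirementStatus.
const (
	StatusPresent             = "Present"
	StatusPresentNotSatisfied = "PresentNotSatisfied"
	csvKind                   = "ClusterServiceVersion"
)

// ownedByThisCSV reports whether sa carries an owner reference to the CSV named csvName.
func ownedByThisCSV(sa ServiceAccount, csvName string) bool {
	for _, ref := range sa.OwnerReferences {
		if ref.Kind == csvKind && ref.Name == csvName {
			return true
		}
	}
	return false
}

// checkRegressed models the behaviour reported in this bug: an account whose
// owner references do not include this CSV is reported as PresentNotSatisfied,
// even when the owner is not a CSV at all. (How the regressed check handled an
// unowned account is not stated in the bug; this model assumes it passed.)
func checkRegressed(sa ServiceAccount, csvName string) (status, message string) {
	if len(sa.OwnerReferences) > 0 && !ownedByThisCSV(sa, csvName) {
		return StatusPresentNotSatisfied, "Service account is not owned by this ClusterServiceVersion"
	}
	return StatusPresent, ""
}

// checkFixed models the intent of the linked pull request ("allow non-CSV-owned
// ServiceAccounts to satisfy CSV requirements"): only an account owned by a
// *different* CSV fails; unowned accounts and accounts owned by non-CSV
// resources (a Deployment, a Job, ...) satisfy the requirement. The exact rule
// and the message text are assumptions of this example, not quotes of OLM.
func checkFixed(sa ServiceAccount, csvName string) (status, message string) {
	for _, ref := range sa.OwnerReferences {
		if ref.Kind == csvKind && ref.Name != csvName {
			return StatusPresentNotSatisfied, "Service account is owned by another ClusterServiceVersion"
		}
	}
	return StatusPresent, ""
}

func main() {
	// Constructed sample accounts covering the cases that matter for "sad-csv".
	cases := []ServiceAccount{
		{Name: "default"},
		{Name: "default", OwnerReferences: []OwnerReference{{APIVersion: "apps/v1", Kind: "Deployment", Name: "some-deployment"}}},
		{Name: "default", OwnerReferences: []OwnerReference{{APIVersion: "operators.coreos.com/v1alpha1", Kind: csvKind, Name: "other-csv"}}},
		{Name: "default", OwnerReferences: []OwnerReference{{APIVersion: "operators.coreos.com/v1alpha1", Kind: csvKind, Name: "sad-csv"}}},
	}
	for _, sa := range cases {
		before, _ := checkRegressed(sa, "sad-csv")
		after, _ := checkFixed(sa, "sad-csv")
		fmt.Printf("owners=%v regressed=%s fixed=%s\n", sa.OwnerReferences, before, after)
	}
}
```

Running it prints one line per sample account; the second case (owned by a Deployment) is the one from the report, where the regressed check says PresentNotSatisfied and the corrected check says Present, while an account owned by a different CSV is rejected by both.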

Comment 2 Bruno Andrade 2021-03-19 15:24:57 UTC
Looks good, steps used to reproduce it:

OCP Version: 4.7.0-0.nightly-2021-03-19-061202
OLM version: 0.17.0
git commit: e0b766f81141b5409940ecb10d9b5ae572e52a4c


1) Create the namespace; the default service account is present:

oc get sa default -n test-operators -o yaml
apiVersion: v1
imagePullSecrets:
- name: default-dockercfg-lmvgz
kind: ServiceAccount
metadata:
  creationTimestamp: "2021-03-19T15:13:54Z"
  name: default
  namespace: test-operators
  resourceVersion: "51727"
  selfLink: /api/v1/namespaces/test-operators/serviceaccounts/default
  uid: 4e06ab87-0dce-4cfd-b035-7555b4bac4b1
secrets:
- name: default-token-95ttq
- name: default-dockercfg-lmvgz

2) Create the operator group
3) Create the CSV as instructed
4) Check that the CSV installation succeeds:
  phase: Succeeded
  reason: InstallSucceeded
  requirementStatus:
  - group: ""
    kind: ServiceAccount
    message: ""
    name: default
    status: Present
    version: v1

Comment 5 errata-xmlrpc 2021-03-30 04:46:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.4 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0957

