Bug 1955248 - OCP 4.8: Node Feature Discovery (NFD) Operator: serviceaccount "nfd-operator" not created when deployed from github latest master repo
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node Feature Discovery Operator
Version: 4.8
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.8.0
Assignee: Carlos Eduardo Arango Gutierrez
QA Contact: Walid A.
Reported: 2021-04-29 18:30 UTC by Walid A.
Modified: 2021-07-27 22:19 UTC (History)

Last Closed: 2021-07-27 22:19:28 UTC




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-nfd-operator pull 159 | 0 | None | open | Bug 1955248: fix kustomize for rbac roles | 2021-04-29 20:13:35 UTC
Red Hat Product Errata | RHBA-2021:2435 | 0 | None | None | None | 2021-07-27 22:19:38 UTC

Description Walid A. 2021-04-29 18:30:13 UTC
Description of problem:
When deploying the Node Feature Discovery (NFD) Operator on a GCP IPI cluster from the latest GitHub repo, it does not appear to be creating serviceaccount "nfd-operator", which is causing the operator to not deploy successfully:

[cluster-nfd-operator]# make deploy ORG=<username> PULLPOLICY=Always IMAGE_REGISTRY=quay.io/<username>
go: creating new go.mod: module tmp
Downloading sigs.k8s.io/kustomize/kustomize/v3.7
cd config/manager && /root/go/src/github.com/openshift/cluster-nfd-operator/bin/kustomize edit set image controller=quay.io/wabouham/cluster-nfd-operator:321c6cf9
/root/go/src/github.com/openshift/cluster-nfd-operator/bin/kustomize build config/default | kubectl apply -f -
namespace/openshift-nfd created
Warning: resource customresourcedefinitions/nodefeaturediscoveries.nfd.openshift.io is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/nodefeaturediscoveries.nfd.openshift.io configured
role.rbac.authorization.k8s.io/nfd-leader-election-role created
clusterrole.rbac.authorization.k8s.io/nfd-metrics-reader created
clusterrole.rbac.authorization.k8s.io/nfd-operator created
clusterrole.rbac.authorization.k8s.io/nfd-proxy-role created
rolebinding.rbac.authorization.k8s.io/nfd-leader-election-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/nfd-operator created
clusterrolebinding.rbac.authorization.k8s.io/nfd-proxy-rolebinding created
configmap/nfd-manager-config created
service/nfd-controller-manager-metrics-service created
deployment.apps/nfd-controller-manager created

# oc get pods -n openshift-nfd
No resources found in openshift-nfd namespace.

# oc get all -n openshift-nfd
NAME                                             TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
service/nfd-controller-manager-metrics-service   ClusterIP   172.30.86.76   <none>        8443/TCP   2m8s
NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nfd-controller-manager   0/1     0            0           2m7s
NAME                                               DESIRED   CURRENT   READY   AGE
replicaset.apps/nfd-controller-manager-bb7585555   1         0         0       2m7s

# oc get cm -n openshift-nfd
NAME                 DATA   AGE
kube-root-ca.crt     1      2m38s
nfd-manager-config   1      2m37s

# oc describe deployment -n openshift-nfd
Name:                   nfd-controller-manager
Namespace:              openshift-nfd
CreationTimestamp:      Thu, 29 Apr 2021 16:33:17 +0000
Labels:                 control-plane=controller-manager
Annotations:            deployment.kubernetes.io/revision: 1
Selector:               control-plane=controller-manager
Replicas:               1 desired | 0 updated | 0 total | 0 available | 1 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:           control-plane=controller-manager
  Service Account:  nfd-operator
  Containers:
   kube-rbac-proxy:
    Image:      gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
    Port:       8443/TCP
    Host Port:  0/TCP
    Args:
      --secure-listen-address=0.0.0.0:8443
      --upstream=http://127.0.0.1:8080/
      --logtostderr=true
      --v=10
    Environment:  <none>
    Mounts:       <none>
   manager:
    Image:      quay.io/wabouham/cluster-nfd-operator:321c6cf9
    Port:       <none>
    Host Port:  <none>
    Command:
      /node-feature-discovery-operator
    Args:
      --health-probe-bind-address=:8081
      --metrics-bind-address=127.0.0.1:8080
      --leader-elect
    Liveness:   http-get http://:8081/healthz delay=15s timeout=1s period=20s #success=1 #failure=3
    Readiness:  http-get http://:8081/readyz delay=5s timeout=1s period=10s #success=1 #failure=3
    Environment:
      WATCH_NAMESPACE:                (v1:metadata.namespace)
      POD_NAME:                       (v1:metadata.name)
      OPERATOR_NAME:                 cluster-nfd-operator
      NODE_FEATURE_DISCOVERY_IMAGE:  quay.io/openshift/origin-node-feature-discovery:4.8
    Mounts:                          <none>
  Volumes:                           <none>
Conditions:
  Type             Status  Reason
  ----             ------  ------
  Progressing      True    NewReplicaSetCreated
  Available        False   MinimumReplicasUnavailable
  ReplicaFailure   True    FailedCreate
OldReplicaSets:    <none>
NewReplicaSet:     nfd-controller-manager-bb7585555 (0/1 replicas created)
Events:
  Type    Reason             Age    From                   Message
  ----    ------             ----   ----                   -------
  Normal  ScalingReplicaSet  3m18s  deployment-controller  Scaled up replica set nfd-controller-manager-bb7585555 to 1

# oc get events -n openshift-nfd
LAST SEEN   TYPE      REASON              OBJECT                                        MESSAGE
2m10s       Warning   FailedCreate        replicaset/nfd-controller-manager-bb7585555   Error creating: pods "nfd-controller-manager-bb7585555-" is forbidden: error looking up service account openshift-nfd/nfd-operator: serviceaccount "nfd-operator" not found
4m54s       Normal    ScalingReplicaSet   deployment/nfd-controller-manager             Scaled up replica set nfd-controller-manager-bb7585555 to 1
4m56s       Normal    CreatedSCCRanges    namespace/openshift-nfd                       created SCC ranges


Version-Release number of selected component (if applicable):
Server Version: 4.8.0-0.nightly-2021-04-22-225832
Kubernetes Version: v1.21.0-rc.0+0ac2bde

How reproducible:
Every time

Steps to Reproduce:
1. Deploy IPI GCP cluster, 3 master and 3 worker nodes
2. git clone https://github.com/openshift/cluster-nfd-operator.git
3. cd cluster-nfd-operator
4. podman login to your quay.io account
5. Create local image:  ORG=<username> PULLPOLICY=Always IMAGE_REGISTRY=quay.io/<username> IMAGE_PUSH_CMD='podman push' IMAGE_BUILD_CMD='podman build' make image
6. podman push quay.io/<username>/cluster-nfd-operator:321c6cf9
7. make deploy ORG=<username> PULLPOLICY=Always IMAGE_REGISTRY=quay.io/<username>

Actual results:
Deployment of nfd-controller-manager fails
NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nfd-controller-manager   0/1     0            0           2m7s

Expected results:
nfd-controller-manager deployment successful and completed

Additional info:
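
The failure reported above (a Deployment naming a service account that the rendered manifests never create) can be caught before `kubectl apply`. The following is an added example, not part of the original report or the operator's code: the function names and both sample manifests are constructed for illustration, and the line-based scan assumes the block-style, two-space-indented YAML that `kustomize build` emits.

```python
import re

# Constructed sample in the shape of `kustomize build` output (not the project's
# real manifests): the Deployment names a service account that is never defined.
BROKEN_RENDER = """\
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-nfd
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nfd-controller-manager
  namespace: openshift-nfd
spec:
  template:
    spec:
      serviceAccountName: nfd-operator
"""
# Constructed ServiceAccount document, as a corrected render would contain.
SERVICE_ACCOUNT_DOC = """\
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfd-operator
  namespace: openshift-nfd
"""

def _metadata(doc):
    """Return (namespace, name) from the top-level metadata block of one document."""
    block = re.search(r"^metadata:\n((?:  .*\n?)+)", doc, re.MULTILINE)
    text = block.group(1) if block else ""
    name = re.search(r"^  name:\s*(\S+)", text, re.MULTILINE)
    ns = re.search(r"^  namespace:\s*(\S+)", text, re.MULTILINE)
    return (ns.group(1) if ns else "default", name.group(1) if name else None)

def missing_service_accounts(rendered):
    """List (namespace, name) service accounts referenced but absent from the render."""
    defined, referenced = set(), set()
    for doc in re.split(r"^---[ \t]*$", rendered, flags=re.MULTILINE):
        kind = re.search(r"^kind:\s*(\S+)", doc, re.MULTILINE)
        namespace, name = _metadata(doc)
        if kind and kind.group(1) == "ServiceAccount":
            defined.add((namespace, name))
        for ref in re.findall(r"^[ \t]+serviceAccountName:\s*(\S+)", doc, re.MULTILINE):
            referenced.add((namespace, ref))
    return sorted(referenced - defined)

if __name__ == "__main__":
    print(missing_service_accounts(BROKEN_RENDER))
```

A service account that already exists in the cluster but is not part of the render is also reported, so the check is strictest for self-contained deployments such as this one.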

Comment 2 Walid A. 2021-05-05 20:00:21 UTC
Verified on OCP version 4.8.0-fc.2, deployed nfd operator image just built from a cloned master repo and after we applied the nodefeaturediscoveries crd:

# make deploy ORG=wabouham PULLPOLICY=Always IMAGE_REGISTRY=quay.io/wabouham
go: creating new go.mod: module tmp
Downloading sigs.k8s.io/kustomize/kustomize/v3.7
cd config/manager && /root/go/src/github.com/openshift/cluster-nfd-operator/bin/kustomize edit set image controller=quay.io/wabouham/cluster-nfd-operator:8cbfd77a
/root/go/src/github.com/openshift/cluster-nfd-operator/bin/kustomize build config/default | kubectl apply -f -
namespace/openshift-nfd created
Warning: resource customresourcedefinitions/nodefeaturediscoveries.nfd.openshift.io is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
customresourcedefinition.apiextensions.k8s.io/nodefeaturediscoveries.nfd.openshift.io configured
serviceaccount/nfd-operator created
role.rbac.authorization.k8s.io/nfd-leader-election-role created
Warning: resource clusterroles/nfd-metrics-reader is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
clusterrole.rbac.authorization.k8s.io/nfd-metrics-reader configured
clusterrole.rbac.authorization.k8s.io/nfd-operator created
Warning: resource clusterroles/nfd-proxy-role is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
clusterrole.rbac.authorization.k8s.io/nfd-proxy-role configured
rolebinding.rbac.authorization.k8s.io/nfd-leader-election-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/nfd-operator created
Warning: resource clusterrolebindings/nfd-proxy-rolebinding is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
clusterrolebinding.rbac.authorization.k8s.io/nfd-proxy-rolebinding configured
configmap/nfd-manager-config created
service/nfd-controller-manager-metrics-service created
deployment.apps/nfd-controller-manager created


# oc apply -f /root/go/src/github.com/openshift/cluster-nfd-operator/config/samples/nfd.openshift.io_v1_nodefeaturediscovery.yaml
nodefeaturediscovery.nfd.openshift.io/nfd-instance created

# oc get pods -n  default
NAME                                                              READY   STATUS      RESTARTS   AGE
ff0c8a9d7f0601070764733f0bae54bb0110a7e8d656898cd9afd0c7d8mv4v2   0/1     Completed   0          27h
quay-io-wabouham-nfd-operator-bundle-0-0-1                        1/1     Running     0          27h


# oc get pods -n openshift-nfd
NAME                                      READY   STATUS    RESTARTS   AGE
nfd-controller-manager-78cb596c66-x8mz7   2/2     Running   0          66m
nfd-master-4987p                          1/1     Running   0          16s
nfd-master-vdwns                          1/1     Running   0          16s
nfd-master-zdg58                          1/1     Running   0          16s
nfd-worker-jj27b                          1/1     Running   0          16s
nfd-worker-jn9xp                          1/1     Running   0          16s
nfd-worker-pk8fd                          1/1     Running   0          16s

Comment 5 errata-xmlrpc 2021-07-27 22:19:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.8.2 extras update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2435

