Bug 1958983 - Handling GCP's: Error 400: Permission accesscontextmanager.accessLevels.list is not valid for this resource
Summary: Handling GCP's: Error 400: Permission accesscontextmanager.accessLevels.list ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.7.z
Assignee: Joel Diaz
QA Contact: wang lin
URL:
Whiteboard:
Depends On: 1953077
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-05-10 14:27 UTC by OpenShift BugZilla Robot
Modified: 2021-06-29 04:20 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: A cluster on GCP using Passthrough mode will error when processing CredentialsRequest CRs referencing GCP Roles with pre-defined permissions that are not applicable to a GCP project. Consequence: GCP credentials that would otherwise be valid to satisfy a CredentialsRequest CR are rejected as invalid/missing permissions. Fix: Periodically fetch a list of permissions allowed to be tested against GCP projects, and use that list as a filter to ignore permissions that make not sense to test at the GCP project level. Result: CredentialsRequest CRs referencing pre-defined GCP Roles should work with the Cloud Credentials Operator in Passthrough mode no matter the permissions being requested.
Clone Of:
Environment:
Last Closed: 2021-06-29 04:19:47 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cloud-credential-operator pull 338 0 None open [release-4.7] Bug 1958983: rework GCP passthrough permissions checking 2021-05-10 14:28:00 UTC
Red Hat Product Errata RHBA-2021:2502 0 None None None 2021-06-29 04:20:13 UTC

Comment 1 wang lin 2021-05-27 05:22:31 UTC
Verified this bug using the built by cluster-bot with PR https://github.com/openshift/cloud-credential-operator/pull/338 merged.

$ oc get clusterversion
NAME      VERSION                                                  AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.ci.test-2021-05-27-041549-ci-ln-1j1yjy2-latest   True        False         27m     Cluster version is 4.7.0-0.ci.test-2021-05-27-041549-ci-ln-1j1yjy2-latest

Check cco is in passthrough mode
$ oc get secret -n kube-system gcp-credentials -o json | jq -r ".metadata.annotations"
{
  "cloudcredential.openshift.io/mode": "passthrough"
}

check cco logs,cco will ignore project scoped permission check, and won't hit the error.
#####
time="2021-05-27T04:56:09Z" level=info msg="clusteroperator status updated" controller=status
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of accesscontextmanager.accessLevels.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of accesscontextmanager.accessPolicies.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of accesscontextmanager.accessPolicies.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of accesscontextmanager.accessZones.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of accesscontextmanager.gcpUserAccessBindings.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of accesscontextmanager.policies.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of accesscontextmanager.policies.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of accesscontextmanager.servicePerimeters.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of assuredworkloads.operations.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of assuredworkloads.workload.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of billing.accounts.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of billing.accounts.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of billing.budgets.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of billing.credits.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of billing.resourceAssociations.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of billing.subscriptions.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of cloudprivatecatalogproducer.associations.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of cloudprivatecatalogproducer.catalogs.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of cloudprivatecatalogproducer.catalogs.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of cloudsupport.accounts.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of cloudsupport.accounts.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of consumerprocurement.accounts.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of consumerprocurement.orders.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of earlyaccesscenter.campaigns.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of earlyaccesscenter.customerAllowlists.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of resourcemanager.folders.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of resourcemanager.folders.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of resourcemanager.organizations.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of resourcemanager.tagKeys.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of resourcemanager.tagKeys.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of resourcemanager.tagValues.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of resourcemanager.tagValues.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:10Z" level=warning msg="Ignoring permission checking of securitycenter.notificationconfig.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:11Z" level=info msg="no existing secret found, will create one" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:11Z" level=info msg="secret created successfully" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds targetSecret=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:11Z" level=info msg="status has changed, updating" controller=credreq cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds secret=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:11Z" level=info msg="reconciling clusteroperator status"
time="2021-05-27T04:56:11Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:11Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-05-27T04:56:11Z" level=info msg="clusteroperator status updated" controller=status
time="2021-05-27T04:56:11Z" level=info msg="reconciling clusteroperator status"
time="2021-05-27T04:56:12Z" level=info msg="reconciling clusteroperator status"
time="2021-05-27T04:56:12Z" level=info msg="clusteroperator status updated" controller=status
time="2021-05-27T04:56:15Z" level=info msg="reconciling clusteroperator status"
time="2021-05-27T04:56:15Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/openshift-image-registry-gcs
time="2021-05-27T04:56:15Z" level=info msg="clusteroperator status updated" controller=status
time="2021-05-27T04:56:17Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs
time="2021-05-27T04:56:17Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs
time="2021-05-27T04:56:17Z" level=info msg="no existing secret found, will create one" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs
time="2021-05-27T04:56:17Z" level=info msg="secret created successfully" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs targetSecret=openshift-image-registry/installer-cloud-credentials
time="2021-05-27T04:56:17Z" level=info msg="status has changed, updating" controller=credreq cr=openshift-cloud-credential-operator/openshift-image-registry-gcs secret=openshift-image-registry/installer-cloud-credentials
time="2021-05-27T04:56:17Z" level=info msg="reconciling clusteroperator status"
time="2021-05-27T04:56:17Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/openshift-image-registry-gcs
time="2021-05-27T04:56:17Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/openshift-image-registry-gcs
time="2021-05-27T04:56:17Z" level=info msg="clusteroperator status updated" controller=status
time="2021-05-27T04:56:17Z" level=info msg="reconciling clusteroperator status"
time="2021-05-27T04:56:18Z" level=info msg="reconciling clusteroperator status"
time="2021-05-27T04:56:18Z" level=info msg="clusteroperator status updated" controller=status
time="2021-05-27T04:56:22Z" level=info msg="reconciling clusteroperator status"
time="2021-05-27T04:56:22Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/openshift-ingress-gcp
time="2021-05-27T04:56:22Z" level=info msg="clusteroperator status updated" controller=status
time="2021-05-27T04:56:23Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-ingress-gcp
time="2021-05-27T04:56:23Z" level=info msg="no existing secret found, will create one" actuator=gcp cr=openshift-cloud-credential-operator/openshift-ingress-gcp
time="2021-05-27T04:56:23Z" level=info msg="reconciling clusteroperator status"
time="2021-05-27T04:56:23Z" level=info msg="secret created successfully" actuator=gcp cr=openshift-cloud-credential-operator/openshift-ingress-gcp targetSecret=openshift-ingress-operator/cloud-credentials
time="2021-05-27T04:56:23Z" level=info msg="status has changed, updating" controller=credreq cr=openshift-cloud-credential-operator/openshift-ingress-gcp secret=openshift-ingress-operator/cloud-credentials
time="2021-05-27T04:56:23Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/openshift-ingress-gcp
time="2021-05-27T04:56:23Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/openshift-ingress-gcp
time="2021-05-27T04:56:23Z" level=info msg="clusteroperator status updated" controller=status
time="2021-05-27T04:56:23Z" level=info msg="reconciling clusteroperator status"
time="2021-05-27T04:56:24Z" level=info msg="reconciling clusteroperator status"
time="2021-05-27T04:56:24Z" level=info msg="clusteroperator status updated" controller=status
time="2021-05-27T04:56:29Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/openshift-machine-api-gcp
time="2021-05-27T04:56:29Z" level=info msg="reconciling clusteroperator status"
time="2021-05-27T04:56:29Z" level=info msg="clusteroperator status updated" controller=status
time="2021-05-27T04:56:31Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-machine-api-gcp
time="2021-05-27T04:56:31Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-machine-api-gcp
time="2021-05-27T04:56:31Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-machine-api-gcp
time="2021-05-27T04:56:31Z" level=info msg="no existing secret found, will create one" actuator=gcp cr=openshift-cloud-credential-operator/openshift-machine-api-gcp

Comment 2 wang lin 2021-05-27 05:31:23 UTC
the bug is pre-merge verified. After the PR gets merged, the bug will be moved to VERIFIED by the bot automatically or, if not working, by me manually.

Comment 5 wang lin 2021-06-15 03:25:02 UTC
Verified on nightly build again, the issue has fixed
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-06-12-151209   True        False         76m     Cluster version is 4.7.0-0.nightly-2021-06-12-151209


$ oc get secret -n kube-system gcp-credentials -o json | jq -r ".metadata.annotations"
{
  "cloudcredential.openshift.io/mode": "passthrough"
}

$ oc logs -f cloud-credential-operator-685944f57-mnfqr -c cloud-credential-operator | grep "Ignoring"
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of accesscontextmanager.accessLevels.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of accesscontextmanager.accessPolicies.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of accesscontextmanager.accessPolicies.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of accesscontextmanager.accessZones.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of accesscontextmanager.gcpUserAccessBindings.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of accesscontextmanager.policies.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of accesscontextmanager.policies.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of accesscontextmanager.servicePerimeters.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of assuredworkloads.operations.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of assuredworkloads.workload.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of billing.accounts.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of billing.accounts.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of billing.budgets.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of billing.credits.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of billing.resourceAssociations.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of billing.subscriptions.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of cloudprivatecatalogproducer.associations.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of cloudprivatecatalogproducer.catalogs.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of cloudprivatecatalogproducer.catalogs.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of cloudsupport.accounts.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of cloudsupport.accounts.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of consumerprocurement.accounts.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of consumerprocurement.orders.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of earlyaccesscenter.campaigns.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of earlyaccesscenter.customerAllowlists.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of resourcemanager.folders.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of resourcemanager.folders.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of resourcemanager.organizations.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of resourcemanager.tagKeys.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of resourcemanager.tagKeys.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of resourcemanager.tagValues.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of resourcemanager.tagValues.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T01:56:17Z" level=warning msg="Ignoring permission checking of securitycenter.notificationconfig.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:16Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-gcp-pd-csi-driver-operator
time="2021-06-15T03:06:16Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-gcp-pd-csi-driver-operator
time="2021-06-15T03:06:16Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-gcp-pd-csi-driver-operator
time="2021-06-15T03:06:17Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs
time="2021-06-15T03:06:17Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs
time="2021-06-15T03:06:17Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-ingress-gcp
time="2021-06-15T03:06:19Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-machine-api-gcp
time="2021-06-15T03:06:19Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-machine-api-gcp
time="2021-06-15T03:06:19Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/openshift-machine-api-gcp
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of accesscontextmanager.accessLevels.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of accesscontextmanager.accessPolicies.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of accesscontextmanager.accessPolicies.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of accesscontextmanager.accessZones.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of accesscontextmanager.gcpUserAccessBindings.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of accesscontextmanager.policies.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of accesscontextmanager.policies.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of accesscontextmanager.servicePerimeters.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of assuredworkloads.operations.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of assuredworkloads.workload.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of billing.accounts.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of billing.accounts.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of billing.budgets.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of billing.credits.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of billing.resourceAssociations.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of billing.subscriptions.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of cloudprivatecatalogproducer.associations.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of cloudprivatecatalogproducer.catalogs.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of cloudprivatecatalogproducer.catalogs.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of cloudsupport.accounts.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of cloudsupport.accounts.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of consumerprocurement.accounts.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of consumerprocurement.orders.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of earlyaccesscenter.campaigns.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of earlyaccesscenter.customerAllowlists.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of resourcemanager.folders.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of resourcemanager.folders.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of resourcemanager.organizations.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of resourcemanager.projects.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of resourcemanager.tagKeys.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of resourcemanager.tagKeys.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of resourcemanager.tagValues.getIamPolicy at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of resourcemanager.tagValues.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2021-06-15T03:06:20Z" level=warning msg="Ignoring permission checking of securitycenter.notificationconfig.list at project level" actuator=gcp cr=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds

Comment 6 OpenShift Automated Release Tooling 2021-06-17 12:29:08 UTC
OpenShift engineering has decided to not ship Red Hat OpenShift Container Platform 4.7.17 due a regression https://bugzilla.redhat.com/show_bug.cgi?id=1973006. All the fixes which were part of 4.7.17 will be now part of 4.7.18 and planned to be available in candidate channel on June 23 2021 and in fast channel on June 28th.

Comment 10 errata-xmlrpc 2021-06-29 04:19:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.18 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2502


Note You need to log in before you can comment on or make changes to this bug.