Bug 1995824 - CDI permission error fills up logs
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Storage
Version: 4.8.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.9.2
Assignee: Alex Kalenyuk
QA Contact: Yan Du
Reported: 2021-08-19 20:08 UTC by Adam Litke
Modified: 2022-01-19 17:51 UTC (History)

Fixed In Version: CNV v4.9.2-15
Last Closed: 2022-01-19 17:49:52 UTC

Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | kubevirt containerized-data-importer pull 2055 | 0 | None | Merged | used uncached client to get cluster proxy configmap | 2022-01-16 09:50:47 UTC |
| Github | kubevirt containerized-data-importer pull 2057 | 0 | None | Merged | [release-v1.38] used uncached client to get cluster proxy configmap (#2055) | 2022-01-16 09:52:09 UTC |
| Red Hat Product Errata | RHSA-2022:0191 | 0 | None | None | None | 2022-01-19 17:51:06 UTC |

Description Adam Litke 2021-08-19 20:08:34 UTC
Description of problem:

On a cluster otherwise behaving normally, the following error message can be seen repeatedly (~ every 30s) in the logs of the cdi-deployment Pod:

1 reflector.go:138] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:229: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cnv:cdi-sa" cannot list resource "configmaps" in API group "" at the cluster scope



Version-Release number of selected component (if applicable): 4.8.4


How reproducible: Always


Steps to Reproduce:
1. Install OpenShift Virtualization :)

Comment 6 Adam Litke 2021-09-14 16:26:38 UTC
Still unsure how reproducible this is and/or if it was a transient error in a specific OCP version.  Pushing to 4.9.1 to get some more time to gather information.

Comment 9 Adam Litke 2021-11-02 13:41:50 UTC
This permission error was related to an OpenShift bug which was fixed. We can no longer reproduce this error.

Comment 10 Ramon Gordillo 2021-12-21 11:45:32 UTC
E1221 11:41:32.762292       1 reflector.go:138] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:229: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cnv:cdi-sa" cannot list resource "configmaps" in API group "" at the cluster scope

Fresh 4.9.1 installation on OCP 4.9.11

Comment 12 Adam Litke 2022-01-12 18:30:54 UTC
Yes, I'll reopen.

Comment 13 Yan Du 2022-01-18 07:03:57 UTC
Tested this bug on several OCP-4.9.15, CNV-v4.9.2-27 clusters.
Cannot reproduce this error.

Comment 19 errata-xmlrpc 2022-01-19 17:49:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.9.2 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0191
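
Added example (not from the bug report or the CDI project): a small Go triage helper that parses the API server's "forbidden" text out of reflector lines like the ones quoted above and counts each distinct denied request, showing which service account, verb, resource and scope are involved and how often the denial repeats. The sample log is constructed around the line from comment 10; the later timestamps, the second service account and the `SummarizeDenials` name are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Denial is one distinct request the API server refused for lack of RBAC permission.
type Denial struct{ User, Verb, Resource, APIGroup, Scope string }

// Matches the "forbidden" text in the reflector lines quoted in this report,
// plus the namespaced form of the same API server message.
var forbiddenRE = regexp.MustCompile(`User "([^"]+)" cannot (\w+) resource "([^"]+)" ` +
	`in API group "([^"]*)" (?:at the cluster scope|in the namespace "([^"]+)")`)

// Constructed sample: the first line is the one from comment 10, the rest are made up.
const sampleLog = `E1221 11:41:32.762292       1 reflector.go:138] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:229: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cnv:cdi-sa" cannot list resource "configmaps" in API group "" at the cluster scope
E1221 11:42:02.000000       1 reflector.go:138] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:229: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cnv:cdi-sa" cannot list resource "configmaps" in API group "" at the cluster scope
E1221 11:42:32.000000       1 reflector.go:138] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:229: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cnv:cdi-sa" cannot list resource "configmaps" in API group "" at the cluster scope
I1221 11:42:40.000000       1 example.go:1] reconcile finished
E1221 11:42:45.000000       1 example.go:2] secrets "example" is forbidden: User "system:serviceaccount:example-ns:example-sa" cannot get resource "secrets" in API group "" in the namespace "example-ns"`

// SummarizeDenials counts how often each distinct RBAC denial occurs in a log.
// An empty APIGroup is the core group, written apiGroups: [""] in an RBAC rule.
func SummarizeDenials(log string) map[Denial]int {
	counts := map[Denial]int{}
	for _, line := range strings.Split(log, "\n") {
		m := forbiddenRE.FindStringSubmatch(line)
		if m == nil {
			continue // not an RBAC denial
		}
		scope := "cluster"
		if m[5] != "" {
			scope = "namespace/" + m[5]
		}
		counts[Denial{m[1], m[2], m[3], m[4], scope}]++
	}
	return counts
}

func main() {
	for d, n := range SummarizeDenials(sampleLog) {
		fmt.Printf("%dx %s: %s %s (group %q) scope=%s\n",
			n, d.User, d.Verb, d.Resource, d.APIGroup, d.Scope)
	}
}
```

A high count for a single cluster-scope entry, as in the sample, points at one repeating list/watch rather than many unrelated permission gaps.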

