Description of the problem:
Unable to create a hypershift hosted cluster with Agent CAPI Provider using RHACM 2.5 bundled Assisted Service/Hive due to service account restrictions:

admission webhook \"ocm.validating.webhook.admission.open-cluster-management.io\" denied the request: user \"system:serviceaccount:clusters-hdhcp-0:capi-provider\" cannot add/remove the resource to/from ManagedClusterSet

Release version:
ACM 2.5.0-DOWNSTREAM-2022-02-21-19-58-55
OCP management cluster 4.10.0-0.nightly-2022-02-17-234353

Steps to reproduce:
1. Deploy OCP 4.10 via IPI BM in ipv4 env
2. Deploy RHACM 2.5 from DS snapshot and Assisted Service
3. Deploy Hypershift operator
4. Attempt to create hypershift managed cluster using agent capi provider

Actual results:
CAPI provider service account does not have rights to create the Cluster Deployment:

CAPI provider pod logs:

2022-02-22T15:41:15.872Z ERROR controller.agentcluster Reconciler error {"reconciler group": "capi-provider.agent-install.openshift.io", "reconciler kind": "AgentCluster", "name": "hdhcp-0", "namespace": "clusters-hdhcp-0", "error": "admission webhook \"ocm.validating.webhook.admission.open-cluster-management.io\" denied the request: user \"system:serviceaccount:clusters-hdhcp-0:capi-provider\" cannot add/remove the resource to/from ManagedClusterSet \"\""}

time="2022-02-22T15:57:55Z" level=error msg="Failed to create ClusterDeployment" func="github.com/openshift/cluster-api-provider-agent/controllers.(*AgentClusterReconciler).createClusterDeployment" file="/workspace/controllers/agentcluster_controller.go:259" agent_cluster=hdhcp-0 agent_cluster_namespace=clusters-hdhcp-0 error="admission webhook \"ocm.validating.webhook.admission.open-cluster-management.io\" denied the request: user \"system:serviceaccount:clusters-hdhcp-0:capi-provider\" cannot add/remove the resource to/from ManagedClusterSet \"\""

Expected results:
ClusterDeployment created successfully

Additional info:
Currently in ACM, if a user wants to provision a cluster, he/she must have join permission to the managedClusterset (if the user does not specify the clusterset in the clusterdeployment, the user must have join permission to all managedclustersets). So is it possible to add the permission to this service account?
Permission: https://github.com/stolostron/multicloud-operators-foundation/blob/4445a66a872a56a2bb629b59d764c4b45c3d0fe7/deploy/foundation/hub/resources/clusterrole.yaml#L38
Code logic to validate it: https://github.com/stolostron/multicloud-operators-foundation/blob/4445a66a872a56a2bb629b59d764c4b45c3d0fe7/pkg/webhook/clusterset/validatingWebhook.go#L67
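A simplified model of the rule described in the comment above, added here as an example (it is not the foundation webhook's code and not part of the original thread). It shows why the denial names ManagedClusterSet "": a ClusterDeployment without a clusterset label needs an unscoped join grant. Assumptions: the label key, the `create` verb on `managedclustersets/join`, the `joinGrant` type and the set name `hosted` are illustrative.

```go
package main

import "fmt"

// Assumed label a ClusterDeployment uses to name its ManagedClusterSet.
const clusterSetLabel = "cluster.open-cluster-management.io/clusterset"

// joinGrant stands in for one RBAC rule granting (assumed) verb "create" on
// "managedclustersets/join". An empty resourceName means "all sets".
type joinGrant struct {
	user         string
	resourceName string
}

// canJoin mimics the access review: a grant scoped to one set never matches
// a request that names no set.
func canJoin(grants []joinGrant, user, set string) bool {
	for _, g := range grants {
		if g.user == user && (g.resourceName == "" || g.resourceName == set) {
			return true
		}
	}
	return false
}

// admit returns "" when allowed, otherwise a denial in the form seen in the logs.
func admit(grants []joinGrant, user string, labels map[string]string) string {
	set := labels[clusterSetLabel] // "" when the ClusterDeployment names no set
	if canJoin(grants, user, set) {
		return ""
	}
	return fmt.Sprintf("user %q cannot add/remove the resource to/from ManagedClusterSet %q", user, set)
}

func main() {
	sa := "system:serviceaccount:clusters-hdhcp-0:capi-provider"
	scoped := []joinGrant{{user: sa, resourceName: "hosted"}} // constructed grant
	labelled := map[string]string{clusterSetLabel: "hosted"}

	fmt.Printf("no grant, no label:      %q\n", admit(nil, sa, nil))
	fmt.Printf("scoped grant, no label:  %q\n", admit(scoped, sa, nil))
	fmt.Printf("scoped grant, labelled:  %q\n", admit(scoped, sa, labelled))
	fmt.Printf("unscoped grant, no label: %q\n", admit([]joinGrant{{user: sa}}, sa, nil))
}
```

On a live hub, `oc auth can-i` with `--as` set to the service account is the equivalent check against the real RBAC rules.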
As discussed in https://coreos.slack.com/archives/C01FT9E4Q10/p1645603511153759 it should be ok now.
Fixed in: https://github.com/stolostron/multicloud-operators-foundation/pull/445
Validated this in 2.5.0-DOWNSTREAM-2022-03-22-18-59-30. I'm able to deploy a hypershift agent based hosted cluster and workers without errors.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:4956
@normanwolf2972126 For this issue, we already fixed it in https://bugzilla.redhat.com/show_bug.cgi?id=2057060#c3
Do you have any new requirements, or have any new issues happened?
(In reply to daliu from comment #9)
> Do you have any new requirement or is there any new issues happened ?

It's a spam comment, there's an SEO link hidden in the middle of the comment.