Bug 2059187 - [Secondary Scheduler] - key failed with : serviceaccounts "secondary-scheduler" is forbidden
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-scheduler
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.11.0
Assignee: Jan Chaloupka
QA Contact: RamaKasturi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-02-28 12:56 UTC by RamaKasturi
Modified: 2022-08-10 10:51 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-10 10:51:23 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift secondary-scheduler-operator pull 23 | 0 | None | Merged | bug 2059187: CSV: add missing serviceaccounts RBAC rule | 2022-02-28 13:57:31 UTC
Red Hat Product Errata | RHSA-2022:5069 | 0 | None | None | None | 2022-08-10 10:51:56 UTC

Description RamaKasturi 2022-02-28 12:56:57 UTC
Description of problem:
I see that the CR instance of the secondary scheduler operator does not get created, and the error below is seen in the scheduler logs.

E0228 10:52:16.282598       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"
I0228 11:02:16.286321       1 target_config_reconciler.go:129] Find ConfigMap customized for the secondaryscheduler.
E0228 11:02:16.290806       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"
I0228 11:08:25.709429       1 target_config_reconciler.go:129] Find ConfigMap customized for the secondaryscheduler.
E0228 11:08:25.715570       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"
I0228 11:12:16.275984       1 target_config_reconciler.go:129] Find ConfigMap customized for the secondaryscheduler.
E0228 11:12:16.280316       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"


Version-Release number of selected component (if applicable):
secondary-scheduler-operator-container-v1.0-5

How reproducible:
Always

Steps to Reproduce:
1. Install latest 4.10 cluster
2. Install secondary scheduler operator
3. Create configmap using the file https://github.com/openshift/secondary-scheduler-operator/blob/master/deploy/06_configmap.yaml
4. Create instance for CR with name secondary-scheduler

Actual results:
I see that the CR instance does not get created, and looking at the scheduler operator logs I hit the error below.

I0228 11:08:25.709429       1 target_config_reconciler.go:129] Find ConfigMap customized for the secondaryscheduler.
E0228 11:08:25.715570       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"
I0228 11:12:16.275984       1 target_config_reconciler.go:129] Find ConfigMap customized for the secondaryscheduler.
E0228 11:12:16.280316       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"


Expected results:
RBAC should not be missing for serviceaccounts.


Additional info:
https://github.com/openshift/secondary-scheduler-operator/blob/master/manifests/cluster-secondary-scheduler-operator.clusterserviceversion.yaml#L101 is missing the serviceaccounts RBAC, compared to https://github.com/openshift/secondary-scheduler-operator/blob/master/deploy/02_clusterrole.yaml#L22.
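
The denial quoted in this report names the subject, verb, resource, API group and namespace, which is everything a least-privilege RBAC rule needs. The Go program below is an added example, not part of the original report or the operator's code: it parses such log lines, collapses the repeated reconcile errors, and prints the matching rule entry. The names `Grant`, `MissingGrants` and `RuleYAML` are illustrative.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Three lines copied from the operator log quoted in this report.
const sampleLog = `E0228 10:52:16.282598       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"
I0228 11:02:16.286321       1 target_config_reconciler.go:129] Find ConfigMap customized for the secondaryscheduler.
E0228 11:02:16.290806       1 target_config_reconciler.go:278] key failed with : serviceaccounts "secondary-scheduler" is forbidden: User "system:serviceaccount:openshift-secondary-scheduler-operator:secondary-scheduler" cannot get resource "serviceaccounts" in API group "" in the namespace "openshift-secondary-scheduler-operator"`

// forbiddenRe matches the API server's RBAC denial text; the namespace part is
// absent for cluster-scoped requests, so it is optional here.
var forbiddenRe = regexp.MustCompile(`User "([^"]+)" cannot (\S+) resource "([^"]+)" in API group "([^"]*)"(?: in the namespace "([^"]+)")?`)

// Grant identifies who was refused access to what (illustrative type).
type Grant struct{ User, APIGroup, Resource, Namespace string }

// MissingGrants returns the refused verbs per Grant, in first-seen order.
func MissingGrants(log string) map[Grant][]string {
	out := map[Grant][]string{}
	seen := map[string]bool{}
	for _, m := range forbiddenRe.FindAllStringSubmatch(log, -1) {
		if seen[m[0]] {
			continue // same denial repeated on a later reconcile
		}
		seen[m[0]] = true
		g := Grant{User: m[1], APIGroup: m[4], Resource: m[3], Namespace: m[5]}
		out[g] = append(out[g], m[2])
	}
	return out
}

// RuleYAML renders one grant as an RBAC rule entry (apiGroups/resources/verbs).
func RuleYAML(g Grant, verbs []string) string {
	return fmt.Sprintf("- apiGroups: [%q]\n  resources: [%q]\n  verbs: [\"%s\"]\n",
		g.APIGroup, g.Resource, strings.Join(verbs, `", "`))
}

func main() {
	for g, v := range MissingGrants(sampleLog) {
		fmt.Printf("# %s (namespace %q)\n%s", g.User, g.Namespace, RuleYAML(g, v))
	}
}
```

The output lists only the verbs the API server has refused so far; once `get` is granted, the reconciler may go on to request further verbs on the same resource, so rerun the check against fresh logs.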

Comment 3 RamaKasturi 2022-03-03 10:10:51 UTC
Verified with the latest SSO and do not see this issue anymore. Based on this, moving the bug to verified state.

Comment 6 errata-xmlrpc 2022-08-10 10:51:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069

