Bug 2104984 - Infrastructure operator missing clusterrole permissions for interacting with mutatingwebhookconfigurations
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: multicluster engine for Kubernetes
Classification: Red Hat
Component: Infrastructure Operator
Version: 2.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: mce-2.1
Assignee: Michael Filanov
QA Contact: Chad Crum
Docs Contact: Derek
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-07-07 15:50 UTC by Trey West
Modified: 2022-09-06 22:34 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-06 22:33:25 UTC
Target Upstream Version:
Embargoed:
cbynum: multicluster-engine-2.1+
cbynum: multicluster-engine-2.1.z+




Links:
Github stolostron backlog issues 24100 (last updated 2022-07-07 18:23:11 UTC)
Red Hat Product Errata RHSA-2022:6370 (last updated 2022-09-06 22:34:29 UTC)

Description Trey West 2022-07-07 15:50:33 UTC
Description of the problem:

The infrastructure operator is experiencing permission errors because it lacks the permissions needed to create mutatingwebhookconfigurations.

This is indirectly causing validatingwebhookconfigurations to break, because the infrastructure operator is practically stuck in a loop hitting the mutatingwebhookconfigurations permissions errors and so it's not doing its job of reconciling other resources.

Release version:

Operator snapshot version:
MCE 2.1 (2.1.0-DOWNANDBACK-2022-07-07-08-17-35)

OCP version:
4.11

Steps to reproduce:
1. Install a hub cluster with 2.1.0-DOWNANDBACK-2022-07-07-08-17-35

Actual results:
Infrastructure operator pod cannot create mutatingwebhookconfigurations and is stuck in a loop.

Expected results:
mutatingwebhookconfigurations are created as expected and the operator is fully functional.

Additional info:


Logs from infrastructure-operator pod:
W0707 15:49:37.175312       1 reflector.go:324] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:250: failed to list *v1.MutatingWebhookConfiguration: mutatingwebhookconfigurations.admissionregistration.k8s.io is forbidden: User "system:serviceaccount:multicluster-engine:assisted-service" cannot list resource "mutatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope
E0707 15:49:37.175372       1 reflector.go:138] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:250: Failed to watch *v1.MutatingWebhookConfiguration: failed to list *v1.MutatingWebhookConfiguration: mutatingwebhookconfigurations.admissionregistration.k8s.io is forbidden: User "system:serviceaccount:multicluster-engine:assisted-service" cannot list resource "mutatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope

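Added example, not code from the bug report or from the operator itself: a small Python helper that parses controller-runtime reflector lines like the two above, extracts the RBAC denial (service account, verb, resource, API group), and renders the least-privilege ClusterRole fragment that would clear it. The ClusterRole name and the expansion of a forbidden "list" into list+watch for an informer cache are my assumptions.

```python
import re
from collections import defaultdict

# Pattern for the RBAC denial the API server returns and controller-runtime's
# reflector surfaces as a warning; it matches the log lines quoted in this bug.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)" at the cluster scope')
# A reflector lists before it watches, so a forbidden "list" hides the "watch"
# denial that would follow; an informer-backed cache needs both verbs (assumption).
INFORMER_VERBS = {"list": ("list", "watch")}

# Constructed sample: the two reflector lines from the bug description above.
SA = "system:serviceaccount:multicluster-engine:assisted-service"
DENIAL = ('mutatingwebhookconfigurations.admissionregistration.k8s.io is forbidden: '
          f'User "{SA}" cannot list resource "mutatingwebhookconfigurations" in API group '
          '"admissionregistration.k8s.io" at the cluster scope')
SAMPLE_LOG = (
    "W0707 15:49:37.175312       1 reflector.go:324] sigs.k8s.io/controller-runtime/"
    f"pkg/cache/internal/informers_map.go:250: failed to list *v1.MutatingWebhookConfiguration: {DENIAL}\n"
    "E0707 15:49:37.175372       1 reflector.go:138] sigs.k8s.io/controller-runtime/"
    "pkg/cache/internal/informers_map.go:250: Failed to watch *v1.MutatingWebhookConfiguration: "
    f"failed to list *v1.MutatingWebhookConfiguration: {DENIAL}\n")

def parse_denials(log_text):
    """Return the distinct (user, verb, resource, group) denials in the log, in order."""
    found = []
    for m in FORBIDDEN_RE.finditer(log_text):
        entry = (m["user"], m["verb"], m["resource"], m["group"])
        if entry not in found:
            found.append(entry)
    return found

def missing_rules(denials, informer=True):
    """Map each denied user to {(api_group, resource): sorted verbs it still needs}."""
    rules = defaultdict(lambda: defaultdict(set))
    for user, verb, resource, group in denials:
        verbs = INFORMER_VERBS.get(verb, (verb,)) if informer else (verb,)
        rules[user][(group, resource)].update(verbs)
    return {u: {k: sorted(v) for k, v in r.items()} for u, r in rules.items()}

def clusterrole_yaml(name, rules_for_user):
    """Render a least-privilege ClusterRole fragment that clears those denials."""
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
           "metadata:", f"  name: {name}", "rules:"]
    for (group, resource), verbs in sorted(rules_for_user.items()):
        out += [f'- apiGroups: ["{group}"]', f'  resources: ["{resource}"]',
                "  verbs: [" + ", ".join(f'"{v}"' for v in verbs) + "]"]
    return "\n".join(out) + "\n"
```

Running it on the two lines above yields one denial and a ClusterRole granting list and watch on mutatingwebhookconfigurations in admissionregistration.k8s.io; the name "assisted-service-webhooks" used in the check is a placeholder.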
Comment 1 Sarah Lavie 2022-07-10 08:38:48 UTC
Solved by taking the newest operator build as far as I know.

Comment 2 Trey West 2022-07-12 12:26:39 UTC
Verified that this behavior no longer occurs on 2.1.0-DOWNANDBACK-2022-07-08-09-45-12.

Comment 6 errata-xmlrpc 2022-09-06 22:33:25 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Advanced Cluster Management 2.6.0 security updates and bug fixes), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6370

