
release v23.01.0: missing clusterroles #799

Closed
khassel opened this issue Feb 1, 2023 · 1 comment

Comments


khassel commented Feb 1, 2023

Describe the bug

Installing new trident version v23.01.0

  • trident-operator starts but errors with
time="2023-02-01T11:28:27Z" level=error msg="Object creation failed." err="clusterroles.rbac.authorization.k8s.io \"trident-controller\" is forbidden: user \"system:serviceaccount:trident:trident-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:trident\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"policy\"], Resources:[\"podsecuritypolicies\"], ResourceNames:[\"trident-controller\"], Verbs:[\"use\"]}" yamlDocument="---\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n  name: trident-controller\n  labels:\n    trident_version: v23.01.0\n    app: controller.csi.trident.netapp.io\n    k8s_version: v1.23.8\n  ownerReferences:\n  - controller: true\n    kind: TridentOrchestrator\n    name: trident\n    uid: 88288ffc-a2e0-4ead-bd89-47a7730a4af3\n    apiVersion: trident.netapp.io/v1\nrules:\n  - apiGroups: [\"\"]\n    resources: [\"namespaces\"]\n    verbs: [\"get\", \"list\"]\n  - apiGroups: [\"\"]\n    resources: [\"persistentvolumes\"]\n    verbs: [\"get\", \"list\", \"watch\", \"create\", \"delete\", \"update\", \"patch\"]\n  - apiGroups: [\"\"]\n    resources: [\"persistentvolumeclaims\"]\n    verbs: [\"get\", \"list\", \"watch\", \"create\", \"update\", \"patch\"]\n  - apiGroups: [\"\"]\n    resources: [\"persistentvolumeclaims/status\"]\n    verbs: [\"update\", \"patch\"]\n  - apiGroups: [\"storage.k8s.io\"]\n    resources: [\"storageclasses\"]\n    verbs: [\"get\", \"list\", \"watch\", \"create\", \"delete\", \"update\", \"patch\"]\n  - apiGroups: [\"\"]\n    resources: [\"events\"]\n    verbs: [\"get\", \"list\", \"watch\", \"create\", \"update\", \"patch\"]\n  - apiGroups: [\"\"]\n    resources: [\"resourcequotas\"]\n    verbs: [\"get\", \"list\", \"delete\", \"patch\"]\n  - apiGroups: [\"\"]\n    resources: [\"pods\"]\n    verbs: [\"get\", \"list\", \"watch\"]\n  - apiGroups: [\"\"]\n    resources: [\"nodes\"]\n    verbs: [\"get\", \"list\", \"watch\"]\n  - apiGroups: [\"storage.k8s.io\"]\n    resources: [\"volumeattachments\"]\n    verbs: [\"get\", \"list\", \"watch\", \"update\", \"patch\"]\n  - apiGroups: [\"storage.k8s.io\"]\n    resources: [\"volumeattachments/status\"]\n    verbs: [\"update\", \"patch\"]\n  - apiGroups: [\"snapshot.storage.k8s.io\"]\n    resources: [\"volumesnapshots\", \"volumesnapshotclasses\"]\n    verbs: [\"get\", \"list\", \"watch\"]\n  - apiGroups: [\"snapshot.storage.k8s.io\"]\n    resources: [\"volumesnapshots/status\", \"volumesnapshotcontents/status\"]\n    verbs: [\"update\", \"patch\"]\n  - apiGroups: [\"snapshot.storage.k8s.io\"]\n    resources: [\"volumesnapshotcontents\"]\n    verbs: [\"get\", \"list\", \"watch\", \"update\", \"patch\"]\n  - apiGroups: [\"storage.k8s.io\"]\n    resources: [\"csinodes\"]\n    verbs: [\"get\", \"list\", \"watch\"]\n  - apiGroups: [\"trident.netapp.io\"]\n    resources: [\"tridentversions\", \"tridentbackends\", \"tridentstorageclasses\", \"tridentvolumes\",\"tridentnodes\",\n\"tridenttransactions\", \"tridentsnapshots\", \"tridentbackendconfigs\", \"tridentbackendconfigs/status\",\n\"tridentmirrorrelationships\", \"tridentmirrorrelationships/status\", \"tridentsnapshotinfos\",\n\"tridentsnapshotinfos/status\", \"tridentvolumepublications\", \"tridentvolumereferences\"]\n    verbs: [\"get\", \"list\", \"watch\", \"create\", \"delete\", \"update\", \"patch\"]\n  - apiGroups: [\"policy\"]\n    resources: [\"podsecuritypolicies\"]\n    verbs: [\"use\"]\n    resourceNames:\n      - trident-controller\n"
  • patched clusterrole.yaml by adding trident-controller to the section
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
  • new error in trident-operator
time="2023-02-01T11:30:13Z" level=error msg="Object creation failed." err="roles.rbac.authorization.k8s.io \"trident-node-linux\" is forbidden: user \"system:serviceaccount:trident:trident-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:trident\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"policy\"], Resources:[\"podsecuritypolicies\"], ResourceNames:[\"trident-node-linux\"], Verbs:[\"use\"]}" yamlDocument="---\nkind: Role\napiVersion: \"rbac.authorization.k8s.io/v1\"\nmetadata:\n  namespace: trident\n  name: trident-node-linux\n  labels:\n    app: node.csi.trident.netapp.io\n  ownerReferences:\n  - apiVersion: trident.netapp.io/v1\n    controller: true\n    kind: TridentOrchestrator\n    name: trident\n    uid: 88288ffc-a2e0-4ead-bd89-47a7730a4af3\nrules:\n  - apiGroups: [\"policy\"]\n    resources: [\"podsecuritypolicies\"]\n    verbs: [\"use\"]\n    resourceNames:\n      - trident-node-linux\n"
  • patched clusterrole.yaml by adding trident-node-linux to the section
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
  • now trident-operator starts without errors and all other pods (trident-controller, trident-node-linux) are created
  • the tridentorchestrator events from kubectl -n trident describe tridentorchestrator trident show
Events:
  Type     Reason      Age                    From                        Message
  ----     ------      ----                   ----                        -------
  Normal   Installing  4m29s                  trident-operator.netapp.io  Installing Trident
  Normal   Installed   4m18s                  trident-operator.netapp.io  Trident installed
  Warning  Failed      3m2s (x23 over 4m14s)  trident-operator.netapp.io  Failed to install Trident; err: failed to create the Trident pod security policy; failed to create or patch Trident controller pod security policy; could not patch Trident Pod security policy; podsecuritypolicies.policy "trident-controller" is forbidden: User "system:serviceaccount:trident:trident-operator" cannot patch resource "podsecuritypolicies" in API group "policy" at the cluster scope
  • patched clusterrole.yaml by adding trident-controller to the section
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - delete
      - update
      - patch

Now everything works.

Environment

  • Trident version: v23.01.0
  • Container runtime: Docker v20.10.21
  • Kubernetes version: v1.23.8
  • Kubernetes orchestrator: Rancher v2.7.1
  • OS: centos7
  • NetApp backend types: ONTAP SAN

To Reproduce
see description

Expected behavior
start trident without the need to patch clusterroles

@khassel khassel added the bug label Feb 1, 2023
@gnarl gnarl added the tracked label Feb 1, 2023
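All three errors in the report come from the same comparison: the API server refuses to let the trident-operator service account create a ClusterRole or Role that grants a permission the operator does not itself hold (the "attempting to grant RBAC permissions not currently held" escalation check), and later refuses a plain patch of a PodSecurityPolicy the operator has no patch verb on. The following added example is not Trident or Kubernetes code; it is a simplified model of that rule-coverage logic (the real implementation in k8s.io/kubernetes also handles subresources, NonResourceURLs and authorizer-backed checks). The operator's held rules (OPERATOR_HELD and the two patched variants) are constructed to reproduce the issue, since the page does not show the operator's own clusterrole.yaml; the target rules are trimmed from the first log line above.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    """One RBAC PolicyRule. Empty resource_names means 'any resource name'."""
    api_groups: tuple
    resources: tuple
    verbs: tuple
    resource_names: tuple = ()

    @classmethod
    def of(cls, groups, resources, verbs, names=()):
        return cls(tuple(groups), tuple(resources), tuple(verbs), tuple(names))


def _match(wanted, allowed):
    return "*" in allowed or wanted in allowed


def rule_covers(held, group, resource, verb, name):
    """True if one held rule grants `verb` on `resource` in `group` for `name`.
    name == "" stands for 'every name' and is covered only by a held rule
    that itself has no resourceNames restriction."""
    if not (_match(group, held.api_groups)
            and _match(resource, held.resources)
            and _match(verb, held.verbs)):
        return False
    if not held.resource_names:
        return True
    return name != "" and name in held.resource_names


def uncovered(target_rules, held_rules):
    """Expand target_rules into atomic (group, resource, verb, name) permissions
    and return those that no rule in held_rules grants. An empty result means
    the grantor may create the role without escalating its own privileges."""
    missing = []
    for r in target_rules:
        names = r.resource_names or ("",)
        for g, res, v, n in product(r.api_groups, r.resources, r.verbs, names):
            if not any(rule_covers(h, g, res, v, n) for h in held_rules):
                missing.append((g, res, v, n))
    return missing


ALL = ["get", "list", "watch", "create", "delete", "update", "patch"]

# Rules of the ClusterRole the operator tries to create, taken from the first
# error in the issue and trimmed to three representative entries.
TRIDENT_CONTROLLER_ROLE = [
    Rule.of([""], ["persistentvolumes"], ALL),
    Rule.of(["storage.k8s.io"], ["storageclasses"], ALL),
    Rule.of(["policy"], ["podsecuritypolicies"], ["use"], ["trident-controller"]),
]

# Constructed stand-in for the operator's own ClusterRole before any patch: the
# PSP "use" grant names a different policy, and no verb allows patching PSPs.
OPERATOR_HELD = [
    Rule.of([""], ["persistentvolumes", "pods", "nodes"], ALL),
    Rule.of(["storage.k8s.io"], ["storageclasses"], ALL),
    Rule.of(["policy"], ["podsecuritypolicies"], ["use"], ["trident-operator"]),
    Rule.of(["policy"], ["podsecuritypolicies"], ["get", "list", "create"]),
]

# The issue's first patch: add trident-controller to the "use" rule's names.
OPERATOR_AFTER_USE_PATCH = OPERATOR_HELD[:2] + [
    Rule.of(["policy"], ["podsecuritypolicies"], ["use"],
            ["trident-operator", "trident-controller"]),
    OPERATOR_HELD[3],
]

# The issue's third patch: let the operator delete/update/patch that PSP.
OPERATOR_AFTER_PATCH_VERBS = OPERATOR_AFTER_USE_PATCH + [
    Rule.of(["policy"], ["podsecuritypolicies"], ["delete", "update", "patch"],
            ["trident-controller"]),
]

# Plain authorization question behind the third error: may the operator
# patch the trident-controller PSP at all?
PSP_PATCH = [Rule.of(["policy"], ["podsecuritypolicies"], ["patch"], ["trident-controller"])]


def demo():
    """Run the checks from the issue and return the missing permissions of each."""
    return {
        "create role, before patch": uncovered(TRIDENT_CONTROLLER_ROLE, OPERATOR_HELD),
        "create role, after use patch": uncovered(TRIDENT_CONTROLLER_ROLE, OPERATOR_AFTER_USE_PATCH),
        "patch psp, after use patch": uncovered(PSP_PATCH, OPERATOR_AFTER_USE_PATCH),
        "patch psp, after verbs patch": uncovered(PSP_PATCH, OPERATOR_AFTER_PATCH_VERBS),
    }


if __name__ == "__main__":
    for check, missing in demo().items():
        print(f"{check}: {'ok' if not missing else missing}")
```

Running uncovered() against a release's operator ClusterRole and the roles it will create is a cheap pre-upgrade check for exactly this class of regression; the right fix is always to add the specific missing rule to the operator's own role, as the reporter did, rather than widen the operator to cluster-admin to silence the escalation error.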
gnarl (Contributor) commented Feb 21, 2023

This issue is fixed with commit a3aca40 and will be included in the next Trident release.

@gnarl gnarl closed this as completed Feb 21, 2023