Closed
Description
Describe the bug
Installing new Trident version v23.01.0: `trident-operator` starts but errors with
```
time="2023-02-01T11:28:27Z" level=error msg="Object creation failed." err="clusterroles.rbac.authorization.k8s.io \"trident-controller\" is forbidden: user \"system:serviceaccount:trident:trident-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:trident\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"policy\"], Resources:[\"podsecuritypolicies\"], ResourceNames:[\"trident-controller\"], Verbs:[\"use\"]}" yamlDocument="---\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: trident-controller\n labels:\n trident_version: v23.01.0\n app: controller.csi.trident.netapp.io\n k8s_version: v1.23.8\n ownerReferences:\n - controller: true\n kind: TridentOrchestrator\n name: trident\n uid: 88288ffc-a2e0-4ead-bd89-47a7730a4af3\n apiVersion: trident.netapp.io/v1\nrules:\n - apiGroups: [\"\"]\n resources: [\"namespaces\"]\n verbs: [\"get\", \"list\"]\n - apiGroups: [\"\"]\n resources: [\"persistentvolumes\"]\n verbs: [\"get\", \"list\", \"watch\", \"create\", \"delete\", \"update\", \"patch\"]\n - apiGroups: [\"\"]\n resources: [\"persistentvolumeclaims\"]\n verbs: [\"get\", \"list\", \"watch\", \"create\", \"update\", \"patch\"]\n - apiGroups: [\"\"]\n resources: [\"persistentvolumeclaims/status\"]\n verbs: [\"update\", \"patch\"]\n - apiGroups: [\"storage.k8s.io\"]\n resources: [\"storageclasses\"]\n verbs: [\"get\", \"list\", \"watch\", \"create\", \"delete\", \"update\", \"patch\"]\n - apiGroups: [\"\"]\n resources: [\"events\"]\n verbs: [\"get\", \"list\", \"watch\", \"create\", \"update\", \"patch\"]\n - apiGroups: [\"\"]\n resources: [\"resourcequotas\"]\n verbs: [\"get\", \"list\", \"delete\", \"patch\"]\n - apiGroups: [\"\"]\n resources: [\"pods\"]\n verbs: [\"get\", \"list\", \"watch\"]\n - apiGroups: [\"\"]\n resources: [\"nodes\"]\n verbs: [\"get\", \"list\", \"watch\"]\n - apiGroups: [\"storage.k8s.io\"]\n resources: [\"volumeattachments\"]\n verbs: [\"get\", \"list\", \"watch\", \"update\", \"patch\"]\n - apiGroups: [\"storage.k8s.io\"]\n resources: [\"volumeattachments/status\"]\n verbs: [\"update\", \"patch\"]\n - apiGroups: [\"snapshot.storage.k8s.io\"]\n resources: [\"volumesnapshots\", \"volumesnapshotclasses\"]\n verbs: [\"get\", \"list\", \"watch\"]\n - apiGroups: [\"snapshot.storage.k8s.io\"]\n resources: [\"volumesnapshots/status\", \"volumesnapshotcontents/status\"]\n verbs: [\"update\", \"patch\"]\n - apiGroups: [\"snapshot.storage.k8s.io\"]\n resources: [\"volumesnapshotcontents\"]\n verbs: [\"get\", \"list\", \"watch\", \"update\", \"patch\"]\n - apiGroups: [\"storage.k8s.io\"]\n resources: [\"csinodes\"]\n verbs: [\"get\", \"list\", \"watch\"]\n - apiGroups: [\"trident.netapp.io\"]\n resources: [\"tridentversions\", \"tridentbackends\", \"tridentstorageclasses\", \"tridentvolumes\",\"tridentnodes\",\n\"tridenttransactions\", \"tridentsnapshots\", \"tridentbackendconfigs\", \"tridentbackendconfigs/status\",\n\"tridentmirrorrelationships\", \"tridentmirrorrelationships/status\", \"tridentsnapshotinfos\",\n\"tridentsnapshotinfos/status\", \"tridentvolumepublications\", \"tridentvolumereferences\"]\n verbs: [\"get\", \"list\", \"watch\", \"create\", \"delete\", \"update\", \"patch\"]\n - apiGroups: [\"policy\"]\n resources: [\"podsecuritypolicies\"]\n verbs: [\"use\"]\n resourceNames:\n - trident-controller\n"
```
- patched `clusterrole.yaml` by adding `trident-controller` to section
```yaml
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - use
```
- new error in `trident-operator`
```
time="2023-02-01T11:30:13Z" level=error msg="Object creation failed." err="roles.rbac.authorization.k8s.io \"trident-node-linux\" is forbidden: user \"system:serviceaccount:trident:trident-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:trident\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"policy\"], Resources:[\"podsecuritypolicies\"], ResourceNames:[\"trident-node-linux\"], Verbs:[\"use\"]}" yamlDocument="---\nkind: Role\napiVersion: \"rbac.authorization.k8s.io/v1\"\nmetadata:\n namespace: trident\n name: trident-node-linux\n labels:\n app: node.csi.trident.netapp.io\n ownerReferences:\n - apiVersion: trident.netapp.io/v1\n controller: true\n kind: TridentOrchestrator\n name: trident\n uid: 88288ffc-a2e0-4ead-bd89-47a7730a4af3\nrules:\n - apiGroups: [\"policy\"]\n resources: [\"podsecuritypolicies\"]\n verbs: [\"use\"]\n resourceNames:\n - trident-node-linux\n"
```
- patched `clusterrole.yaml` by adding `trident-node-linux` to section
```yaml
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - use
```
- now `trident-operator` starts without errors and all other pods (`trident-controller`, `trident-node-linux`) are created; `tridentorchestrator` events with `kubectl -n trident describe tridentorchestrator trident` are showing
```
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Installing 4m29s trident-operator.netapp.io Installing Trident
Normal Installed 4m18s trident-operator.netapp.io Trident installed
Warning Failed 3m2s (x23 over 4m14s) trident-operator.netapp.io Failed to install Trident; err: failed to create the Trident pod security policy; failed to create or patch Trident controller pod security policy; could not patch Trident Pod security policy; podsecuritypolicies.policy "trident-controller" is forbidden: User "system:serviceaccount:trident:trident-operator" cannot patch resource "podsecuritypolicies" in API group "policy" at the cluster scope
```
- patched `clusterrole.yaml` by adding `trident-controller` to section
```yaml
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - delete
  - update
  - patch
```
Now everything works.
Environment
- Trident version: v23.01.0
- Container runtime: Docker v20.10.21
- Kubernetes version: v1.23.8
- Kubernetes orchestrator: Rancher v2.7.1
- OS: CentOS 7
- NetApp backend types: ONTAP SAN
To Reproduce
See description.
Expected behavior
Start Trident without the need to patch clusterroles.
sfritze
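The errors in this issue come from the Kubernetes RBAC escalation-prevention check: a subject can only create or update a Role/ClusterRole whose rules it already holds (unless it has the `escalate` verb on roles), and the later `Failed` event is plain authorization on the PSP object. The following added example, not code from the issue or the Trident project, models both checks on constructed rule sets (the `OPERATOR_HELD` rules are an assumed minimal subset, not the real `trident-operator` ClusterRole) so an operator's required RBAC can be verified before deployment instead of being patched afterwards:

```python
from itertools import product

# Atom = (apiGroup, resource, resourceName-or-None, verb); None means "any name".
def expand(rule):
    """Split one RBAC PolicyRule dict into atomic permission tuples."""
    names = rule.get("resourceNames") or [None]
    return set(product(rule["apiGroups"], rule["resources"], names, rule["verbs"]))

def covers(held, atom):
    """Does one held atom grant the requested atom? Simplification (assumption):
    only exact matches and the '*' wildcard, no 'pods/*' subresource globbing."""
    hg, hr, hn, hv = held
    g, r, n, v = atom
    return hg in ("*", g) and hr in ("*", r) and hv in ("*", v) and hn in (None, n)

def allowed(held_rules, atom):
    """Ordinary authorization: can a subject holding held_rules perform atom?"""
    return any(covers(h, atom) for r in held_rules for h in expand(r))

def missing_permissions(held_rules, wanted_rules):
    """Escalation-prevention check: atoms in wanted_rules the subject does not hold.
    A non-empty result is what the API server reports as 'attempting to grant
    RBAC permissions not currently held' (absent the 'escalate' verb on roles)."""
    wanted = set().union(*(expand(r) for r in wanted_rules))
    return sorted((a for a in wanted if not allowed(held_rules, a)), key=repr)

# Constructed subset of what an operator service account might hold (assumption,
# not the real trident-operator ClusterRole).
OPERATOR_HELD = [
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles", "roles"],
     "verbs": ["get", "list", "create", "update", "patch", "delete"]},
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
     "verbs": ["get", "list", "create"]},
]
# The rule the operator tried to write into the trident-controller ClusterRole
# (the one quoted in the first error message of the issue).
PSP_USE_RULE = [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                 "resourceNames": ["trident-controller"], "verbs": ["use"]}]
# The two patches from the issue: first 'use', later 'delete/update/patch'.
PSP_PATCH_RULE = {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                  "resourceNames": ["trident-controller"], "verbs": ["delete", "update", "patch"]}
OPERATOR_WITH_USE = OPERATOR_HELD + PSP_USE_RULE
OPERATOR_FIXED = OPERATOR_WITH_USE + [PSP_PATCH_RULE]

if __name__ == "__main__":
    print(missing_permissions(OPERATOR_HELD, PSP_USE_RULE))      # first error: 'use' not held
    print(missing_permissions(OPERATOR_WITH_USE, PSP_USE_RULE))  # [] after the first patch
    psp_patch = ("policy", "podsecuritypolicies", "trident-controller", "patch")
    print(allowed(OPERATOR_WITH_USE, psp_patch), allowed(OPERATOR_FIXED, psp_patch))  # False True
```

The same `missing_permissions` check can be run over an operator's full intended ClusterRole and Role manifests before applying them, which tells you the minimal grant the operator service account needs rather than the broad one.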