Fix RBAC for leader election

Alexandre Lossent requested to merge fix_rbac_leader_election into master

I encountered the following error after a pod was evicted; the landb operator was stuck:

d67dfd57-9ftsp"}
{"level":"info","ts":1600452039.899802,"logger":"leader","msg":"Deleting evicted leader."}
{"level":"error","ts":1600452039.9024239,"logger":"leader","msg":"Leader pod could not be deleted.","error":"pods \"landb-operator-5cd67dfd57-9ftsp\" is forbidden: User \"system:serviceaccount:openshift-cern-landb:landb-operator\" cannot delete resource \"pods\" in API group \"\" in the namespace \"openshift-cern-landb\"","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\tpkg/mod/github.com/go-logr/zapr@v0.1.1/zapr.go:128\ngithub.com/operator-framework/operator-sdk/pkg/leader.Become\n\tsrc/github.com/operator-framework/operator-sdk/pkg/leader/leader.go:132\ngithub.com/operator-framework/operator-sdk/pkg/ansible.Run\n\tsrc/github.com/operator-framework/operator-sdk/pkg/ansible/run.go:162\ngithub.com/operator-framework/operator-sdk/cmd/operator-sdk/execentrypoint.newRunAnsibleCmd.func1\n\tsrc/github.com/operator-framework/operator-sdk/cmd/operator-sdk/execentrypoint/ansible.go:44\ngithub.com/spf13/cobra.(*Command).execute\n\tpkg/mod/github.com/spf13/cobra@v0.0.5/command.go:826\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\tpkg/mod/github.com/spf13/cobra@v0.0.5/command.go:914\ngithub.com/spf13/cobra.(*Command).Execute\n\tpkg/mod/github.com/spf13/cobra@v0.0.5/command.go:864\nmain.main\n\tsrc/github.com/operator-framework/operator-sdk/cmd/operator-sdk/main.go:39\nruntime.main\n\t/home/travis/.gimme/versions/go1.13.11.linux.amd64/src/runtime/proc.go:203"}

Indeed:

# oc get pod -n openshift-cern-landb
NAME                              READY   STATUS    RESTARTS   AGE
landb-operator-5cd67dfd57-9ftsp   0/1     Evicted   0          35d
landb-operator-5cd67dfd57-fnv26   1/1     Running   7          20d

I imported missing permissions from https://gitlab.cern.ch/paas-tools/operators/landb-operator/-/blob/master/deploy/role.yaml
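To turn a denial like the one in the log above into the narrowest Role rule that would have allowed it, the "forbidden" message can be parsed directly. This is an added example, not part of the merge request or the landb-operator project; the function name `missing_rules` is hypothetical, the regex assumes the message format shown in the log, and the sample lines are the page's log lines with the stacktrace field omitted.

```python
import json
import re
from collections import defaultdict

# Message format as it appears in the "error" field of the log above.
FORBIDDEN = re.compile(
    r'User "(?P<user>system:serviceaccount:[^"]+)" '
    r'cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"'
)

def missing_rules(log_lines):
    """Collect denied API calls and merge them into minimal Role rules."""
    verbs = defaultdict(set)
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if not isinstance(entry, dict):
            continue
        m = FORBIDDEN.search(str(entry.get("error", "")))
        if m:
            key = (m["ns"], m["user"], m["group"], m["resource"])
            verbs[key].add(m["verb"])
    # One rule per (namespace, subject, apiGroup, resource), verbs merged.
    return [
        {"namespace": ns, "subject": user,
         "rule": {"apiGroups": [group], "resources": [resource],
                  "verbs": sorted(vs)}}
        for (ns, user, group, resource), vs in sorted(verbs.items())
    ]

# Log lines from the page, stacktrace field omitted.
SAMPLE = [
    'd67dfd57-9ftsp"}',
    '{"level":"info","ts":1600452039.899802,"logger":"leader",'
    '"msg":"Deleting evicted leader."}',
    r'{"level":"error","ts":1600452039.9024239,"logger":"leader",'
    r'"msg":"Leader pod could not be deleted.","error":"pods '
    r'\"landb-operator-5cd67dfd57-9ftsp\" is forbidden: User '
    r'\"system:serviceaccount:openshift-cern-landb:landb-operator\" '
    r'cannot delete resource \"pods\" in API group \"\" in the '
    r'namespace \"openshift-cern-landb\""}',
]

if __name__ == "__main__":
    print(json.dumps(missing_rules(SAMPLE), indent=2))
```

Each returned `rule` has the shape of an entry under `rules:` in a Role manifest, so the output can be compared against the existing role to see which verbs are absent.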