cloud-provider-openstack
cloud-provider-openstack copied to clipboard
Published
20 hours ago •
kubernetes
kubernetes
[manila-csi-plugin] Missing RBACs with external-snapshotter v6
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
Creating a snapshot with external-snapshotter v6 causes following error:
0923 15:08:15.277833 1 snapshot_controller.go:189] updating VolumeSnapshotContent[snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be] error status failed volumesnapshotcontents.snapshot.storage.k8s.io "snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be" is forbidden: User "system:serviceaccount:default:c-openstack-manila-csi-controllerplugin" cannot patch resource "volumesnapshotcontents/status" in API group "snapshot.storage.k8s.io" at the cluster scope
E0923 15:08:15.277851 1 snapshot_controller.go:107] createSnapshot for content [snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be]: error occurred in createSnapshotWrapper: failed to add VolumeSnapshotBeingCreated annotation on the content snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be: "snapshot controller failed to update snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be on API server: volumesnapshotcontents.snapshot.storage.k8s.io \"snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be\" is forbidden: User \"system:serviceaccount:default:c-openstack-manila-csi-controllerplugin\" cannot patch resource \"volumesnapshotcontents\" in API group \"snapshot.storage.k8s.io\" at the cluster scope"
E0923 15:08:15.277858 1 snapshot_controller_base.go:283] could not sync content "snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be": failed to add VolumeSnapshotBeingCreated annotation on the content snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be: "snapshot controller failed to update snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be on API server: volumesnapshotcontents.snapshot.storage.k8s.io \"snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be\" is forbidden: User \"system:serviceaccount:default:c-openstack-manila-csi-controllerplugin\" cannot patch resource \"volumesnapshotcontents\" in API group \"snapshot.storage.k8s.io\" at the cluster scope"
I0923 15:08:15.277911 1 event.go:285] Event(v1.ObjectReference{Kind:"VolumeSnapshotContent", Namespace:"", Name:"snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be", UID:"e5d7c573-5fc8-406a-b9bc-c53b1c073bc7", APIVersion:"snapshot.storage.k8s.io/v1", ResourceVersion:"339472", FieldPath:""}): type: 'Warning' reason: 'SnapshotCreationFailed' Failed to create snapshot: failed to add VolumeSnapshotBeingCreated annotation on the content snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be: "snapshot controller failed to update snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be on API server: volumesnapshotcontents.snapshot.storage.k8s.io \"snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be\" is forbidden: User \"system:serviceaccount:default:c-openstack-manila-csi-controllerplugin\" cannot patch resource \"volumesnapshotcontents\" in API group \"snapshot.storage.k8s.io\" at the cluster scope"
I0923 15:08:15.277935 1 snapshot_controller_base.go:185] Failed to sync content "snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be", will retry again: failed to add VolumeSnapshotBeingCreated annotation on the content snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be: "snapshot controller failed to update snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be on API server: volumesnapshotcontents.snapshot.storage.k8s.io \"snapcontent-17d7d978-68e5-40e5-8096-bf52e385f6be\" is forbidden: User \"system:serviceaccount:default:c-openstack-manila-csi-controllerplugin\" cannot patch resource \"volumesnapshotcontents\" in API group \"snapshot.storage.k8s.io\" at the cluster scope"
We need to add the patch verb for the respective API resources.
What you expected to happen:
Creating a snapshot should succeed.
How to reproduce it:
Cluster with snapshot-controller v6. Deploy the driver with external-snapshotter v6.0.1 and try to create a snapshot.
Anything else we need to know?:
Environment:
- openstack-cloud-controller-manager(or other related binary) version:
- OpenStack version:
- Others:
