
[occm] Fix incorrect SA name in auth-delegate clusterRoleBinding in OCCM helm chart

Open HaoruiPeng opened this issue 4 months ago • 4 comments

What this PR does / why we need it:

The OCCM helm chart binds the clusterrole 'system:auth-delegator' to the service account openstack-cloud-controller-manager for the service monitor; the value is read from occm.name. However, the correct SA name created by the chart is 'cloud-controller-manager', a value read from .Values.serviceAccountName.

Which issue this PR fixes (if applicable):

The wrong SA name caused the service monitor to fail the authentication to create tokenreviews. Error message:

Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openstack-system:cloud-controller-manager" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope

Special notes for reviewers:

Release note:

NONE

HaoruiPeng, Jun 09 '25 12:06
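The mismatch described in this PR can be caught before deployment by checking that every ServiceAccount subject in a binding matches a ServiceAccount that actually exists. The following is an added example, not code from the PR or from cloud-provider-openstack. It assumes the input is a list of objects shaped like the `items` of `kubectl get ... -o json`; the two SA names and the namespace are taken from the PR text, while the binding name is a constructed placeholder.

```python
# Added example: find RBAC bindings whose ServiceAccount subjects do not exist.
import json

# Constructed sample, shaped like the "items" of `kubectl get ... -o json`.
# SA names and namespace come from the PR text; the binding name is a placeholder.
SAMPLE = json.loads("""
[
 {"kind": "ServiceAccount",
  "metadata": {"name": "cloud-controller-manager", "namespace": "openstack-system"}},
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "example-auth-delegator-binding"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
              "name": "system:auth-delegator"},
  "subjects": [{"kind": "ServiceAccount",
                "name": "openstack-cloud-controller-manager",
                "namespace": "openstack-system"}]}
]
""")

def dangling_subjects(objects):
    """Return (binding, roleRef name, 'namespace/name') for each ServiceAccount
    subject that no ServiceAccount object in `objects` matches."""
    existing = {(o["metadata"].get("namespace"), o["metadata"]["name"])
                for o in objects if o.get("kind") == "ServiceAccount"}
    findings = []
    for o in objects:
        if o.get("kind") not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        for s in o.get("subjects") or []:
            if s.get("kind") != "ServiceAccount":
                continue
            # Fall back to the binding's namespace if the subject omits one.
            ns = s.get("namespace") or o["metadata"].get("namespace")
            if (ns, s["name"]) not in existing:
                findings.append((o["metadata"]["name"], o["roleRef"]["name"],
                                 f"{ns}/{s['name']}"))
    return findings

def fixed(objects):
    """Deep copy of the sample with the subject pointing at the SA that exists."""
    objs = json.loads(json.dumps(objects))
    objs[1]["subjects"][0]["name"] = "cloud-controller-manager"
    return objs

if __name__ == "__main__":
    for binding, role, subject in dangling_subjects(SAMPLE):
        print(f"{binding}: {role} bound to missing ServiceAccount {subject}")
```

A dangling subject is worth flagging beyond the failed tokenreviews call: the binding takes effect for any ServiceAccount later created with that name in that namespace.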