openshift/hypershift-toolkit

Cluster deploy timing issue may leave role bindings missing for hours

rtheis opened this issue · 1 comments

There is a timing issue that may leave role bindings (see example OpenShift API server logs below) missing for hours after a cluster deployment. The missing shared-resource-viewers role binding causes oc new-app --name myapp https://github.com/openshift/nodejs-ex.git to fail to build due to error error: build error: After retrying 2 times, Pull image still failed due to error: unauthorized: authentication required. There are likely other impacts beyond this example. Eventually the missing role bindings are created hours later, thus allowing oc new-app to work.

E0413 16:44:39.080537       1 storage_rbac.go:316] unable to reconcile rolebinding.rbac.authorization.k8s.io/shared-resource-viewers in openshift: rolebindings.rbac.authorization.k8s.io "shared-resource-viewers" is forbidden: could not list rolebinding restrictions: the server could not find the requested resource (get rolebindingrestrictions.authorization.openshift.io)
E0413 16:42:58.333934       1 storage_rbac.go:316] unable to reconcile rolebinding.rbac.authorization.k8s.io/system:node-config-reader in openshift-node: rolebindings.rbac.authorization.k8s.io "system:node-config-reader" is forbidden: could not list rolebinding restrictions: the server could not find the requested resource (get rolebindingrestrictions.authorization.openshift.io)
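
A triage check for the symptom reported above, added here as an example and not part of the original issue or the hypershift-toolkit code: it scans OpenShift API server log lines for failed role binding reconciliation, reports which bindings are affected and over what time span, and flags whether the cause is the rolebindingrestrictions API not being served. The function and field names are assumptions, and the last two sample lines are constructed.

```python
import re
# klog header: severity + MMDD, time, thread id, "file:line]", then the message.
KLOG = re.compile(
    r"^(?P<sev>[IWEF])(?P<mmdd>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{6})\s+\d+ "
    r"[^\]\s]+\] (?P<msg>.*)$"
)
RECONCILE = re.compile(
    r"unable to reconcile rolebinding\.rbac\.authorization\.k8s\.io/"
    r"(?P<name>\S+) in (?P<ns>[^\s:]+): (?P<reason>.*)$"
)
# Cause shown in the issue's logs: the restriction API was not yet being served.
NOT_SERVED = ("could not find the requested resource "
              "(get rolebindingrestrictions.authorization.openshift.io)")

def unreconciled_rolebindings(lines):
    """Map (namespace, name) -> summary of failed role binding reconciliations."""
    found = {}
    for line in lines:
        header = KLOG.match(line.strip())
        if not header or header["sev"] != "E":
            continue
        hit = RECONCILE.search(header["msg"])
        if not hit:
            continue
        stamp = (header["mmdd"], header["time"])  # klog has no year field
        entry = found.setdefault(
            (hit["ns"], hit["name"]),
            {"count": 0, "first": stamp, "last": stamp, "api_not_served": False},
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], stamp)
        entry["last"] = max(entry["last"], stamp)
        entry["api_not_served"] |= NOT_SERVED in hit["reason"]
    return found

def _line(stamp, name, ns):
    return (f"E0413 {stamp}       1 storage_rbac.go:316] unable to reconcile "
            f"rolebinding.rbac.authorization.k8s.io/{name} in {ns}: "
            f'rolebindings.rbac.authorization.k8s.io "{name}" is forbidden: '
            f"could not list rolebinding restrictions: the server {NOT_SERVED}")

SAMPLE = [
    _line("16:44:39.080537", "shared-resource-viewers", "openshift"),  # from the issue
    _line("16:42:58.333934", "system:node-config-reader", "openshift-node"),  # from the issue
    _line("16:44:41.000000", "shared-resource-viewers", "openshift"),  # constructed repeat
    "I0413 16:45:00.000000       1 example.go:1] constructed unrelated line",
]
if __name__ == "__main__":
    for key, info in unreconciled_rolebindings(SAMPLE).items():
        print(key, info)
```

A binding that keeps appearing here long after deployment, with `api_not_served` set, matches the condition described in this issue.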