Describe the bug
Installing new Trident version v23.01.0.

trident-operator starts but errors with

Patched clusterrole.yaml by adding trident-controller to the section

```yaml
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - use
```

New error in trident-operator:

```
time="2023-02-01T11:30:13Z" level=error msg="Object creation failed." err="roles.rbac.authorization.k8s.io \"trident-node-linux\" is forbidden: user \"system:serviceaccount:trident:trident-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:trident\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"policy\"], Resources:[\"podsecuritypolicies\"], ResourceNames:[\"trident-node-linux\"], Verbs:[\"use\"]}" yamlDocument="---\nkind: Role\napiVersion: \"rbac.authorization.k8s.io/v1\"\nmetadata:\n namespace: trident\n name: trident-node-linux\n labels:\n app: node.csi.trident.netapp.io\n ownerReferences:\n - apiVersion: trident.netapp.io/v1\n controller: true\n kind: TridentOrchestrator\n name: trident\n uid: 88288ffc-a2e0-4ead-bd89-47a7730a4af3\nrules:\n - apiGroups: [\"policy\"]\n resources: [\"podsecuritypolicies\"]\n verbs: [\"use\"]\n resourceNames:\n - trident-node-linux\n"
```

Patched clusterrole.yaml by adding trident-node-linux to the section

```yaml
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - use
```

Now trident-operator starts without errors and all other pods (trident-controller, trident-node-linux) are created.

tridentorchestrator events with `kubectl -n trident describe tridentorchestrator trident` are showing

```
Events:
  Type     Reason      Age                    From                        Message
  ----     ------      ----                   ----                        -------
  Normal   Installing  4m29s                  trident-operator.netapp.io  Installing Trident
  Normal   Installed   4m18s                  trident-operator.netapp.io  Trident installed
  Warning  Failed      3m2s (x23 over 4m14s)  trident-operator.netapp.io  Failed to install Trident; err: failed to create the Trident pod security policy; failed to create or patch Trident controller pod security policy; could not patch Trident Pod security policy; podsecuritypolicies.policy "trident-controller" is forbidden: User "system:serviceaccount:trident:trident-operator" cannot patch resource "podsecuritypolicies" in API group "policy" at the cluster scope
```

Patched clusterrole.yaml by adding trident-controller to the section

Now everything works.
Environment
- v23.01.0
- v20.10.21
- v1.23.8
- v2.7.1
To Reproduce
See description.

Expected behavior
Start Trident without the need to patch ClusterRoles.
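Both refusals in this report come from the same rule matching in the Kubernetes RBAC authorizer: the escalation check that stops the operator from creating a Role granting `use` on a PodSecurityPolicy the operator cannot itself `use` ("attempting to grant RBAC permissions not currently held"), and the ordinary authorization check that rejects `patch` on `podsecuritypolicies` when the operator's ClusterRole carries no such verb. The following is an added example, not code from Trident or Kubernetes: a simplified Python model of that coverage check (resource rules only; subresources, nonResourceURLs and aggregated ClusterRoles are left out), run over a constructed stand-in for the operator's ClusterRole and the Role taken from the error above. The PSP name `tridentoperatorpods` in the "before" rule and the final `create`/`patch` rule are assumptions, since the report does not show the shipped ClusterRole or the form of the third patch.

```python
"""Added example: model of the RBAC rule-coverage check behind the two errors.
Not Trident's or Kubernetes' code; resource rules only, no subresources,
nonResourceURLs or aggregation."""
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple

WILDCARD = "*"


@dataclass(frozen=True)
class Rule:
    """One PolicyRule entry. Empty resource_names means 'any name'."""
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]
    resource_names: Tuple[str, ...] = ()


def _matches(owned: Tuple[str, ...], wanted: str) -> bool:
    return WILDCARD in owned or wanted in owned


def breakdown(rule: Rule) -> List[Rule]:
    """Split a rule into single-group/resource/name/verb rules, as the
    API server does before comparing a requested grant against the caller's rights."""
    names = rule.resource_names or ("",)
    return [
        Rule((g,), (r,), (v,), (n,) if n else ())
        for g, r, n, v in product(rule.api_groups, rule.resources, names, rule.verbs)
    ]


def rule_covers(owner: Rule, sub: Rule) -> bool:
    """Does `owner` grant the single (group, resource, name, verb) tuple in `sub`?"""
    g, r, v = sub.api_groups[0], sub.resources[0], sub.verbs[0]
    if not (_matches(owner.api_groups, g) and _matches(owner.resources, r)
            and _matches(owner.verbs, v)):
        return False
    if not owner.resource_names:   # not name-restricted: covers named and unnamed requests
        return True
    if not sub.resource_names:     # owner is name-restricted but the grant asks for any name
        return False
    return sub.resource_names[0] in owner.resource_names


def missing_grants(owner_rules: List[Rule], wanted_rules: List[Rule]) -> List[Rule]:
    """Broken-down rules in `wanted_rules` that no owner rule covers.
    Non-empty output is exactly what the 'permissions not currently held' error lists."""
    return [
        sub
        for w in wanted_rules
        for sub in breakdown(w)
        if not any(rule_covers(o, sub) for o in owner_rules)
    ]


def can_i(owner_rules: List[Rule], verb: str, group: str, resource: str, name: str = "") -> bool:
    """Single-request check, the same question `kubectl auth can-i` asks."""
    wanted = Rule((group,), (resource,), (verb,), (name,) if name else ())
    return not missing_grants(owner_rules, [wanted])


# Constructed stand-in for the operator's shipped PSP rule (assumption: only the shape matters).
OPERATOR_BEFORE = [Rule(("policy",), ("podsecuritypolicies",), ("use",), ("tridentoperatorpods",))]

# The Role the operator tried to create, from the yamlDocument in the error above.
NODE_ROLE = [Rule(("policy",), ("podsecuritypolicies",), ("use",), ("trident-node-linux",))]

# The first two patches in the report: the PSP names added to the `use` rule.
OPERATOR_AFTER_USE = [Rule(("policy",), ("podsecuritypolicies",), ("use",),
                           ("tridentoperatorpods", "trident-controller", "trident-node-linux"))]

# A rule letting the operator create/patch the PSP objects themselves, which the
# "cannot patch ... at the cluster scope" event calls for (constructed; the report
# does not show the final form of the third patch).
OPERATOR_AFTER_ALL = OPERATOR_AFTER_USE + [
    Rule(("policy",), ("podsecuritypolicies",), ("create", "patch"))
]

if __name__ == "__main__":
    for sub in missing_grants(OPERATOR_BEFORE, NODE_ROLE):
        print("forbidden to grant:", sub)
    print("after use patch, missing:", missing_grants(OPERATOR_AFTER_USE, NODE_ROLE))
    print("can patch PSP with use-only rule:",
          can_i(OPERATOR_AFTER_USE, "patch", "policy", "podsecuritypolicies", "trident-controller"))
    print("can patch PSP with create/patch rule:",
          can_i(OPERATOR_AFTER_ALL, "patch", "policy", "podsecuritypolicies", "trident-controller"))
```

The point the check makes for a fix: widening `resourceNames` on the `use` rule only clears the escalation error for the Roles the operator creates; the Events warning is a separate request by the operator itself, so the ClusterRole also needs the verbs it performs on the PSP objects (`create`, `patch`) before the install loop stops failing.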