bcgov / platform-services-edb-template

This repo contains documentation and templates for the use of EDB and its operator.
Apache License 2.0

Operator update fails, but only for some namespaces. #4

Closed caggles closed 3 years ago

caggles commented 3 years ago

When I issue `oc describe clusterserviceversion cloud-native-postgresql.v1.3.0` on a broken instance of the operator, you get a whole bunch of info on the status of the upgrade, which includes the following overall status message:

    Kind:       ServiceAccount
    Message:    Policy rule not satisfied for service account
    Name:       postgresql-operator-manager
    Status:     PresentNotSatisfied
    Version:    v1

Further investigation into the problematic policy rule nets us:

      Version:  v1
      Group:    rbac.authorization.k8s.io
      Kind:     PolicyRule
      Message:  cluster rule:{"verbs":["create","get","list","patch","update","watch"],"apiGroups":[""],"resources":["serviceaccounts"]}
      Status:   NotSatisfied

In digging around to figure out why this is happening, I tried `oc policy who-can watch serviceaccounts` which produced a list including these entries:

        system:serviceaccount:d893f6-prod:postgresql-operator-manager
        system:serviceaccount:edb-operator:postgresql-operator-manager

The operators for these namespaces seem to have updated just fine. The rest of the operators, however, failed to update - even the one in d893f6-test even though that's the same team. WTF.

I'm still trying to figure out what the difference is between d893f6-prod and everyone else.
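
The comparison described in this issue can be repeated for every verb in the unsatisfied PolicyRule. The script below is an added example, not part of the original comment or of the repository. The function names are hypothetical, and `who_can` is an offline stand-in that returns constructed output built from the two entries quoted above.

```bash
#!/usr/bin/env bash
# Added example: report which namespaces' operator service account is
# missing verbs from the PolicyRule shown in the CSV status.

SA_NAME="postgresql-operator-manager"
# PolicyRule JSON copied from the status message in the issue.
RULE='{"verbs":["create","get","list","patch","update","watch"],"apiGroups":[""],"resources":["serviceaccounts"]}'

# Print the rule's verbs, one per line.
rule_verbs() {
  printf '%s\n' "$RULE" |
    sed -n 's/.*"verbs":\[\([^]]*\)].*/\1/p' | tr -d '"' | tr ',' '\n'
}

# Offline stand-in: CONSTRUCTED who-can output, identical for every verb.
# On a live cluster replace the body with:
#   oc policy who-can "$1" serviceaccounts
who_can() {
  cat <<'EOF'
Users:  system:admin
        system:serviceaccount:d893f6-prod:postgresql-operator-manager
        system:serviceaccount:edb-operator:postgresql-operator-manager
EOF
}

# has_sa NS: succeed if the namespace's operator service account appears on
# stdin as a whole token (a longer account name with the same prefix fails).
has_sa() {
  grep -qE "(^|[[:space:]])system:serviceaccount:$1:${SA_NAME}([[:space:]]|\$)"
}

# audit NS...: print "<namespace> <verb>" for every verb the namespace's
# operator service account is not listed for. One who-can call per verb.
audit() {
  local ns verb out
  for verb in $(rule_verbs); do
    out=$(who_can "$verb")
    for ns in "$@"; do
      printf '%s\n' "$out" | has_sa "$ns" || printf '%s %s\n' "$ns" "$verb"
    done
  done
}
```

Running `audit d893f6-test d893f6-prod edb-operator` against the constructed output lists only `d893f6-test`, once per verb.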