
MG-61: minimal possible get/list RBAC for ServiceAccount running the Job#264

Draft
swghosh wants to merge 4 commits into openshift:master from swghosh:minimal-rbac

Conversation

@swghosh
Member

@swghosh swghosh commented Aug 25, 2025

experimental ClusterRole with minimally sufficient RBAC privileges to run an ose-must-gather from the Job's Pod.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 25, 2025
@openshift-ci
Contributor

openshift-ci bot commented Aug 25, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci
Contributor

openshift-ci bot commented Aug 25, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: swghosh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 25, 2025
Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 38.02%. Comparing base (390929e) to head (805cdf7).
⚠️ Report is 2 commits behind head on master.


@@           Coverage Diff           @@
##           master     #264   +/-   ##
=======================================
  Coverage   38.02%   38.02%           
=======================================
  Files           7        7           
  Lines         476      476           
=======================================
  Hits          181      181           
  Misses        292      292           
  Partials        3        3           

see 1 file with indirect coverage changes


Comment on lines 299 to 298
- create # For temporary perf-node-gather-daemonset
- delete # For cleanup of temporary daemonset
Member Author


DaemonSet "create/delete" is too risky.

Comment on lines 30 to 32
- apiGroups: [""]
resources:
- pods/exec
verbs:
- create # Required for oc exec
Member Author


pods/exec with "create" verb could be risky as well.

Comment on lines 328 to 333
- apiGroups: ["security.openshift.io"]
resources:
- securitycontextconstraints
verbs:
- get
- list
Member Author


A "get/list" over the SCC object does not make the cluster-policy-controller escalate the default security context constraint label on the namespace where the Job is run.

@swghosh
Member Author

swghosh commented Sep 5, 2025

@coderabbitai full review

@coderabbitai

coderabbitai bot commented Sep 5, 2025

✅ Actions performed

Full review triggered.

@coderabbitai

coderabbitai bot commented Sep 5, 2025

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Renames the ClusterRole from must-gather-admin to must-gather-minimal, replaces a wildcard-allow rule with granular RBAC across many API groups/resources, adds limited non-resource URL access, and updates corresponding ClusterRoleBindings. Introduces an example ClusterRole manifest mirroring the granular permissions and adjusts the example binding to reference it.

Changes

Cohort / File(s) Summary
Deploy RBAC: ClusterRole overhaul
deploy/05_must-gather-admin.ClusterRole.yaml
Renames ClusterRole to must-gather-minimal and replaces apiGroups/resources/verbs wildcards with explicit rules, mostly get/list, plus targeted create/delete (pods/exec, pods/portforward, temporary perf-node-gather daemonset). Adds restricted nonResourceURLs and specific resourceNames/namespace constraints.
Deploy RBAC: Binding target update
deploy/06_must-gather-admin.ClusterRoleBinding.yaml
Updates roleRef.name from must-gather-admin to must-gather-minimal; other fields unchanged.
Examples: New minimal ClusterRole
examples/other_resources/05_must-gather-minimal.ClusterRole.yaml
Adds example ClusterRole must-gather-minimal mirroring the granular RBAC, including limited nonResourceURLs and targeted create permissions; includes catch-all get for status/scale subresources.
Examples: Binding target update
examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml
Updates roleRef.name to must-gather-minimal; other fields unchanged.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 10

♻️ Duplicate comments (3)
examples/other_resources/05_must-gather-minimal.ClusterRole.yaml (1)

286-299: DaemonSet create/delete is high-risk; split into a separate opt-in role

Creating/deleting DaemonSets cluster-wide is powerful and not “minimal.” Prior feedback already flagged this.

Apply this to remove the lifecycle verbs here:

   - daemonsets
   verbs:
     - get
     - list
-    - create  # For temporary perf-node-gather-daemonset
-    - delete  # For cleanup of temporary daemonset

Create a separate ClusterRole (e.g., must-gather-perf) with only apps/daemonsets {create,delete,get,list} that operators can bind temporarily when running the perf gather.

deploy/05_must-gather-admin.ClusterRole.yaml (2)

34-37: pods/portforward comment incorrect; verify actual need

oc cp uses exec, not port-forward. Drop or fix comment and rule if unused.


286-299: DaemonSet create/delete is not minimal

Remove here; create an optional, separate role for perf gather.

🧹 Nitpick comments (11)
examples/other_resources/05_must-gather-minimal.ClusterRole.yaml (5)

34-37: pods/portforward “Required for oc cp” is incorrect; verify necessity

kubectl/oc cp uses exec, not port-forward. If port-forward isn’t actually used by the job, drop this rule; otherwise fix the comment.

Suggested change:

-  - create  # Required for oc cp
+  - create  # Required only if oc port-forward is used

Or remove the whole pods/portforward rule if not needed.


300-306: NonResourceURLs scope is cluster-wide; consider isolating

/metrics and /debug/api_priority_and_fairness/* grant apiserver-wide access. If not mandatory for the baseline gather, move them to a separate optional role and bind only when required.


24-25: Duplicate serviceaccounts rule

serviceaccounts get/list appears twice. Keep one.

Apply either removal:

-  - serviceaccounts

or

- - apiGroups: [""]
-   resources:
-   - serviceaccounts
-   verbs:
-   - get
-   - list

Also applies to: 359-364


286-291: Duplicate coverage of apps/deployments

deployments are granted at 286-291 and again at 380-388. Consolidate to one block.

Apply:

- - apiGroups: ["apps"]
-   resources:
-   - deployments
-   verbs:
-   - get  # To find insights operator deployment

Keep the consolidated apps block later.

Also applies to: 380-388


321-327: users and groups read can expose sensitive identity data

Validate that must-gather truly needs cluster-wide get/list on users and groups. If not essential, remove.

deploy/05_must-gather-admin.ClusterRole.yaml (4)

300-306: NonResourceURLs: consider isolating

Move /metrics and debug endpoints to an optional role if not strictly required.


24-25: Duplicate serviceaccounts rule

Deduplicate.

Also applies to: 359-364


286-291: Duplicate deployments coverage

Consolidate to a single apps block.

Also applies to: 380-388


321-327: users/groups read—validate necessity

Confirm it’s required; otherwise remove to reduce data exposure.

deploy/06_must-gather-admin.ClusterRoleBinding.yaml (1)

7-7: Binding now targets must-gather-minimal—ensure role exists at apply time

Verify deploy order so the ClusterRole is created before this binding; otherwise apply will fail.

You may also consider renaming metadata.name (and the ServiceAccount name) to align with “-minimal” to avoid confusion, keeping a legacy binding only if needed.

examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml (1)

7-7: Example binding points to must-gather-minimal—validate SA/namespace

Ensure the referenced ServiceAccount and namespace match the example deployment, or adjust for clarity.

Optionally rename the binding to must-gather-minimal for consistency.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 390929e and 805cdf7.

📒 Files selected for processing (4)
  • deploy/05_must-gather-admin.ClusterRole.yaml (1 hunks)
  • deploy/06_must-gather-admin.ClusterRoleBinding.yaml (1 hunks)
  • examples/other_resources/05_must-gather-minimal.ClusterRole.yaml (1 hunks)
  • examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml (1 hunks)
🔇 Additional comments (3)
examples/other_resources/05_must-gather-minimal.ClusterRole.yaml (1)

328-334: SCC read-only is fine

get/list on securitycontextconstraints is safe and matches prior guidance that it won’t escalate defaults.

deploy/05_must-gather-admin.ClusterRole.yaml (2)

2-4: Principle-of-least-privilege improvement

Renaming and replacing the wildcard “*/*/*” with granular rules is a solid step toward minimal RBAC.


328-334: SCC read-only is appropriate

LGTM for visibility without escalation.

Comment on lines 18 to 20
- configmaps
- secrets # Limited to service account tokens
- events


⚠️ Potential issue

Broad secrets read; tighten

Same concern as the examples file: this grants get/list on all Secrets. Remove and use namespaced Roles + RoleBindings where specific Secrets are needed.

Apply:

   - configmaps
-  - secrets  # Limited to service account tokens
   - events
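Review bot: dropping `secrets` here has a consequence that the test run later in this PR makes visible: the inspect step lists secrets in every namespace it gathers, and once the verb is gone it reports `secrets is forbidden` and skips the whole namespace (`skipping gathering namespaces/openshift-config due to error: secrets is forbidden ...`), not just the Secret objects. The hunk should land together with whatever replaces the cluster-wide read (the per-namespace Roles with `resourceNames` proposed above), or the gather silently loses namespace data; the trade-off belongs in the commit message.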
📝 Committable suggestion


Suggested change
- configmaps
- secrets # Limited to service account tokens
- events
# in deploy/05_must-gather-admin.ClusterRole.yaml, around lines 18–20
resources:
- configmaps
- events
🤖 Prompt for AI Agents
In deploy/05_must-gather-admin.ClusterRole.yaml around lines 18 to 20, the
ClusterRole currently grants broad get/list on all Secrets (the "- secrets"
entry); remove that blanket secret permission and instead restrict access by
creating namespaced Roles that grant get/list only on the specific Secret names
required, then bind them with RoleBindings to the service accounts in those
namespaces; if cluster-wide read of certain secrets is truly required, replace
the wildcard with a tightly-scoped rule listing only the exact secret
resourceNames and document why each is necessary.

Comment on lines 45 to 55
resources:
- storageclasses
- volumeattachments
- csidrivers
- csinodes
- volumesnapshotclasses
- volumesnapshotcontents
- csistoragecapacities
verbs:
- get
- list


⚠️ Potential issue

Fix VolumeSnapshot API group

Move volumesnapshot* to snapshot.storage.k8s.io as in prior comment.

🤖 Prompt for AI Agents
In deploy/05_must-gather-admin.ClusterRole.yaml around lines 45-55, the
VolumeSnapshot resources are listed without their API group; change
volumesnapshotclasses and volumesnapshotcontents to include the
snapshot.storage.k8s.io API group (e.g.
volumesnapshotclasses.snapshot.storage.k8s.io and
volumesnapshotcontents.snapshot.storage.k8s.io) so RBAC targets the correct
resources; keep the same verbs.

Comment on lines 75 to 81
- apiGroups: [""]
resources:
- projects # OpenShift namespaces
verbs:
- get
- list
- apiGroups: ["config.openshift.io"]


⚠️ Potential issue

Projects API group correction

Use project.openshift.io for projects.

🤖 Prompt for AI Agents
In deploy/05_must-gather-admin.ClusterRole.yaml around lines 75 to 81, the RBAC
rule currently uses the wrong API group for projects; replace the existing
apiGroups entry (either "" or "config.openshift.io") for the projects resource
with apiGroups: ["project.openshift.io"] so the rule targets the correct
OpenShift projects API, keeping resources: ["projects"] and verbs:
["get","list"] unchanged.

Comment on lines 341 to 352
resources:
- configmaps
- secrets
resourceNames:
- cluster-monitoring-config
- alertmanager-main
verbs:
- get
namespaces:
- openshift-monitoring
- openshift-user-workload-monitoring
- apiGroups: ["*"]


⚠️ Potential issue

Invalid “namespaces” selector in PolicyRule

RBAC PolicyRule doesn’t support namespaces. Use namespaced Roles + RoleBindings.

🤖 Prompt for AI Agents
In deploy/05_must-gather-admin.ClusterRole.yaml around lines 341-352, the
PolicyRule incorrectly includes a "namespaces" selector (RBAC PolicyRule doesn't
support namespaces). Remove the "namespaces" field from this ClusterRole and
instead create two separate namespaced Role objects (one for
openshift-monitoring and one for openshift-user-workload-monitoring) that
contain the same resources/resourceNames/verbs, then create RoleBindings in each
namespace to bind the Role to the appropriate subjects; alternatively, if
cluster-wide access is intended, simply omit the "namespaces" key entirely from
the ClusterRole so only supported fields remain.

Comment on lines 352 to 358
- apiGroups: ["*"]
resources:
- "*/status"
- "*/scale"
verbs:
- get
- apiGroups: [""]


⚠️ Potential issue

Invalid wildcard subresource patterns

Remove “*/status” and “*/scale” or enumerate explicit resources.

🤖 Prompt for AI Agents
In deploy/05_must-gather-admin.ClusterRole.yaml around lines 352 to 358, the
ClusterRole uses invalid wildcard subresource patterns ("*/status" and
"*/scale"); remove those wildcard subresources or replace them with explicit
resource/subresource entries (e.g., specify apiGroups and exact resources like
"deployments/status", "deployments/scale", "replicasets/status", etc.) and
ensure apiGroups is set correctly for each entry rather than using a wildcard;
update the resources block to list only valid explicit resource or
resource/subresource strings and adjust apiGroups accordingly.

Comment on lines 18 to 20
- configmaps
- secrets # Limited to service account tokens
- events


⚠️ Potential issue

Broad read on secrets; comment is misleading and over-privileged

This grants get/list on all Secrets cluster-wide. The inline note “Limited to service account tokens” is not enforced by RBAC and is incorrect. This is sensitive and exceeds “minimal.”

Apply this diff to drop the broad Secrets read from the core resources block:

   - configmaps
-  - secrets  # Limited to service account tokens
   - events

If you truly need two specific Secrets in monitoring namespaces, model them with namespace-scoped Roles + RoleBindings per namespace instead of a ClusterRole rule. Example (outside this file):

# Role in openshift-monitoring
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: must-gather-monitoring-read
  namespace: openshift-monitoring
rules:
- apiGroups: [""]
  resources: ["configmaps","secrets"]
  resourceNames: ["cluster-monitoring-config","alertmanager-main"]
  verbs: ["get"]

Bind the SA to that Role in each namespace via RoleBinding.

🤖 Prompt for AI Agents
In examples/other_resources/05_must-gather-minimal.ClusterRole.yaml around lines
18-20 the ClusterRole grants get/list on all Secrets (the inline note “Limited
to service account tokens” is misleading and unenforced); remove secrets from
the core resources block to eliminate cluster-wide Secret access and delete the
misleading comment, and if access to specific Secrets in monitoring namespaces
is required, replace the ClusterRole rule with namespace-scoped Roles that list
only the exact resourceNames and bind the service account to those Roles via
RoleBindings in each target namespace.
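The review points above (the unsupported `namespaces` selector, duplicated grants, resources listed under the wrong API group, the cluster-wide Secret read and the wildcard rule) can be checked mechanically before a manifest is applied. This is an added example written for this page, not code from the must-gather-operator project; it operates on the parsed `rules:` list and uses a constructed sample modelled on the findings, not the real manifest.

```python
"""Lint ClusterRole PolicyRules for the problems raised in this review.

Added example, not code from the must-gather-operator project. SAMPLE_RULES is
a constructed excerpt shaped like the rules discussed in the PR (what
yaml.safe_load returns for a manifest's `rules:` list), not the real file.
"""
from collections import defaultdict

# The only fields a rbac.authorization.k8s.io/v1 PolicyRule has. Anything else
# (such as a `namespaces` selector) is rejected by strict field validation or
# ignored by older servers; either way it never narrows the grant.
POLICY_RULE_FIELDS = {"apiGroups", "resources", "resourceNames", "verbs", "nonResourceURLs"}

# Resource -> API group that serves it, for the resources named in the review.
EXPECTED_GROUP = {
    "projects": "project.openshift.io",
    "volumesnapshotclasses": "snapshot.storage.k8s.io",
    "volumesnapshotcontents": "snapshot.storage.k8s.io",
    "securitycontextconstraints": "security.openshift.io",
}

READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Constructed sample modelled on the review findings (not the real manifest).
SAMPLE_RULES = [
    {"apiGroups": [""], "resources": ["configmaps", "secrets", "events", "serviceaccounts"],
     "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["projects"], "verbs": ["get", "list"]},
    {"apiGroups": ["storage.k8s.io"],
     "resources": ["storageclasses", "volumesnapshotclasses", "volumesnapshotcontents"],
     "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["configmaps", "secrets"],
     "resourceNames": ["cluster-monitoring-config", "alertmanager-main"], "verbs": ["get"],
     "namespaces": ["openshift-monitoring", "openshift-user-workload-monitoring"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets"],
     "verbs": ["get", "list", "create", "delete"]},
    {"apiGroups": ["*"], "resources": ["*/status", "*/scale"], "verbs": ["get"]},
]


def lint_rules(rules):
    """Return (rule_index, code, detail) findings for a list of PolicyRules."""
    findings = []
    granted_by = defaultdict(list)  # (apiGroup, resource) -> rules granting it
    for i, rule in enumerate(rules):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames", [])

        unknown = sorted(set(rule) - POLICY_RULE_FIELDS)
        if unknown:
            findings.append((i, "unsupported-field",
                             f"{unknown}: scope with a namespaced Role + RoleBinding instead"))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append((i, "wildcard", "enumerate apiGroups/resources/verbs explicitly"))
        writes = sorted(verbs & WRITE_VERBS)
        if writes:
            findings.append((i, "write-verbs", f"{writes} on {resources}: move to an opt-in role"))

        for group in groups:
            for resource in resources:
                granted_by[(group, resource)].append(i)
                expected = EXPECTED_GROUP.get(resource)
                if expected is not None and group != expected:
                    findings.append((i, "wrong-apigroup",
                                     f"{resource} is served by {expected!r}, not {group!r}"))
                # Without resourceNames a read rule on secrets is a
                # cluster-wide credential read, whatever the inline comment says.
                if resource == "secrets" and verbs & READ_VERBS and not names:
                    findings.append((i, "broad-secrets",
                                     "read on every Secret; use resourceNames or namespaced Roles"))

    for (group, resource), idxs in granted_by.items():
        if len(idxs) > 1:
            findings.append((idxs[-1], "duplicate-grant",
                             f"{resource} in apiGroup {group!r} granted by rules {idxs}"))
    return findings


def codes(findings):
    """Distinct (rule_index, code) pairs, sorted; convenient for checks."""
    return sorted({(i, code) for i, code, _ in findings})


if __name__ == "__main__":
    for index, code, detail in lint_rules(SAMPLE_RULES):
        print(f"rule[{index}] {code}: {detail}")
```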

Comment on lines 352 to 358
- apiGroups: ["*"]
resources:
- "*/status"
- "*/scale"
verbs:
- get
- apiGroups: [""]


⚠️ Potential issue

Invalid wildcard subresource patterns (“*/status”, “*/scale”)

RBAC doesn’t support wildcard prefix for resource names with subresources. Enumerate needed resources explicitly (e.g., deployments/scale) or drop this rule if not required.

Apply:

- - apiGroups: ["*"]
-   resources:
-   - "*/status"
-   - "*/scale"
-   verbs:
-   - get
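Review bot: the hunk removes the `*/status` and `*/scale` rule but adds none of the explicit `deployments/scale`-style entries the comment asks for, so applied as-is it only takes access away; either include the replacement rules in the same change or confirm that nothing in the gather reads those subresources. The premise is also worth checking before committing: the RBAC authorizer's resource matching does accept rules of the form `*/<subresource>`, so what makes this rule over-broad is the `*` apiGroup rather than the subresource pattern, and pinning `apiGroups` may be the smaller fix.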

If you need scale for specific workloads, add explicit rules like apps/deployments/scale: get.

📝 Committable suggestion


Suggested change
- apiGroups: ["*"]
resources:
- "*/status"
- "*/scale"
verbs:
- get
- apiGroups: [""]
- apiGroups: [""]
🤖 Prompt for AI Agents
In examples/other_resources/05_must-gather-minimal.ClusterRole.yaml around lines
352-358, the ClusterRole uses invalid wildcard subresource patterns ("*/status",
"*/scale") which RBAC does not support; replace these wildcard subresource
entries by either removing the subresource rule entirely if not needed or
enumerating explicit resource/subresource pairs with correct apiGroups (for
example add resources like "deployments/scale" under apiGroups: ["apps"] and
"pods/status" under apiGroups: [""] as required), ensure apiGroups lines
correspond to each explicit resource, and update verbs as needed (e.g., get for
scale/status).

@swghosh swghosh force-pushed the minimal-rbac branch 2 times, most recently from b0c5725 to ca97b2f on September 11, 2025 16:37
and rm secrets access

Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
for must-gather-minimal CR, CRB

Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
@swghosh
Member Author

swghosh commented Sep 11, 2025

Using the must-gather-minimal ClusterRole applied (per https://github.com/swghosh/must-gather-operator/blob/ae6d67944b3b2e2c3c6e2a23038d50833018fec0/deploy/05_must-gather-admin.ClusterRole.yaml), gather was able to work.

Pod logs from gather container:

gather image: registry.redhat.io/openshift4/ose-must-gather-rhel9@sha256:16c67cfcae221ea9db9dcfce1c2efc0a6bfcdcff1c589513d7826cd91c37ca11 (v4.19)

+ /usr/bin/gather
Gathering data for ns/openshift-cluster-version...
Warning: apps.openshift.io/v1 DeploymentConfig is deprecated in v4.14+, unavailable in v4.10000+
Gathering data for ns/default...
Gathering data for ns/openshift...
Gathering data for ns/kube-system...
Gathering data for ns/openshift-etcd...
Wrote inspect data to must-gather.
error: inspection completed with the errors occurred while gathering data:
    [namespaces "assisted-installer" not found, secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-cluster-version", secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "default", secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift", secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "kube-system", secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-etcd"]
Waiting on subprocesses to finish execution.
WARNING: Collecting one or more kube-apiserver related logs on ALL masters in your cluster. This could take a large amount of time.
INFO: Gathering machine config daemon's old logs from all nodes
INFO: Gathering on-disk MachineConfig from degraded nodes
INFO: Collecting host service logs for crio
INFO: Collecting host service logs for kubelet
INFO: Collecting host service logs for rpm-ostreed
INFO: Collecting host service logs for ostree-finalize-staged
INFO: Collecting host service logs for machine-config-daemon-firstboot
INFO: Collecting host service logs for machine-config-daemon-host
INFO: Collecting host service logs for NetworkManager
INFO: Collecting host service logs for openvswitch
INFO: Gathering HAProxy config files
INFO: Collecting host service logs for ovs-configuration
INFO: Collecting host service logs for ovsdb-server
INFO: Collecting host service logs for ovs-vswitchd
INFO: Waiting for worker host service log collection to complete ...
INFO: Waiting for node performance related collection to complete ...
INFO: "kubernetes-nmstate-operator" not detected. Skipping.
Wrote inspect data to must-gather.
error: the server doesn't have a resource type "performanceprofile"
INFO: "metallb-operator" not detected. Skipping.
No resources found
Wrote inspect data to must-gather.
INFO: Waiting for HAProxy config collection to complete ...
Wrote inspect data to must-gather.
Gathering data for ns/openshift-config...
Warning: apps.openshift.io/v1 DeploymentConfig is deprecated in v4.14+, unavailable in v4.10000+
INFO: Collecting Insights Archives from 
Gathering data for ns/openshift-config-managed...
INFO: Started  downloading kube-apiserver/termination.log from crc
No resources found
INFO: namespace openshift-frr-k8s not detected. Skipping.
INFO: Waiting for on-disk MachineConfig collection to complete ...
INFO: on-disk MachineConfig config collection complete.
Wrote inspect data to must-gather.
error: the server doesn't have a resource type "multi-networkpolicy"
tar: Removing leading `/' from member names
INFO: HAProxy config collection complete.
Wrote inspect data to must-gather.
Gathering data for ns/openshift-authentication...
error: resource name may not be empty
INFO: "sriov-network-operator" not detected. Skipping.
INFO: Finished downloading kube-apiserver/termination.log from crc
INFO: Found 1 replicas - prometheus-k8s-0
Wrote inspect data to must-gather.
Getting information from pod "etcd-crc", container "etcdctl"
Using endpoints: https://192.168.126.11:2379
INFO: Starting getting etcd information
INFO: Getting etcdctl member list
INFO: Getting etcdctl endpoint status
INFO: Getting etcdctl endpoint health
INFO: Getting etcdctl alarm list
INFO: Getting object count
INFO: Waiting for etcd info collection to complete ...
Wrote inspect data to must-gather.
Gathering data for ns/openshift-authentication-operator...
INFO: Waiting for Machine Config Daemon termination log collection to complete ...
INFO: Getting alertmanagers from prometheus-k8s-0
Wrote inspect data to must-gather.
INFO: Machine Config Daemon termination log collection complete.
W0911 17:12:16.584090    1043 util.go:195] skipping , failed to read event err: Object 'Kind' is missing in ''
Wrote inspect data to must-gather.
INFO: Collecting /debug/api_priority_and_fairness endpoint from kube-apiserver-crc
INFO: Done collecting etcd information
Gathering data for ns/openshift-ingress...
Wrote inspect data to must-gather.
Wrote inspect data to must-gather.
INFO: Getting rules from prometheus-k8s-0
Gathering data for ns/openshift-oauth-apiserver...
Wrote inspect data to must-gather.
INFO: INTERCONNECT MODE
INFO: Gathering ovn-kubernetes DBs
Gathering data for ns/openshift-machine-api...
INFO: Getting status/config from prometheus-k8s-0
INFO: Gathering OVN_Northbound from ovnkube-node-sd7nm...
INFO: Gathering OVN_Southbound from ovnkube-node-sd7nm...
Wrote inspect data to must-gather.
tar: Removing leading `/' from member names
Gathering data for ns/openshift-config-operator...
tar: Removing leading `/' from member names
INFO: Waiting for network log collection to complete ...
INFO: Waiting for ovnk database copies to complete ...
INFO: Copying ovnk databases complete.
14M	must-gather/network_logs/ovnk_database_store
error: the server doesn't have a resource type "tuneds"
ovnk_database_store/
ovnk_database_store/ovnkube-node-sd7nm_sbdb
INFO: Getting status/flags from prometheus-k8s-0
Gathering data for ns/openshift-console-operator...
ovnk_database_store/ovnkube-node-sd7nm_nbdb
INFO: Getting status/runtimeinfo from prometheus-k8s-0
Wrote inspect data to must-gather.
INFO: Network log collection complete.
Gathering data for ns/openshift-console...
INFO: Getting targets?state=active from prometheus-k8s-0
Wrote inspect data to must-gather.
INFO: Getting status/tsdb from prometheus-k8s-0
Gathering data for ns/openshift-dns-operator...
Wrote inspect data to must-gather.
Gathering data for ns/openshift-dns...
Wrote inspect data to must-gather.
INFO: Getting status from alertmanager-main-0
Gathering data for ns/openshift-etcd-operator...
error: the server doesn't have a resource type "machineconfignodes"
Gathering data for ns/openshift-etcd...
error: the server doesn't have a resource type "pinnedimagesets"
Error from server (NotFound): namespaces "openshift-cluster-node-tuning-operator" not found
Gathering data for ns/openshift-image-registry...
INFO: Fallback to identify the container image from release info
Gathering data for ns/openshift-ingress-operator...
Gathering data for ns/openshift-ingress-canary...
Gathering data for ns/openshift-monitoring...
INFO: Worker host service log collection to complete.
Gathering data for ns/openshift-kube-apiserver-operator...
Gathering data for ns/openshift-kube-apiserver...
Gathering data for ns/openshift-multus...
Gathering data for ns/openshift-kube-controller-manager...
Gathering data for ns/openshift-kube-controller-manager-operator...
Gathering data for ns/kube-system...
Gathering data for ns/openshift-kube-scheduler...
Gathering data for ns/openshift-kube-scheduler-operator...
Gathering data for ns/openshift-kube-storage-version-migrator...
Gathering data for ns/openshift-kube-storage-version-migrator-operator...
Gathering data for ns/openshift-cluster-machine-approver...
Gathering data for ns/openshift-machine-config-operator...
Gathering data for ns/openshift-kni-infra...
Gathering data for ns/openshift-openstack-infra...
Gathering data for ns/openshift-ovirt-infra...
Gathering data for ns/openshift-vsphere-infra...
Gathering data for ns/openshift-nutanix-infra...
Gathering data for ns/openshift-cloud-platform-infra...
Gathering data for ns/openshift-marketplace...
Gathering data for ns/openshift-user-workload-monitoring...
Gathering data for ns/openshift-ovn-kubernetes...
Gathering data for ns/openshift-host-network...
Gathering data for ns/openshift-network-diagnostics...
Gathering data for ns/openshift-network-node-identity...
Gathering data for ns/openshift-network-console...
Gathering data for ns/openshift-network-operator...
Gathering data for ns/openshift-cloud-network-config-controller...
Gathering data for ns/openshift-apiserver-operator...
Gathering data for ns/openshift-apiserver...
Gathering data for ns/openshift-controller-manager-operator...
Gathering data for ns/openshift-controller-manager...
Gathering data for ns/openshift-route-controller-manager...
Gathering data for ns/openshift-cluster-samples-operator...
Gathering data for ns/openshift-operator-lifecycle-manager...
Gathering data for ns/openshift-service-ca-operator...
Gathering data for ns/openshift-service-ca...
Wrote inspect data to must-gather.
error: inspection completed with the errors occurred while gathering data:
[skipping gathering namespaces/openshift-config due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-config",
skipping gathering namespaces/openshift-config-managed due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-config-managed",
skipping gathering namespaces/openshift-authentication due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-authentication",
skipping gathering namespaces/openshift-authentication-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-authentication-operator",
skipping gathering namespaces/openshift-ingress due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-ingress",
skipping gathering namespaces/openshift-oauth-apiserver due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-oauth-apiserver",
skipping gathering machineautoscalers.autoscaling.openshift.io due to error: machineautoscalers.autoscaling.openshift.io is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "machineautoscalers" in API group "autoscaling.openshift.io" in the namespace "openshift-machine-api",
skipping gathering clusterautoscalers.autoscaling.openshift.io due to error: clusterautoscalers.autoscaling.openshift.io is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "clusterautoscalers" in API group "autoscaling.openshift.io" at the cluster scope,
skipping gathering namespaces/openshift-machine-api due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-machine-api",
skipping gathering namespaces/openshift-config-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-config-operator",
skipping gathering namespaces/openshift-console-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-console-operator",
skipping gathering namespaces/openshift-console due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-console",
skipping gathering namespaces/openshift-dns-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-dns-operator",
skipping gathering namespaces/openshift-dns due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-dns",
skipping gathering namespaces/openshift-etcd-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-etcd-operator",
skipping gathering namespaces/openshift-etcd due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-etcd",
skipping gathering namespaces/openshift-image-registry due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-image-registry",
skipping gathering namespaces/openshift-ingress-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-ingress-operator",
skipping gathering namespaces/openshift-ingress-canary due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-ingress-canary",
skipping gathering customresourcedefinitions.apiextensions.k8s.io due to error: skipping gathering namespaces/openshift-monitoring due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-monitoring",
skipping gathering namespaces/openshift-kube-apiserver-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-kube-apiserver-operator",
skipping gathering namespaces/openshift-kube-apiserver due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-kube-apiserver",
skipping gathering validatingwebhookconfigurations.admissionregistration.k8s.io due to error: skipping gathering namespaces/openshift-multus due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-multus",
skipping gathering namespaces/openshift-kube-controller-manager due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-kube-controller-manager",
skipping gathering namespaces/openshift-kube-controller-manager-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-kube-controller-manager-operator",
skipping gathering namespaces/kube-system due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "kube-system",
skipping gathering namespaces/openshift-kube-scheduler due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-kube-scheduler",
skipping gathering namespaces/openshift-kube-scheduler-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-kube-scheduler-operator",
skipping gathering namespaces/openshift-kube-storage-version-migrator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-kube-storage-version-migrator",
skipping gathering namespaces/openshift-kube-storage-version-migrator-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-kube-storage-version-migrator-operator",
skipping gathering baremetalhosts.metal3.io due to error: the server doesn't have a resource type "baremetalhosts",
skipping gathering namespaces/openshift-cluster-machine-approver due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-cluster-machine-approver",
skipping gathering namespaces/openshift-machine-config-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-machine-config-operator",
skipping gathering namespaces/openshift-kni-infra due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-kni-infra",
skipping gathering namespaces/openshift-openstack-infra due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-openstack-infra",
skipping gathering namespaces/openshift-ovirt-infra due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-ovirt-infra",
skipping gathering namespaces/openshift-vsphere-infra due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-vsphere-infra",
skipping gathering namespaces/openshift-nutanix-infra due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-nutanix-infra",
skipping gathering namespaces/openshift-cloud-platform-infra due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-cloud-platform-infra",
skipping gathering namespaces/openshift-marketplace due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-marketplace",
skipping gathering namespaces/openshift-user-workload-monitoring due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-user-workload-monitoring",
skipping gathering podmonitors.monitoring.coreos.com due to error: podmonitors.monitoring.coreos.com is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "podmonitors" in API group "monitoring.coreos.com" at the cluster scope,
skipping gathering prometheusrules.monitoring.coreos.com due to error: prometheusrules.monitoring.coreos.com is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "prometheusrules" in API group "monitoring.coreos.com" at the cluster scope,
skipping gathering thanosrulers.monitoring.coreos.com due to error: thanosrulers.monitoring.coreos.com is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "thanosrulers" in API group "monitoring.coreos.com" at the cluster scope,
skipping gathering alertmanagerconfigs.monitoring.coreos.com due to error: alertmanagerconfigs.monitoring.coreos.com is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "alertmanagerconfigs" in API group "monitoring.coreos.com" at the cluster scope,
skipping gathering prometheusrules.monitoring.coreos.com/prometheus-k8s-rules due to error: prometheusrules.monitoring.coreos.com "prometheus-k8s-rules" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "prometheusrules" in API group "monitoring.coreos.com" in the namespace "openshift-multus",
skipping gathering namespaces/openshift-ovn-kubernetes due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-ovn-kubernetes",
skipping gathering operatorpkis.network.operator.openshift.io/ovn due to error: operatorpkis.network.operator.openshift.io "ovn" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "operatorpkis" in API group "network.operator.openshift.io" in the namespace "openshift-ovn-kubernetes",
skipping gathering operatorpkis.network.operator.openshift.io/signer due to error: operatorpkis.network.operator.openshift.io "signer" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "operatorpkis" in API group "network.operator.openshift.io" in the namespace "openshift-ovn-kubernetes",
skipping gathering prometheusrules.monitoring.coreos.com/master-rules due to error: prometheusrules.monitoring.coreos.com "master-rules" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "prometheusrules" in API group "monitoring.coreos.com" in the namespace "openshift-ovn-kubernetes",
skipping gathering prometheusrules.monitoring.coreos.com/networking-rules due to error: prometheusrules.monitoring.coreos.com "networking-rules" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "prometheusrules" in API group "monitoring.coreos.com" in the namespace "openshift-ovn-kubernetes",
skipping gathering namespaces/openshift-host-network due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-host-network",
skipping gathering validatingadmissionpolicies.admissionregistration.k8s.io/user-defined-networks-namespace-label due to error: validatingadmissionpolicies.admissionregistration.k8s.io "user-defined-networks-namespace-label" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "validatingadmissionpolicies" in API group "admissionregistration.k8s.io" at the cluster scope,
skipping gathering validatingadmissionpolicybindings.admissionregistration.k8s.io/user-defined-networks-namespace-label-binding due to error: validatingadmissionpolicybindings.admissionregistration.k8s.io "user-defined-networks-namespace-label-binding" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "validatingadmissionpolicybindings" in API group "admissionregistration.k8s.io" at the cluster scope,
skipping gathering namespaces/openshift-network-diagnostics due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-network-diagnostics",
skipping gathering namespaces/openshift-network-node-identity due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-network-node-identity",
skipping gathering operatorpkis.network.operator.openshift.io/network-node-identity due to error: operatorpkis.network.operator.openshift.io "network-node-identity" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "operatorpkis" in API group "network.operator.openshift.io" in the namespace "openshift-network-node-identity",
skipping gathering prometheusrules.monitoring.coreos.com/openshift-network-operator-ipsec-rules due to error: prometheusrules.monitoring.coreos.com "openshift-network-operator-ipsec-rules" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "prometheusrules" in API group "monitoring.coreos.com" in the namespace "openshift-network-operator",
skipping gathering namespaces/openshift-network-console due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-network-console",
skipping gathering namespaces/openshift-network-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-network-operator",
skipping gathering namespaces/openshift-cloud-network-config-controller due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-cloud-network-config-controller",
skipping gathering openshiftapiservers.operator.openshift.io/cluster due to error: openshiftapiservers.operator.openshift.io "cluster" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "openshiftapiservers" in API group "operator.openshift.io" at the cluster scope,
skipping gathering namespaces/openshift-apiserver-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-apiserver-operator",
skipping gathering namespaces/openshift-apiserver due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-apiserver",
skipping gathering endpoints/host-etcd-2 due to error: endpoints "host-etcd-2" not found,
skipping gathering openshiftcontrollermanagers.operator.openshift.io/cluster due to error: openshiftcontrollermanagers.operator.openshift.io "cluster" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "openshiftcontrollermanagers" in API group "operator.openshift.io" at the cluster scope,
skipping gathering namespaces/openshift-controller-manager-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-controller-manager-operator",
skipping gathering namespaces/openshift-controller-manager due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-controller-manager",
skipping gathering namespaces/openshift-route-controller-manager due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-route-controller-manager",
skipping gathering configs.samples.operator.openshift.io/cluster due to error: configs.samples.operator.openshift.io "cluster" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "configs" in API group "samples.operator.openshift.io" at the cluster scope,
skipping gathering namespaces/openshift-cluster-samples-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-cluster-samples-operator",
skipping gathering namespaces/openshift-operator-lifecycle-manager due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-operator-lifecycle-manager",
skipping gathering servicecas.operator.openshift.io/cluster due to error: servicecas.operator.openshift.io "cluster" is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot get resource "servicecas" in API group "operator.openshift.io" at the cluster scope,
skipping gathering namespaces/openshift-service-ca-operator due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-service-ca-operator",
skipping gathering namespaces/openshift-service-ca due to error: secrets is forbidden: User "system:serviceaccount:must-gather-operator:must-gather-admin" cannot list resource "secrets" in API group "" in the namespace "openshift-service-ca"]
INFO: Image with low level tools to use: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5414c1f82ce353599186b5fd0f0f54fc87ede939f435d57b68fa73483f089546
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostPID=true), allowPrivilegeEscalation != false (container "node-probe" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "node-probe" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "sys", "proc", "lib-modules", "podres" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "node-probe" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "node-probe" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
daemonset.apps/perf-node-gather-daemonset created
Waiting for performance profile collector pods to become ready: 1
Waiting for performance profile collector pods to become ready: 2
Waiting for performance profile collector pods to become ready: 3
Waiting for performance profile collector pods to become ready: 4
Waiting for performance profile collector pods to become ready: 5
Waiting for performance profile collector pods to become ready: 6
Waiting for performance profile collector pods to become ready: 7
Waiting for performance profile collector pods to become ready: 8
Waiting for performance profile collector pods to become ready: 9
Waiting for performance profile collector pods to become ready: 10
Waiting for performance profile collector pods to become ready: 11
Waiting for performance profile collector pods to become ready: 12
Waiting for performance profile collector pods to become ready: 13
Waiting for performance profile collector pods to become ready: 14
Waiting for performance profile collector pods to become ready: 15
Waiting for performance profile collector pods to become ready: 16
Waiting for performance profile collector pods to become ready: 17
Waiting for performance profile collector pods to become ready: 18
Waiting for performance profile collector pods to become ready: 19
Waiting for performance profile collector pods to become ready: 20
Waiting for performance profile collector pods to become ready: 21
Waiting for performance profile collector pods to become ready: 22
Waiting for performance profile collector pods to become ready: 23
Waiting for performance profile collector pods to become ready: 24
Waiting for performance profile collector pods to become ready: 25
Waiting for performance profile collector pods to become ready: 26
Waiting for performance profile collector pods to become ready: 27
Waiting for performance profile collector pods to become ready: 28
Waiting for performance profile collector pods to become ready: 29
Waiting for performance profile collector pods to become ready: 30
Waiting for performance profile collector pods to become ready: 31
Waiting for performance profile collector pods to become ready: 32
Waiting for performance profile collector pods to become ready: 33
Waiting for performance profile collector pods to become ready: 34
Waiting for performance profile collector pods to become ready: 35
Waiting for performance profile collector pods to become ready: 36
Waiting for performance profile collector pods to become ready: 37
Waiting for performance profile collector pods to become ready: 38
Waiting for performance profile collector pods to become ready: 39
Waiting for performance profile collector pods to become ready: 40
Waiting for performance profile collector pods to become ready: 41
Waiting for performance profile collector pods to become ready: 42
Waiting for performance profile collector pods to become ready: 43
Waiting for performance profile collector pods to become ready: 44
Waiting for performance profile collector pods to become ready: 45
Waiting for performance profile collector pods to become ready: 46
Waiting for performance profile collector pods to become ready: 47
Waiting for performance profile collector pods to become ready: 48
Waiting for performance profile collector pods to become ready: 49
Waiting for performance profile collector pods to become ready: 50
Waiting for performance profile collector pods to become ready: 51
Waiting for performance profile collector pods to become ready: 52
Waiting for performance profile collector pods to become ready: 53
Waiting for performance profile collector pods to become ready: 54
Waiting for performance profile collector pods to become ready: 55
Waiting for performance profile collector pods to become ready: 56
Waiting for performance profile collector pods to become ready: 57
Waiting for performance profile collector pods to become ready: 58
Waiting for performance profile collector pods to become ready: 59
Waiting for performance profile collector pods to become ready: 60
Waiting for performance profile collector pods to become ready: 61
Waiting for performance profile collector pods to become ready: 62
Waiting for performance profile collector pods to become ready: 63
Waiting for performance profile collector pods to become ready: 64
Waiting for performance profile collector pods to become ready: 65
Waiting for performance profile collector pods to become ready: 66
Waiting for performance profile collector pods to become ready: 67
Waiting for performance profile collector pods to become ready: 68
Waiting for performance profile collector pods to become ready: 69
Waiting for performance profile collector pods to become ready: 70
Waiting for performance profile collector pods to become ready: 71
Waiting for performance profile collector pods to become ready: 72
Waiting for performance profile collector pods to become ready: 73
Waiting for performance profile collector pods to become ready: 74
Waiting for performance profile collector pods to become ready: 75
Waiting for performance profile collector pods to become ready: 76
Waiting for performance profile collector pods to become ready: 77
Waiting for performance profile collector pods to become ready: 78
Waiting for performance profile collector pods to become ready: 79
Waiting for performance profile collector pods to become ready: 80
Waiting for performance profile collector pods to become ready: 81
Waiting for performance profile collector pods to become ready: 82
Waiting for performance profile collector pods to become ready: 83
Waiting for performance profile collector pods to become ready: 84
Waiting for performance profile collector pods to become ready: 85
Waiting for performance profile collector pods to become ready: 86
Waiting for performance profile collector pods to become ready: 87
Waiting for performance profile collector pods to become ready: 88
Waiting for performance profile collector pods to become ready: 89
Waiting for performance profile collector pods to become ready: 90
Waiting for performance profile collector pods to become ready: 91
Waiting for performance profile collector pods to become ready: 92
Waiting for performance profile collector pods to become ready: 93
Waiting for performance profile collector pods to become ready: 94
Waiting for performance profile collector pods to become ready: 95
Waiting for performance profile collector pods to become ready: 96
Waiting for performance profile collector pods to become ready: 97
Waiting for performance profile collector pods to become ready: 98
Waiting for performance profile collector pods to become ready: 99
Waiting for performance profile collector pods to become ready: 100
Waiting for performance profile collector pods to become ready: 101
Waiting for performance profile collector pods to become ready: 102
Waiting for performance profile collector pods to become ready: 103
Waiting for performance profile collector pods to become ready: 104
Waiting for performance profile collector pods to become ready: 105
Waiting for performance profile collector pods to become ready: 106
Waiting for performance profile collector pods to become ready: 107
Waiting for performance profile collector pods to become ready: 108
Waiting for performance profile collector pods to become ready: 109
Waiting for performance profile collector pods to become ready: 110
Waiting for performance profile collector pods to become ready: 111
Waiting for performance profile collector pods to become ready: 112
Waiting for performance profile collector pods to become ready: 113
Waiting for performance profile collector pods to become ready: 114
Waiting for performance profile collector pods to become ready: 115
Waiting for performance profile collector pods to become ready: 116
Waiting for performance profile collector pods to become ready: 117
Waiting for performance profile collector pods to become ready: 118
Waiting for performance profile collector pods to become ready: 119
Waiting for performance profile collector pods to become ready: 120
Waiting for performance profile collector pods to become ready: 121
Waiting for performance profile collector pods to become ready: 122
Waiting for performance profile collector pods to become ready: 123
Waiting for performance profile collector pods to become ready: 124
Waiting for performance profile collector pods to become ready: 125
Waiting for performance profile collector pods to become ready: 126
Waiting for performance profile collector pods to become ready: 127
Waiting for performance profile collector pods to become ready: 128
Waiting for performance profile collector pods to become ready: 129
Waiting for performance profile collector pods to become ready: 130
Waiting for performance profile collector pods to become ready: 131
Waiting for performance profile collector pods to become ready: 132
Waiting for performance profile collector pods to become ready: 133
Waiting for performance profile collector pods to become ready: 134
Waiting for performance profile collector pods to become ready: 135
Waiting for performance profile collector pods to become ready: 136
Waiting for performance profile collector pods to become ready: 137
Waiting for performance profile collector pods to become ready: 138
Waiting for performance profile collector pods to become ready: 139
Waiting for performance profile collector pods to become ready: 140
Waiting for performance profile collector pods to become ready: 141
Waiting for performance profile collector pods to become ready: 142
Waiting for performance profile collector pods to become ready: 143
Waiting for performance profile collector pods to become ready: 144
Waiting for performance profile collector pods to become ready: 145
Waiting for performance profile collector pods to become ready: 146
Waiting for performance profile collector pods to become ready: 147
Waiting for performance profile collector pods to become ready: 148
Waiting for performance profile collector pods to become ready: 149
Waiting for performance profile collector pods to become ready: 150
Waiting for performance profile collector pods to become ready: 151
Waiting for performance profile collector pods to become ready: 152
Waiting for performance profile collector pods to become ready: 153
Waiting for performance profile collector pods to become ready: 154
Waiting for performance profile collector pods to become ready: 155
Waiting for performance profile collector pods to become ready: 156
Waiting for performance profile collector pods to become ready: 157
Waiting for performance profile collector pods to become ready: 158
Waiting for performance profile collector pods to become ready: 159
Waiting for performance profile collector pods to become ready: 160
Waiting for performance profile collector pods to become ready: 161
Waiting for performance profile collector pods to become ready: 162
Waiting for performance profile collector pods to become ready: 163
Waiting for performance profile collector pods to become ready: 164
Waiting for performance profile collector pods to become ready: 165
Waiting for performance profile collector pods to become ready: 166
Waiting for performance profile collector pods to become ready: 167
Waiting for performance profile collector pods to become ready: 168
Waiting for performance profile collector pods to become ready: 169
Waiting for performance profile collector pods to become ready: 170
Waiting for performance profile collector pods to become ready: 171
Waiting for performance profile collector pods to become ready: 172
Waiting for performance profile collector pods to become ready: 173
Waiting for performance profile collector pods to become ready: 174
Waiting for performance profile collector pods to become ready: 175
Waiting for performance profile collector pods to become ready: 176
Waiting for performance profile collector pods to become ready: 177
Waiting for performance profile collector pods to become ready: 178
Waiting for performance profile collector pods to become ready: 179
Waiting for performance profile collector pods to become ready: 180
Waiting for performance profile collector pods to become ready: 181
Waiting for performance profile collector pods to become ready: 182
Waiting for performance profile collector pods to become ready: 183
Waiting for performance profile collector pods to become ready: 184
Waiting for performance profile collector pods to become ready: 185
Waiting for performance profile collector pods to become ready: 186
Waiting for performance profile collector pods to become ready: 187
Waiting for performance profile collector pods to become ready: 188
Waiting for performance profile collector pods to become ready: 189
Waiting for performance profile collector pods to become ready: 190
Waiting for performance profile collector pods to become ready: 191
Waiting for performance profile collector pods to become ready: 192
Waiting for performance profile collector pods to become ready: 193
Waiting for performance profile collector pods to become ready: 194
Waiting for performance profile collector pods to become ready: 195
Waiting for performance profile collector pods to become ready: 196
Waiting for performance profile collector pods to become ready: 197
Waiting for performance profile collector pods to become ready: 198
Waiting for performance profile collector pods to become ready: 199
Waiting for performance profile collector pods to become ready: 200
Waiting for performance profile collector pods to become ready: 201
Waiting for performance profile collector pods to become ready: 202
Waiting for performance profile collector pods to become ready: 203
Waiting for performance profile collector pods to become ready: 204
Waiting for performance profile collector pods to become ready: 205
Waiting for performance profile collector pods to become ready: 206
Waiting for performance profile collector pods to become ready: 207
Waiting for performance profile collector pods to become ready: 208
Waiting for performance profile collector pods to become ready: 209
Waiting for performance profile collector pods to become ready: 210
Waiting for performance profile collector pods to become ready: 211
Waiting for performance profile collector pods to become ready: 212
Waiting for performance profile collector pods to become ready: 213
Waiting for performance profile collector pods to become ready: 214
Waiting for performance profile collector pods to become ready: 215
Waiting for performance profile collector pods to become ready: 216
Waiting for performance profile collector pods to become ready: 217
Waiting for performance profile collector pods to become ready: 218
Waiting for performance profile collector pods to become ready: 219
Waiting for performance profile collector pods to become ready: 220
Waiting for performance profile collector pods to become ready: 221
Waiting for performance profile collector pods to become ready: 222
Waiting for performance profile collector pods to become ready: 223
Waiting for performance profile collector pods to become ready: 224
Waiting for performance profile collector pods to become ready: 225
Waiting for performance profile collector pods to become ready: 226
Waiting for performance profile collector pods to become ready: 227
Waiting for performance profile collector pods to become ready: 228
Waiting for performance profile collector pods to become ready: 229
Waiting for performance profile collector pods to become ready: 230
Waiting for performance profile collector pods to become ready: 231
Waiting for performance profile collector pods to become ready: 232
Waiting for performance profile collector pods to become ready: 233
Waiting for performance profile collector pods to become ready: 234
Waiting for performance profile collector pods to become ready: 235
Waiting for performance profile collector pods to become ready: 236
Waiting for performance profile collector pods to become ready: 237
Waiting for performance profile collector pods to become ready: 238
Waiting for performance profile collector pods to become ready: 239
Waiting for performance profile collector pods to become ready: 240
Waiting for performance profile collector pods to become ready: 241
Waiting for performance profile collector pods to become ready: 242
Waiting for performance profile collector pods to become ready: 243
Waiting for performance profile collector pods to become ready: 244
Waiting for performance profile collector pods to become ready: 245
Waiting for performance profile collector pods to become ready: 246
Waiting for performance profile collector pods to become ready: 247
Waiting for performance profile collector pods to become ready: 248
Waiting for performance profile collector pods to become ready: 249
Waiting for performance profile collector pods to become ready: 250
Waiting for performance profile collector pods to become ready: 251
Waiting for performance profile collector pods to become ready: 252
Waiting for performance profile collector pods to become ready: 253
Waiting for performance profile collector pods to become ready: 254
Waiting for performance profile collector pods to become ready: 255
Waiting for performance profile collector pods to become ready: 256
Waiting for performance profile collector pods to become ready: 257
Waiting for performance profile collector pods to become ready: 258
Waiting for performance profile collector pods to become ready: 259
Waiting for performance profile collector pods to become ready: 260
Waiting for performance profile collector pods to become ready: 261
Waiting for performance profile collector pods to become ready: 262
Waiting for performance profile collector pods to become ready: 263
Waiting for performance profile collector pods to become ready: 264
Waiting for performance profile collector pods to become ready: 265
Waiting for performance profile collector pods to become ready: 266
Waiting for performance profile collector pods to become ready: 267
Waiting for performance profile collector pods to become ready: 268
Waiting for performance profile collector pods to become ready: 269
Waiting for performance profile collector pods to become ready: 270
Waiting for performance profile collector pods to become ready: 271
Waiting for performance profile collector pods to become ready: 272
Waiting for performance profile collector pods to become ready: 273
Waiting for performance profile collector pods to become ready: 274
Waiting for performance profile collector pods to become ready: 275
Waiting for performance profile collector pods to become ready: 276
Waiting for performance profile collector pods to become ready: 277
Waiting for performance profile collector pods to become ready: 278
Waiting for performance profile collector pods to become ready: 279
Waiting for performance profile collector pods to become ready: 280
Waiting for performance profile collector pods to become ready: 281
Waiting for performance profile collector pods to become ready: 282
Waiting for performance profile collector pods to become ready: 283
Waiting for performance profile collector pods to become ready: 284
Waiting for performance profile collector pods to become ready: 285
Waiting for performance profile collector pods to become ready: 286
Waiting for performance profile collector pods to become ready: 287
Waiting for performance profile collector pods to become ready: 288
Waiting for performance profile collector pods to become ready: 289
Waiting for performance profile collector pods to become ready: 290
Waiting for performance profile collector pods to become ready: 291
Waiting for performance profile collector pods to become ready: 292
Waiting for performance profile collector pods to become ready: 293
Waiting for performance profile collector pods to become ready: 294
Waiting for performance profile collector pods to become ready: 295
Waiting for performance profile collector pods to become ready: 296
Waiting for performance profile collector pods to become ready: 297
Waiting for performance profile collector pods to become ready: 298
Waiting for performance profile collector pods to become ready: 299
Waiting for performance profile collector pods to become ready: 300
daemonset.apps "perf-node-gather-daemonset" deleted
INFO: Node performance data collection complete.
error: the server doesn't have a resource type "clusters"

Notably, a possible restricted SCC violation occurs:

Warning: would violate PodSecurity "restricted:latest": host namespaces (hostPID=true), allowPrivilegeEscalation != false (container "node-probe" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "node-probe" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "sys", "proc", "lib-modules", "podres" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "node-probe" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "node-probe" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
daemonset.apps/perf-node-gather-daemonset created
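The checks enumerated in that PodSecurity warning (host namespaces, allowPrivilegeEscalation, capabilities.drop, hostPath volumes, runAsNonRoot, seccompProfile), written out as a small Python admission-style check. This is an added example, not code from this PR or from the must-gather-operator; the daemonset pod template it evaluates is a constructed approximation of what the warning describes (hostPID plus the "sys", "proc", "lib-modules" and "podres" hostPath volumes and an unhardened "node-probe" container), not the project's manifest, and the hardened spec beside it shows the fields the restricted profile requires.

```python
"""Evaluate a pod spec against the PodSecurity "restricted" checks named in the
warning above. Added example, not part of the must-gather-operator."""

from typing import Any

# Constructed approximation of the perf-node-gather daemonset pod template
# (hostPID, hostPath volumes, no hardened securityContext). Assumed shape;
# this is not the project's actual manifest.
PERF_NODE_GATHER_POD = {
    "hostPID": True,
    "volumes": [
        {"name": "sys", "hostPath": {"path": "/sys"}},
        {"name": "proc", "hostPath": {"path": "/proc"}},
        {"name": "lib-modules", "hostPath": {"path": "/lib/modules"}},
        {"name": "podres", "hostPath": {"path": "/var/lib/kubelet/pod-resources"}},
    ],
    "containers": [
        {"name": "node-probe", "image": "example.invalid/node-probe:latest"},
    ],
}

# The same container with every restricted-profile requirement satisfied:
# pod-level runAsNonRoot and seccompProfile, container-level
# allowPrivilegeEscalation=false and capabilities.drop=["ALL"], no hostPath.
HARDENED_POD = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "volumes": [{"name": "scratch", "emptyDir": {}}],
    "containers": [
        {
            "name": "node-probe",
            "image": "example.invalid/node-probe:latest",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }
    ],
}

RESTRICTED_VOLUME_TYPES = {"hostPath"}  # the volume type the warning flags


def _pod_or_container(pod: dict, container: dict, key: str) -> Any:
    """Fields that may be set at pod or container level; the container wins."""
    ctx = container.get("securityContext") or {}
    if key in ctx:
        return ctx[key]
    return (pod.get("securityContext") or {}).get(key)


def check_restricted(pod: dict) -> list[str]:
    """Return violation messages in the style of the PodSecurity warning.
    An empty list means the spec would be admitted under restricted:latest."""
    findings: list[str] = []
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if pod.get(ns) is True:
            findings.append(f"host namespaces ({ns}=true)")
    bad_volumes = [v["name"] for v in pod.get("volumes", [])
                   if RESTRICTED_VOLUME_TYPES & set(v.keys())]
    if bad_volumes:
        findings.append(f'restricted volume types (volumes {bad_volumes} '
                        f'use restricted volume type "hostPath")')
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name = c["name"]
        ctx = c.get("securityContext") or {}
        # allowPrivilegeEscalation and capabilities exist only at container level.
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f'allowPrivilegeEscalation != false (container "{name}" '
                            f'must set securityContext.allowPrivilegeEscalation=false)')
        if "ALL" not in (ctx.get("capabilities") or {}).get("drop", []):
            findings.append(f'unrestricted capabilities (container "{name}" '
                            f'must set securityContext.capabilities.drop=["ALL"])')
        if _pod_or_container(pod, c, "runAsNonRoot") is not True:
            findings.append(f'runAsNonRoot != true (pod or container "{name}" '
                            f'must set securityContext.runAsNonRoot=true)')
        profile = (_pod_or_container(pod, c, "seccompProfile") or {}).get("type")
        if profile not in ("RuntimeDefault", "Localhost"):
            findings.append(f'seccompProfile (pod or container "{name}" must set '
                            f'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return findings


if __name__ == "__main__":
    for label, spec in (("perf-node-gather", PERF_NODE_GATHER_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {check_restricted(spec) or 'admitted under restricted:latest'}")
```

The hostPID and hostPath findings are the ones a node-level collector cannot remove while still doing its job, which is why such a workload must run in a namespace whose pod-security enforcement level permits it (or be exempted) rather than be hardened away; the remaining four findings are fixable in the container spec without changing what it collects.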

@swghosh swghosh changed the title minimal possible get/list RBAC for ServiceAccount running the Job MG-61: minimal possible get/list RBAC for ServiceAccount running the Job Sep 11, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Sep 11, 2025
@openshift-ci-robot

openshift-ci-robot commented Sep 11, 2025

@swghosh: This pull request references MG-61 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.21.0" version, but no target version was set.


In response to this:

experimental ClusterRole with minimally sufficient RBAC privileges to run an ose-must-gather from the Job's Pod.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci bot commented Nov 24, 2025

@swghosh: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                 Commit   Details  Required  Rerun command
ci/prow/e2e-gcp-operator  ae6d679  link     true      /test e2e-gcp-operator

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

3 participants