-
Notifications
You must be signed in to change notification settings - Fork 597
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[openstack-cloud-controller-manager] Serviceaccount cannot patch resource "services" #1722
Comments
opening this to track the problem as this is first time I saw this kind of issue |
"system:serviceaccount:kube-system:cloud-provider-openstack\" cannot patch resource \"services\" in API group \"\" in the namespace \"default\
Hello, I'm still seeing this error with the release-1.23 version (
The daemonset is using the service account
which has the following ClusterRole / ClusterRoleBinding:
In particular the ClusterRole has this part, so it should be allowed to modify services in all namespaces:
Since the controller is running witht the service account "openstack-cloud-controller-manager", I don't understand why it identifies itself as "system:serviceaccount:kube-system:cloud-controller-manager" (especially since it's NOT running in the kube-system namespace). /ping @lingxiankong @jichenjc |
@jacksgt Which namespace is the openstack-cloud-controller-manager deployed? |
Hi, it's deployed in the `openshift-cern-cloud-controller`. OCCM V1.20 was also deployed in the same namespace.
On 26 February 2022 23:56:40 CET, Lingxian Kong ***@***.***> wrote:
***@***.*** Which namespace is the openstack-cloud-controller-manager deployed?
…
--
Reply to this email directly or view it on GitHub:
#1722 (comment)
You are receiving this because you were mentioned.
Message ID: ***@***.***>
|
Since the |
Hi Lingxian, To my understanding, Why would OCCM now use a different service account (in a different namespace). Is this a breaking change / regression? |
I remember this change was added together with the shared load balancer feature support. However, keep in mind that setting the You can try to set |
Thank you for the explanation! I understood now. As you suggested, I tried setting
I had to slightly modify the Helm chart for the required permissions and submitted a PR here: #1802 |
How are you setting It seems like it is hard-coded in the Helm chart here: https://github.com/kubernetes/cloud-provider-openstack/blob/master/charts/openstack-cloud-controller-manager/templates/daemonset.yaml#L43 |
@mkjpryor You can specify additional arguments with controllerExtraArgs:
- "--use-service-account-credentials=false" |
The default setting of the openstack-cloud-controller-manager uses two different service accounts with differing permissions. This leads to issues, especially when creating load-balancer services, where the wrong serivce account is used and consequently not allowed to do the things required to actually make things work. This is a workaround that forces the openstack-cloud-controller-manager to just use one single service account, which makes things work again. Fixes: Error syncing load balancer: failed to ensure load balancer: failed to patch service object ingress-nginx/ingress-nginx-controller: services "ingress-nginx-controller" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "ingress-nginx" References: - kubernetes/cloud-provider-openstack#2049 - kubernetes/cloud-provider-openstack#1722
…credentials (#412) The default setting of the openstack-cloud-controller-manager uses two different service accounts with differing permissions. This leads to issues, especially when creating load-balancer services, where the wrong serivce account is used and consequently not allowed to do the things required to actually make things work. This is a workaround that forces the openstack-cloud-controller-manager to just use one single service account, which makes things work again. Fixes: Error syncing load balancer: failed to ensure load balancer: failed to patch service object ingress-nginx/ingress-nginx-controller: services "ingress-nginx-controller" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "ingress-nginx" References: - kubernetes/cloud-provider-openstack#2049 - kubernetes/cloud-provider-openstack#1722 Co-authored-by: Sebastian Lehne <sl@teuto.net>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager. The change is motivated by a number of reasons, namely: - Creates suitable service accounts, cluster roles and cluster role bindings for `--use-service-accounts-credentials=true` - Normalises service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager. The change is motivated by a number of reasons, namely: - Creates suitable service accounts, cluster roles and cluster role bindings for `--use-service-accounts-credentials=true` - Normalises service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - #2049 - #1722 - #1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
@jacksgt sorry for reviving this, but is this released? I just checked an older cluster where we used the manifests (and kustomize) to deploy the OCCM. It seems like Error message:
It seems like it's assigned too:
|
I deleted the It seems like the helm chart creates |
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
Hi @till , I'm also no expert on this, but I think the flag is simply named very confusingly.
I hope this helps. |
@jacksgt cheers, and thanks for responding. I think something with RBAC is broken but I created another ticket and there's already a PR to pick commits for a new release. |
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - kubernetes#2049 - kubernetes#1722 - kubernetes#1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de>
…chart (#2449) * Use standard service account name in OCCM helm chart (#2332) This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - #2049 - #1722 - #1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de> * Remove spurious whitespace in OCCM values file (#2347) The space character was sadly introduced in an earlier PR and had not been picked up by the helm linter, presumably because the GHA did not run. Signed-off-by: Wolodja Wentland <w@wentland.dev> --------- Signed-off-by: Wolodja Wentland <wwentland@wavecon.de> Signed-off-by: Wolodja Wentland <w@wentland.dev>
…chart (#2448) * Use standard service account name in OCCM helm chart (#2332) This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - #2049 - #1722 - #1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de> * Remove spurious whitespace in OCCM values file (#2347) The space character was sadly introduced in an earlier PR and had not been picked up by the helm linter, presumably because the GHA did not run. Signed-off-by: Wolodja Wentland <w@wentland.dev> --------- Signed-off-by: Wolodja Wentland <wwentland@wavecon.de> Signed-off-by: Wolodja Wentland <w@wentland.dev>
…chart (#2447) * Use standard service account name in OCCM helm chart (#2332) This removes the `openstack-` prefix from the service account name used by the cloud-controller-manager and moves the default values into the values file. The change is motivated by the following: - Create suitable service accounts, cluster roles and cluster role bindings for use with `--use-service-accounts-credentials=true` - Normalise service account names in the helm chart and plain manifests - Adhere to naming conventions across external cloud controller managers for different clouds (e.g. AWS, GCP, ...) Specifically the first point deserves further details. Prior to this change, users who install the cloud controller manager with helm, would run into the following error when creating load balancers: ``` E0818 08:27:33.802407 11 controller.go:291] error processing service default/hello-bug (will retry): failed to ensure load balancer: failed to patch service object default/hello-bug: services "hello-bug" is forbidden: User "system:serviceaccount:kube-system:cloud-controller-manager" cannot patch resource "services" in API group "" in the namespace "default" ``` Which is due to the fact that the controller is running with the `cloud-controller-manager` service account because `--use-service-account-credentials` is set to `true` by default and the client is initialised with: ``` clientset := clientBuilder.ClientOrDie("cloud-controller-manager") ``` Whilst users can work around this by passing `--use-service-account-credentials=false`, the desired behaviour would be to install suitable RBAC in the first place. See: - https://kubernetes.io/docs/concepts/architecture/cloud-controller/ - https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/ - #2049 - #1722 - #1755 Signed-off-by: Wolodja Wentland <wwentland@wavecon.de> * Remove spurious whitespace in OCCM values file (#2347) The space character was sadly introduced in an earlier PR and had not been picked up by the helm linter, presumably because the GHA did not run. Signed-off-by: Wolodja Wentland <w@wentland.dev> --------- Signed-off-by: Wolodja Wentland <wwentland@wavecon.de> Signed-off-by: Wolodja Wentland <w@wentland.dev>
Is this a BUG REPORT or FEATURE REQUEST?:
What happened:
create a LB follow
https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md
in logs seems
it's weird why
"system:serviceaccount:kube-system:cloud-provider-openstack\"
is usedI created following command
and it works fine in the LB after the clusterrolebinding created
it's weird why
kube-system:cloud-provider-openstack
is createdWhat you expected to happen:
How to reproduce it:
Anything else we need to know?:
Environment:
The text was updated successfully, but these errors were encountered: