[4.15] OCPBUGS-31599: create suitable role and roleBinding for csi-snapshot-webhook

[dobsonj]

Manual backport of #202 to 4.15 -- but only the parts required to get the correct permissions for the webhook. We don't want any of the volumegroupsnapshot changes backported.

/cc @openshift/storage @bertinatto @Phaow

[openshift-ci]

@dobsonj: GitHub didn't allow me to request PR reviews from the following users: openshift/storage.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

Manual backport of #202 to 4.15 -- but only the parts required to get the correct permissions for the webhook. We don't want any of the volumegroupsnapshot changes backported.

/cc @openshift/storage @bertinatto @Phaow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dobsonj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dobsonj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dobsonj]

/jira cherry-pick OCPBUGS-31497

[openshift-ci-robot]

@dobsonj: Jira Issue OCPBUGS-31497 has been cloned as Jira Issue OCPBUGS-31599. Will retitle bug to link to clone.
/retitle OCPBUGS-31599: create suitable role and roleBinding for csi-snapshot-webhook

In response to this:

/jira cherry-pick OCPBUGS-31497

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@dobsonj: This pull request references Jira Issue OCPBUGS-31599, which is invalid:

• expected dependent Jira Issue OCPBUGS-31497 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Manual backport of #202 to 4.15 -- but only the parts required to get the correct permissions for the webhook. We don't want any of the volumegroupsnapshot changes backported.

/cc @openshift/storage @bertinatto @Phaow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dobsonj]

/label backport-risk-assessed

[openshift-cherrypick-robot]

@dobsonj: once the present PR merges, I will cherry-pick it on top of release-4.14 in a new PR and assign it to you.

In response to this:

/label backport-risk-assessed
/cherry-pick release-4.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Phaow]

Hi @dobsonj, I checked the CI must-gather seems the webhook logs still have some VolumeGroupSnapshotClass RBAC errors. Even though we don't enable the VolumeGroupSnapshot feature, the webhook still list the related resources. Not sure it is related external-snapshotter/client/v6 while on 4.16 we rebase the external-snapshotter/client/v7 and cherry-pick several upstream fix patches in https://issues.redhat.com/browse/OCPBUGS-31439.

omc logs csi-snapshot-webhook-75d8ffb974-j4427
2024-04-01T22:01:05.358426627Z I0401 22:01:05.358322       1 certwatcher.go:129] Updated current TLS certificate
2024-04-01T22:01:05.374647968Z W0401 22:01:05.374603       1 reflector.go:535] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: failed to list *v1alpha1.VolumeGroupSnapshotClass: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:csi-snapshot-webhook" cannot list resource "volumegroupsnapshotclasses" in API group "groupsnapshot.storage.k8s.io" at the cluster scope
2024-04-01T22:01:05.374647968Z E0401 22:01:05.374637       1 reflector.go:147] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: Failed to watch *v1alpha1.VolumeGroupSnapshotClass: failed to list *v1alpha1.VolumeGroupSnapshotClass: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:csi-snapshot-webhook" cannot list resource "volumegroupsnapshotclasses" in API group "groupsnapshot.storage.k8s.io" at the cluster scope
2024-04-01T22:01:06.957954277Z W0401 22:01:06.957896       1 reflector.go:535] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: failed to list *v1alpha1.VolumeGroupSnapshotClass: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:csi-snapshot-webhook" cannot list resource "volumegroupsnapshotclasses" in API group "groupsnapshot.storage.k8s.io" at the cluster scope
2024-04-01T22:01:06.957954277Z E0401 22:01:06.957931       1 reflector.go:147] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: Failed to watch *v1alpha1.VolumeGroupSnapshotClass: failed to list *v1alpha1.VolumeGroupSnapshotClass: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:csi-snapshot-webhook" cannot list resource "volumegroupsnapshotclasses" in API group "groupsnapshot.storage.k8s.io" at the cluster scope
2024-04-01T22:01:08.994184894Z W0401 22:01:08.994132       1 reflector.go:535] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: failed to list *v1alpha1.VolumeGroupSnapshotClass: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:csi-snapshot-webhook" cannot list resource "volumegroupsnapshotclasses" in API group "groupsnapshot.storage.k8s.io" at the cluster scope
2024-04-01T22:01:08.994184894Z E0401 22:01:08.994162       1 reflector.go:147] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: Failed to watch *v1alpha1.VolumeGroupSnapshotClass: failed to list *v1alpha1.VolumeGroupSnapshotClass: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-cluster-storage-operator:csi-snapshot-webhook" cannot list resource "volumegroupsnapshotclasses" in API group "groupsnapshot.storage.k8s.io" at the cluster scope

[duanwei33]

@Phaow How about using a new Jira bug for VolumeGroupSnapshotClass, so that might be more easier and clear for backport. wdyt?

[Phaow]

@duanwei33 Agree, it maybe a better option. Anyway let's wait @dobsonj 's suggestions.

[dobsonj]

@Phaow How about using a new Jira bug for VolumeGroupSnapshotClass, so that might be more easier and clear for backport. wdyt?

@duanwei33 Agree, it maybe a better option. Anyway let's wait @dobsonj 's suggestions.

IMO, no need for a separate bug, I'll revise this PR. The webhook apparently will not start unless it has the VolumeGroupSnapshotClass permission too on 4.15. I won't add any support for VolumeGroupSnapshots in 4.15, but I believe it's harmless to allow the webhook permission to run the listers.

[dobsonj]

I pushed VolumeGroupSnapshotClass permissions for the webhook as a separate commit. They are required for 4.15+ but should not be needed on prior versions.

[dobsonj]

Well... even with that last change, the webhook fails with:

W0402 17:59:24.144081       1 reflector.go:535] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: failed to list *v1alpha1.VolumeGroupSnapshotClass: the server could not find the requested resource (get volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io)
E0402 17:59:24.144138       1 reflector.go:147] github.com/kubernetes-csi/external-snapshotter/client/v6/informers/externalversions/factory.go:133: Failed to watch *v1alpha1.VolumeGroupSnapshotClass: failed to list *v1alpha1.VolumeGroupSnapshotClass: the server could not find the requested resource (get volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io)

[dobsonj]

Ok, it seems we need this change backported to 4.15 to disable the VolumeGroupSnapshot listers:
kubernetes-csi/external-snapshotter@aafc456
Because in 4.15, there is no way to disable it:
https://github.com/openshift/csi-external-snapshotter/blob/50fa049ccaa48d7f7dcb165fb6e20c185a0cbd13/pkg/validation-webhook/webhook.go#L270
Once that is done, we should not need the VolumeGroupSnapshotClass RBAC permissions on 4.15.

[dobsonj]

/hold for openshift/csi-external-snapshotter#147 to merge first

[dobsonj]

/jira refresh
/test e2e-gcp-csi
/unhold

[openshift-ci-robot]

@dobsonj: This pull request references Jira Issue OCPBUGS-31599, which is valid.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.15.z) matches configured target version for branch (4.15.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• dependent bug Jira Issue OCPBUGS-31497 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-31497 targets the "4.16.0" version, which is one of the valid target versions: 4.16.0
• bug has dependents

Requesting review from QA contact:
/cc @Phaow

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

/jira refresh
/test e2e-gcp-csi
/unhold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@dobsonj: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[dobsonj]

openshift/csi-external-snapshotter#147 merged but e2e-gcp-csi still shows volumegroupsnapshotclass failures, I think we have to wait until that PR makes it into a 4.15 build before we see good test results here.

[Phaow]

/label cherry-pick-approved
/label qe-approved
Pre verify passed with pre merged build 4.15.0-0.ci.test-2024-04-07-083937-ci-ln-5hr786k-latest (build openshift/cluster-csi-snapshot-controller-operator#203).

CI looks good and check the controller operator and webhook logs works well.

$ oc logs -l app=csi-snapshot-webhook --tail=-1
I0407 09:31:33.853279       1 certwatcher.go:129] Updated current TLS certificate
Starting webhook server
I0407 09:31:33.955199       1 webhook.go:214] Starting certificate watcher
I0407 09:31:37.594538       1 certwatcher.go:129] Updated current TLS certificate
Starting webhook server
I0407 09:31:37.695398       1 webhook.go:214] Starting certificate watcher

[dobsonj]

/cherry-pick release-4.14

[openshift-cherrypick-robot]

@dobsonj: once the present PR merges, I will cherry-pick it on top of release-4.14 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[bertinatto]

/lgtm

[openshift-ci-robot]

@dobsonj: Jira Issue OCPBUGS-31599: All pull requests linked via external trackers have merged:

• openshift/cluster-csi-snapshot-controller-operator#203
• openshift/csi-external-snapshotter#147

Jira Issue OCPBUGS-31599 has been moved to the MODIFIED state.

In response to this:

Manual backport of #202 to 4.15 -- but only the parts required to get the correct permissions for the webhook. We don't want any of the volumegroupsnapshot changes backported.

/cc @openshift/storage @bertinatto @Phaow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-cherrypick-robot]

@dobsonj: new pull request created: #205

In response to this:

/cherry-pick release-4.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cluster-csi-snapshot-controller-operator-container-v4.15.0-202404081311.p0.g87d7080.assembly.stream.el9 for distgit ose-cluster-csi-snapshot-controller-operator.
All builds following this will include this PR.

[openshift-merge-robot]

Fix included in accepted release 4.15.0-0.nightly-2024-04-16-070254