After upgrading from 24.3.0 to 24.6.0 via OLM, the operator appears to be missing expected permissions on configmaps

[benhwebster]

1. Quick Debug Information

• OS/Version(e.g. RHEL8.6, Ubuntu22.04): RHEL 9.2
• Kernel Version: 5.14.0-284.71.1.el9_2.x86_64
• Container Runtime Type/Version(e.g. Containerd, CRI-O, Docker): CRI-O
• K8s Flavor/Version(e.g. K8s, OCP, Rancher, GKE, EKS): OCP 4.15.20
• GPU Operator Version: 24.6.0

2. Issue or feature description

It appears after upgrading from 24.3.0 to 24.6.0 there may be missing permissions for the operator, we're using OLM to deploy the operator on OpenShift.

list and watch on configmaps:

{"level":"info","ts":"2024-08-01T16:39:37Z","logger":"controllers.Upgrade","msg":"ProcessUncordonRequiredNodes"}
{"level":"info","ts":"2024-08-01T16:39:37Z","logger":"controllers.Upgrade","msg":"State Manager, finished processing"}
W0801 16:40:09.232591 1 reflector.go:547] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:nvidia-gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope
E0801 16:40:09.232618 1 reflector.go:150] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:nvidia-gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope
W0801 16:40:57.614741 1 reflector.go:547] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:nvidia-gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope
E0801 16:40:57.614766 1 reflector.go:150] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:nvidia-gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope
W0801 16:41:28.767493 1 reflector.go:547] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:nvidia-gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope
E0801 16:41:28.767520 1 reflector.go:150] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:nvidia-gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope
{"level":"info","ts":"2024-08-01T16:41:37Z","logger":"controllers.Upgrade","msg":"Reconciling Upgrade","upgrade":{"name":"gpu-cluster-policy"}}
{"level":"info","ts":"2024-08-01T16:41:37Z","logger":"controllers.Upgrade","msg":"Using label selector","upgrade":{"name":"gpu-cluster-policy"},"key":"openshift.driver-toolkit","value":"true"}

3. Steps to reproduce the issue

Upgrade from 24.3.0 to 24.6.0 via OLM in OpenShift

Let me know if you need anything else.

[tariq1890]

Hi @benhwebster , thank you for reporting this! Could you share your cluster-policy yaml?

[benhwebster]

apiVersion: nvidia.com/v1
kind: ClusterPolicy
metadata:
  name: gpu-cluster-policy
spec:
  migManager:
    enabled: true
  operator:
    defaultRuntime: crio
    initContainer: {}
    runtimeClass: nvidia
  dcgm:
    enabled: true
  gfd: {}
  dcgmExporter:
    config:
      name: ''
    enabled: true
    serviceMonitor:
      enabled: true
  driver:
    licensingConfig:
      configMapName: ''
      nlsEnabled: false
    enabled: true
    certConfig:
      name: ''
    repository: nvcr.io/nvidia
    kernelModuleConfig:
      name: ''
    upgradePolicy:
      autoUpgrade: true
      drain:
        deleteEmptyDir: true
        enable: true
        force: true
        podSelector: ''
        timeoutSeconds: 300
      maxParallelUpgrades: 1
      maxUnavailable: 25%
      podDeletion:
        deleteEmptyDir: true
        force: true
        timeoutSeconds: 300
      waitForCompletion:
        podSelector: ''
        timeoutSeconds: 300
    repoConfig:
      configMapName: ''
    version: 550.90.07
    virtualTopology:
      config: ''
    image: driver
  devicePlugin: {}
  mig:
    strategy: single
  validator:
    plugin:
      env:
        - name: WITH_WORKLOAD
          value: 'true'
  nodeStatusExporter:
    enabled: true
  daemonsets:
    priorityClassName: system-node-critical
    updateStrategy: RollingUpdate
  toolkit:
    enabled: true
    installDir: /usr/local/nvidia
status:
  conditions:
    - lastTransitionTime: '2024-07-11T22:21:33Z'
      message: ClusterPolicy is ready as all resources have been successfully reconciled
      reason: Reconciled
      status: 'True'
      type: Ready
    - lastTransitionTime: '2024-07-11T22:21:33Z'
      message: ''
      reason: Ready
      status: 'False'
      type: Error
  namespace: nvidia-gpu-operator
  state: ready

[tariq1890]

Thank you! We are trying to reproduce this

[tariq1890]

@benhwebster We are still trying to replicate this issue. In the meantime, can you run the must_gather script and shares its result with us? This will capture the relevant details of your cluster and help us better troubleshoot this issue

Here are the commands you need to run

curl -o must-gather.sh -L https://raw.githubusercontent.com/NVIDIA/gpu-operator/master/hack/must-gather.sh 
chmod +x must-gather.sh
./must-gather.sh

[benhwebster]

@tariq1890 The must gather is too large (11MB) to send to operator_feedback@nvidia.com directly, I've sent a link to it instead, if that's a problem or you have another way you'd like to receive it, let me know.

[cdesiniotis]

This is fixed by: 2993021

[charanteja333]

@cdesiniotis when can we expect new GPU operator images generated and pushed to registry ? Thanks

[pkris]

Hi @cdesiniotis @tariq1890,
I see the same issue as @benhwebster in one of our lab OpenShift clusters that went through an operator upgrade:

NAME DISPLAY VERSION REPLACES PHASE gpu-operator-certified.v24.6.0 NVIDIA GPU Operator 24.6.0 gpu-operator-certified.v24.3.0 Succeeded

NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.15.22 True False 21h Cluster version is 4.15.22

Last log entries from the gpu-operator pod:
W0807 05:59:47.951531 1 reflector.go:547] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:nvidia-gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope E0807 05:59:47.951569 1 reflector.go:150] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:nvidia-gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope

Cheers,
Paul

[cdesiniotis]

@pkris thank you for reporting this issue as well. If you would like to test out the fix ahead of time, you can try this image ghcr.io/nvidia/gpu-operator:2ad39e6e-ubi8

@charanteja333 we are planning to release a patch soon to address this issue.

[chrisholzheimer]

Is this fix for OpenShift only? We are using vSphere with Tanzu 7 do have the same issue, when upgrading from 24.3.0 to 24.6.0:

W0808 10:34:08.378209 1 reflector.go:547] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope E0808 10:34:08.378261 1 reflector.go:150] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope W0808 10:34:09.476831 1 reflector.go:547] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope E0808 10:34:09.476863 1 reflector.go:150] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope W0808 10:34:11.274554 1 reflector.go:547] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope E0808 10:34:11.274587 1 reflector.go:150] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope W0808 10:34:15.130815 1 reflector.go:547] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope E0808 10:34:15.130854 1 reflector.go:150] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gpu-operator:gpu-operator" cannot list resource "configmaps" in API group "" at the cluster scope

[pkris]

@pkris thank you for reporting this issue as well. If you would like to test out the fix ahead of time, you can try this image ghcr.io/nvidia/gpu-operator:2ad39e6e-ubi8

@charanteja333 we are planning to release a patch soon to address this issue.

@cdesiniotis: is it supported to change the operator image if it's managed by the OLM ecosystem? If yes, would you happen to have docs on this?

[tariq1890]

Is this fix for OpenShift only? We are using vSphere with Tanzu 7 do have the same issue, when upgrading from 24.3.0 to 24.6.0:

@chrisholzheimer Just to be clear, this fix will apply to all platforms. So our next patch release (v24.6.1) will fix the issue you see in your tanzu cluster

[benhwebster]

@pkris thank you for reporting this issue as well. If you would like to test out the fix ahead of time, you can try this image ghcr.io/nvidia/gpu-operator:2ad39e6e-ubi8
@charanteja333 we are planning to release a patch soon to address this issue.

@cdesiniotis: is it supported to change the operator image if it's managed by the OLM ecosystem? If yes, would you happen to have docs on this?

To my knowledge there isn't a supported/good way to do this, to get around it I stopped the OLM operator pod (scaled down deployment) then updated the image on the GPU operator deployment, let it finished updating/deploying the new version of the operator, and then scaled back up the OLM operator, and it didn't reconcile the image back. If the OLM operator is running when updating the image it will immediately reconcile it back. Once the GPU operator was updated it went through and updated everything.

If you're not having issues you may just want to wait for the patch release to deal with that, but if you really need it to do stuff that's what worked for me, I think OLM reconciled it back eventually but it was able to update the driver components/config changes before then.