Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: Error in odh-model-controller logs on deletion of ModelMesh isvc #133

Open
vaibhavjainwiz opened this issue Dec 12, 2023 · 5 comments
Open

bug: Error in odh-model-controller logs on deletion of ModelMesh isvc #133

vaibhavjainwiz opened this issue Dec 12, 2023 · 5 comments
Assignees
@vaibhavjainwiz

Comments

@vaibhavjainwiz
Copy link
Member

Below error is occuring in odh-model-controller logs on deletion of ModelMesh isvc

2023-12-12T09:36:58Z ERROR controllers.InferenceService Unable to clean up resources {"InferenceService": "example-onnx-mnist", "namespace": "kserve-demo", "error": "failed to delete ServiceAccount: serviceaccounts \"modelmesh-serving-sa\" is forbidden: User \"system:serviceaccount:opendatahub:odh-model-controller\" cannot delete resource \"serviceaccounts\" in API group \"\" in the namespace \"kserve-demo\""}
github.com/opendatahub-io/odh-model-controller/controllers.(*OpenshiftInferenceServiceReconciler).Reconcile
/workspace/controllers/inferenceservice_controller.go:76
@vaibhavjainwiz vaibhavjainwiz self-assigned this Dec 12, 2023
@vaibhavjainwiz
Copy link
Member Author

On analysis, I found that odh-model-controller-role ClusterRole which is attached the odh-model-controller pod doesn't have access to delete serviceaccounts.

This was referenced Dec 12, 2023
Closed
Closed
@vaibhavjainwiz
Copy link
Member Author

Solution:
Edit odh-model-controller-role ClusterRole to provide access for deletion of ServiceAccount.

- apiGroups:
    - ""
  resources:
    - serviceaccounts
  verbs:
    - create
    - get
    - list
    - patch
    - update
    - watch
    - delete

@vaibhavjainwiz vaibhavjainwiz linked a pull request Dec 12, 2023 that will close this issue
Allow ModelMesh and KServe to run in same namespace. #132
Closed
3 tasks
@spolti
Copy link
Member

spolti commented Dec 12, 2023

Solution: Edit odh-model-controller-role ClusterRole to provide access for deletion of ServiceAccount.

- apiGroups:
    - ""
  resources:
    - serviceaccounts
  verbs:
    - create
    - get
    - list
    - patch
    - update
    - watch
    - delete

Are all these roles needed for deletion?

@vaibhavjainwiz
Copy link
Member Author

role for create, get, list, pathc, update and watch is already assigned to serviceaccounts resource. I just added delete role.

@spolti
Copy link
Member

spolti commented Jan 2, 2024

role for create, get, list, pathc, update and watch is already assigned to serviceaccounts resource. I just added delete role.

I see, thanks, we might need to revisit it later to make sure that we are not adding unneeded roles.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vaibhavjainwiz vaibhavjainwiz

Labels
None yet
Projects
ODH Model Serving Planning
Status: Under Review
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow ModelMesh and KServe to run in same namespace. vaibhavjainwiz/odh-model-controller
2 participants
@spolti @vaibhavjainwiz