Master /healthz returns 403 Forbidden during upgrade to OCP 3.6

Solution In Progress

Issue

Executing:

curl https://<master-fqdn>/healthz

prints

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:anonymous\" cannot \"get\" on \"/healthz\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}

Environment

While upgrading OpenShift 3.5 to 3.6, we see the following:

# curl https://<master-fqdn>/healthz
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:anonymous\" cannot \"get\" on \"/healthz\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}

This response is an error. The atomic-openshift-master-api logs show messages similar to

<date> <time> <master_fqdn> atomic-openshift-master-api[87060]: I0315 15:37:01.534660   87060 round_trippers.go:405] GET <master_url>/apis/authorization.openshift.io/v1/policies?resourceVersion=0 404 Not Found in 0 milliseconds

and

<date> <time> <master_fqdn> atomic-openshift-master-api[<pid>]: E0315 <timestamp>  <pid> reflector.go:201] github.com/openshift/origin/pkg/authorization/generated/informers/internalversion/factory.go:45: Failed to list *authorization.Policy: the server could not find the requested resource
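
A triage check for the symptom described above, added here as an example (not Red Hat's code): it classifies a /healthz response body and counts the two log signatures in atomic-openshift-master-api output. The function names and the sample host name, times and PID are assumptions made for the example.

```python
import json
import re

# Signatures of the two master-api log messages quoted above.
POLICY_404 = re.compile(r"round_trippers\.go:\d+\] GET \S*"
                        r"/apis/authorization\.openshift\.io/v1/policies\S* 404 Not Found")
POLICY_LIST_FAILED = re.compile(r"reflector\.go:\d+\] .*Failed to list \*authorization\.Policy: "
                                r"the server could not find the requested resource")

def classify_healthz(body):
    """Classify a /healthz response body: 'ok', 'anonymous-forbidden' or 'other'."""
    if body.strip() == "ok":  # a healthy API server answers with the plain text "ok"
        return "ok"
    try:
        status = json.loads(body)
    except ValueError:
        return "other"
    if not isinstance(status, dict):
        return "other"
    forbidden = (status.get("kind") == "Status" and status.get("code") == 403
                 and status.get("reason") == "Forbidden")
    if forbidden and "system:anonymous" in str(status.get("message", "")):
        return "anonymous-forbidden"
    return "other"

def scan_master_log(lines):
    """Count the authorization.Policy signatures in master-api log lines."""
    hits = {"policy_api_404": 0, "policy_list_failed": 0}
    for line in lines:
        if POLICY_404.search(line):
            hits["policy_api_404"] += 1
        elif POLICY_LIST_FAILED.search(line):
            hits["policy_list_failed"] += 1
    return hits

def matches_article(healthz_body, log_lines):
    """True when the anonymous 403 coincides with at least one Policy log signature."""
    anonymous_403 = classify_healthz(healthz_body) == "anonymous-forbidden"
    return anonymous_403 and any(scan_master_log(log_lines).values())

# Constructed sample input: host name, times and PID are made up for this example.
PREFIX = "Mar 15 15:37:01 master.example.com atomic-openshift-master-api[87060]: "
URL = "https://master.example.com:8443"
SAMPLE_BODY = json.dumps({"kind": "Status", "status": "Failure", "reason": "Forbidden", "code": 403,
                          "message": 'User "system:anonymous" cannot "get" on "/healthz"'})
SAMPLE_LOG = [
    PREFIX + "I0315 15:37:01.534660   87060 round_trippers.go:405] GET " + URL + "/apis/authorization.openshift.io/v1/policies?resourceVersion=0 404 Not Found in 0 milliseconds",
    PREFIX + "E0315 15:37:01.535102   87060 reflector.go:201] github.com/openshift/origin/pkg/authorization/generated/informers/internalversion/factory.go:45: Failed to list *authorization.Policy: the server could not find the requested resource",
    PREFIX + "I0315 15:37:02.000001   87060 round_trippers.go:405] GET " + URL + "/api/v1/namespaces 200 OK in 2 milliseconds",
]
```
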
