[RHOCP 4.6] Authentication operator degraded with error "WellKnownReadyController_SyncError"
Environment
- Red Hat OpenShift Container Platform
- 4.6 IPI
- VMware vSphere
Issue
- The Authentication Operator fails with the error:
  message: 'WellKnownReadyControllerDegraded: failed to GET kube-apiserver oauth
    endpoint https://10.xx.yy.zz:6443/.well-known/oauth-authorization-server: Forbidden'
  reason: WellKnownReadyController_SyncError
  status: 'True'
  type: Degraded
Resolution
- Edit the proxy configuration:
  $ oc edit proxy/cluster
- Check the noProxy parameter in the spec section:
  spec:
    httpProxy: http://<ip>:80
    httpsProxy: http://<ip>:80
    noProxy: example.com
- Add the machine CIDR and the vCenter IP to the noProxy parameter.
Root Cause
noProxy should contain a list of destination domain names, domains, IP addresses, or other network CIDRs to exclude from proxying. One must include vCenter's IP address and the IP range that is used for its machines.
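The following check is an added example, not part of the original solution: it reports which noProxy entry, if any, exempts a destination from proxying, before and after the fix. The matching rules (exact IP, CIDR membership, domain suffix), the function name, and the addresses 192.0.2.0/24, 192.0.2.10 and 198.51.100.5 are assumptions for illustration; substitute your own machine CIDR, API IP and vCenter IP.

```python
import ipaddress

def matching_no_proxy_entry(dest, no_proxy):
    """Return the noProxy entry that exempts dest from proxying, or None."""
    host = dest.strip().lower().rstrip(".")
    try:
        dest_ip = ipaddress.ip_address(host)
    except ValueError:
        dest_ip = None  # dest is a host name, not an IP literal

    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if entry == "*":
            return entry  # wildcard: nothing is proxied
        if dest_ip is not None:
            try:
                # A bare IP parses as a /32 (or /128) network.
                if dest_ip in ipaddress.ip_network(entry, strict=False):
                    return entry
            except ValueError:
                pass  # domain entry, cannot match an IP destination
        elif entry.startswith("."):
            if host.endswith(entry):
                return entry  # ".example.com" matches subdomains only
        elif host == entry or host.endswith("." + entry):
            return entry
    return None

# Constructed sample values (documentation address ranges, not from the page).
MACHINE_CIDR = "192.0.2.0/24"
VCENTER_IP = "198.51.100.5"
API_IP = "192.0.2.10"

BEFORE = "example.com"  # noProxy as shown in the spec above
AFTER = ",".join([BEFORE, MACHINE_CIDR, VCENTER_IP])

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        for dest in (API_IP, VCENTER_IP):
            hit = matching_no_proxy_entry(dest, value)
            route = f"direct (matched {hit})" if hit else "via proxy"
            print(f"{label:6} noProxy={value!r}: {dest} -> {route}")
```

With the original value, the API IP matches no entry and is sent to the proxy, which is consistent with the Forbidden response in the operator status.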
Diagnostic Steps
- Log in to the OAuth pod and check if you can reach the API through the proxy:
  $ oc rsh <oauth pod>
  $ curl -kv https://$API:6443/.well-known/oauth-authorization-server
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.