Master /healthz returns 403 Forbidden during upgrade to OCP 3.6

Solution In Progress - Updated -

Issue

Executing:

curl https://<master-fqdn>/healthz

prints

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:anonymous\" cannot \"get\" on \"/healthz\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}

Environment

While upgrading OpenShift 3.5 to 3.6, we see that:

# curl https://<master-fqdn>/healthz
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:anonymous\" cannot \"get\" on \"/healthz\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}

This is an error. In the atomic-openshift-master-api logs we can see messages similar to:

<date> <time> <master_fqdn> atomic-openshift-master-api[87060]: I0315 15:37:01.534660   87060 round_trippers.go:405] GET <master_url>/apis/authorization.openshift.io/v1/policies?resourceVersion=0 404 Not Found in 0 milliseconds

and

<date> <time> <master_fqdn> atomic-openshift-master-api[<pid>]: E0315 <timestamp>  <pid> reflector.go:201] github.com/openshift/origin/pkg/authorization/generated/informers/internalversion/factory.go:45: Failed to list *authorization.Policy: the server could not find the requested resource
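
A triage helper for the symptom described above, as an added example that is not part of the original article or of Red Hat's tooling: it checks whether a /healthz reply is the anonymous 403 Status object and whether master-api log lines carry the two authorization.Policy messages. The function names, the host master.example.com, port 8443, the pid and timestamps in the sample, and the treatment of HTTP 200 as healthy are assumptions; the sample input is constructed from the output quoted on this page.

```python
import json
import re

# Signatures taken from the two master-api log lines quoted above.
POLICY_404 = re.compile(
    r"round_trippers\.go:\d+\] GET \S*/apis/authorization\.openshift\.io/v1/policies\S* 404 Not Found")
POLICY_LIST_FAILED = re.compile(
    r"reflector\.go:\d+\].*Failed to list \*authorization\.Policy: "
    r"the server could not find the requested resource")

def classify_healthz(http_code, body):
    """Return 'ok', 'anonymous-forbidden' or 'other' for a /healthz reply."""
    if http_code == 200:  # assumption: any 200 reply counts as healthy
        return "ok"
    try:
        status = json.loads(body)
    except ValueError:
        return "other"
    if (isinstance(status, dict) and status.get("kind") == "Status"
            and status.get("code") == 403 and status.get("reason") == "Forbidden"
            and "system:anonymous" in status.get("message", "")):
        return "anonymous-forbidden"
    return "other"

def scan_master_api_log(lines):
    """Count lines matching each authorization.Policy signature."""
    hits = {"policy_404": 0, "policy_list_failed": 0}
    for line in lines:
        hits["policy_404"] += bool(POLICY_404.search(line))
        hits["policy_list_failed"] += bool(POLICY_LIST_FAILED.search(line))
    return hits

def matches_article(http_code, body, lines):
    """True when both the 403 reply and at least one log signature are present."""
    forbidden = classify_healthz(http_code, body) == "anonymous-forbidden"
    return forbidden and any(scan_master_api_log(lines).values())

# Constructed sample input, modelled on the output quoted in this article.
SAMPLE_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": 'User "system:anonymous" cannot "get" on "/healthz"',
    "reason": "Forbidden", "details": {}, "code": 403})
SAMPLE_LOG = [
    "Mar 15 15:37:01 master.example.com atomic-openshift-master-api[87060]: I0315 15:37:01.534660   87060 round_trippers.go:405] GET https://master.example.com:8443/apis/authorization.openshift.io/v1/policies?resourceVersion=0 404 Not Found in 0 milliseconds",
    "Mar 15 15:37:01 master.example.com atomic-openshift-master-api[87060]: E0315 15:37:01.540000   87060 reflector.go:201] github.com/openshift/origin/pkg/authorization/generated/informers/internalversion/factory.go:45: Failed to list *authorization.Policy: the server could not find the requested resource",
    "Mar 15 15:37:02 master.example.com atomic-openshift-master-api[87060]: I0315 15:37:02.000000   87060 round_trippers.go:405] GET https://master.example.com:8443/api/v1/namespaces 200 OK in 1 milliseconds",
]
if __name__ == "__main__":
    print(classify_healthz(403, SAMPLE_BODY), scan_master_api_log(SAMPLE_LOG))
```

To use it against a live master, pass the HTTP code and body from the curl command above and the lines from the atomic-openshift-master-api journal.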
