Issue

• Secrets heapster-certs not found in openshift-infra project.
• Secrets "heapster-certs" is forbidden: cannot set an ownerRef on a resource.
• Unable to mount volumes for heapster pod, heapster-certs not found.
• Upgrade playbook failed to create heapster-certs in openshift-infra project.
• Cannot delete heapster-certs in openshift-infra project.
• Master controller/api logs looks like.

master.example.com atomic-openshift-master-api RBAC DENY: user "system:serviceaccount:openshift-infra:service-serving-cert-controller" groups ["system:serviceaccounts" "system:serviceaccounts:openshift-infra" "system:authenticated"] cannot "delete" resource "secrets" in namespace "openshift-infra"
master.example.com atomic-openshift-master-controllers secret_creating_controller.go:200] error syncing service, it will be retried: secrets "heapster-certs" is forbidden: cannot set an ownerRef on a resource you can't delete: User "system:serviceaccount:openshift-infra:service-serving-cert-controller" cannot delete secrets in project "openshift-infra", <nil>

• Heapster pod describe shows following events.

#oc describe pod heapster-pod
  6m            1m              10      kubelet, master.example.com                  Warning         FailedMount     MountVolume.SetUp failed for volume "kubernetes.io/secret/fbe36940-ht765-11e8-a1a1-4dfgk45678-heapster-certs" (spec.Name: "heapster-certs") pod "dfgh456-4e67-11e8-a1a1-000fdfghj56" (UID: "6789fghj-4e67-11e8-a1a1-dfghj567") with: secrets "heapster-certs" not found
  4m            1m              2       kubelet, master.example.com                  Warning         FailedMount     Unable to mount volumes for pod "heapster-POD_openshift-infra(fgh789-4e67-11e8-a1a1-34567fgh)": timeout expired waiting for volumes to attach/mount for pod "openshift-infra"/"heapster-POD". list of unattached/unmounted volumes=[heapster-certs]