LokiStack fails when at least two custom resources exist with the same name in RHOCP 4

Solution Verified - Updated -

Issue

  • Having two LokiStack Custom Resources (CRs) with the same name causes LokiStack to fail with the following errors:

    level=error name=lokistack-gateway ts=2025-04-15T07:25:49.770333877Z caller=opa.go:159 tenant=audit msg="received non-200 status code from OPA endpoint" URL=[http://localhost:8082/v1/data/lokistack/allow] body="cluster-wide SAR failed: failed to create subject access review: subjectaccessreviews.authorization.k8s.io is forbidden: User \"system:serviceaccount:openshift-logging:logging-loki-gateway\" cannot create resource \"subjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope\n" status="401 Unauthorized"
    E0415 07:25:50.011743       1 webhook.go:154] Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:openshift-logging:logging-loki-gateway" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope
    
  • Vector fails to forward logs to the Red Hat LokiStack when two LokiStack Custom Resources (CRs) exist with the same name. The error in Vector is:

    2025-04-15T07:39:17.795469Z ERROR sink{component_kind="sink" component_id=output_default_lokistack_infrastructure component_type=loki}: vector_common::internal_event::service: Service call failed. No retries or retries exhausted. error=Some(ServerError { code: 302 }) request_id=28397 error_type="request_failed" stage="sending" internal_log_rate_limit=true
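
A diagnostic sketch for the condition described above, added here and not taken from the Red Hat solution: it extracts the denied service account, resource and API group from gateway errors like the two shown, and lists LokiStack names that occur in more than one namespace. It assumes the CR listing has the shape of `oc get lokistacks.loki.grafana.com -A -o json`; the function names and the sample namespaces are hypothetical.

```python
import json
import re
from collections import defaultdict

# RBAC denial text as it appears in the gateway errors (quotes may be backslash-escaped).
FORBIDDEN_RE = re.compile(
    r'User \\?"(?P<user>system:serviceaccount:[^"\\]+)\\?" cannot create resource '
    r'\\?"(?P<resource>[^"\\]+)\\?" in API group \\?"(?P<group>[^"\\]+)\\?" '
    r'at the cluster scope'
)

def denied_reviews(log_lines):
    """Unique (service account, resource, API group) tuples denied at cluster scope."""
    hits = {(m["user"], m["resource"], m["group"])
            for line in log_lines for m in FORBIDDEN_RE.finditer(line)}
    return sorted(hits)

def duplicate_lokistack_names(list_json):
    """Map each LokiStack name found in more than one namespace to those namespaces."""
    by_name = defaultdict(list)
    for item in json.loads(list_json).get("items", []):
        by_name[item["metadata"]["name"]].append(item["metadata"]["namespace"])
    return {name: sorted(ns) for name, ns in by_name.items() if len(ns) > 1}

# Constructed sample input: the two gateway errors shortened from the Issue text, and a
# made-up CR listing (CR names and the "example-*" namespaces are hypothetical).
SAMPLE_LOGS = [
    r'caller=opa.go:159 tenant=audit body="... User \"system:serviceaccount:openshift-logging:logging-loki-gateway\" cannot create resource \"subjectaccessreviews\" in API group \"authorization.k8s.io\" at the cluster scope\n" status="401 Unauthorized"',
    'E0415 webhook.go:154] ... User "system:serviceaccount:openshift-logging:logging-loki-gateway" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope',
]
SAMPLE_LIST = json.dumps({"items": [
    {"metadata": {"name": "logging-loki", "namespace": "openshift-logging"}},
    {"metadata": {"name": "logging-loki", "namespace": "example-logging"}},
    {"metadata": {"name": "dev-loki", "namespace": "example-dev"}},
]})

if __name__ == "__main__":
    for sa, resource, group in denied_reviews(SAMPLE_LOGS):
        print(f"{sa} denied create on {resource}.{group}")
    for name, namespaces in duplicate_lokistack_names(SAMPLE_LIST).items():
        print(f"LokiStack name {name!r} is used in: {', '.join(namespaces)}")
```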
    

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • Red Hat OpenShift Logging (RHOL)
    • 5
    • 6
  • Red Hat LokiStack
    • 5
    • 6
