Issue
After upgrading to CloudBees CI on modern cloud platforms 2.541.3.36069 with Hibernation.Enabled: true and rbac.install: false, the managed-master-hibernation-monitor pod continuously logs 403 Forbidden authentication errors and managed controller hibernation stops functioning. The pod remains in Running state with no restarts, making the failure difficult to detect.
The following error appears in the managed-master-hibernation-monitor pod logs:
WARN [com.clo.ci.aut.ser.KubernetesTokenAuthenticator] (executor-thread-1) Error authenticating token: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://<kubernetes-api>:443/apis/authentication.k8s.io/v1/tokenreviews. Message: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:<namespace>:managed-master-hibernation-monitor" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope. Received status: Status(code=403, reason=Forbidden ...)
This prevents the hibernation monitor from authenticating tokens, causing managed controller hibernation to fail silently.
Environment
-
CloudBees CI on modern cloud platforms - managed controller >= 2.541.3.36065
Applies when
Hibernation.Enabled: trueandrbac.install: falsein thecloudbees-coreHelm chart.
Explanation
Version 2.541.3.36065 introduced KubernetesTokenAuthenticator as a new authentication mechanism in the managed-master-hibernation-monitor component. This mechanism validates inbound tokens by calling the Kubernetes TokenReview API at the cluster scope.
The CloudBees CI on modern cloud platforms Helm chart includes a dedicated template (managed-master-hibernation-monitor-clusterrolebinding.yaml) that creates a ClusterRoleBinding binding the managed-master-hibernation-monitor service account to the Kubernetes built-in system:auth-delegator ClusterRole. This grants the required create permission on tokenreviews.
This template is only rendered when both of the following Helm values are set:
Hibernation: Enabled: true rbac: install: true # if false, the ClusterRoleBinding is not created
In environments where rbac.install: false — typically where Kubernetes RBAC is managed externally — the ClusterRoleBinding is not created during a Helm upgrade, resulting in the 403 error.
Resolution
Before applying a resolution, confirm the root cause:
-
Verify the
ClusterRoleBindingis missing:kubectl get clusterrolebinding | grep hibernationNo output indicates the
ClusterRoleBindingwas not created. -
Confirm
rbac.installis set tofalsein the current Helm values:helm get values <release-name> -n <namespace> -
Confirm the Helm chart did not render the
ClusterRoleBinding:helm get manifest <release-name> -n <namespace> | grep -A 20 "tokenreview"No output confirms the
ClusterRoleBindingis absent from the installed chart.
Apply one of the following options depending on your RBAC management approach.
Option A: Enable Helm-managed RBAC
If rbac.install can be changed to true, run a Helm upgrade:
helm upgrade <release-name> cloudbees/cloudbees-core \ --version <chart-version> \ --namespace <namespace> \ --reuse-values \ --set rbac.install=true
The Helm chart automatically creates the required ClusterRoleBinding.
Option B: Apply the ClusterRoleBinding manually
If rbac.install must remain false, request your cluster administrator to apply the following manifest:
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: managed-master-hibernation-monitor-<namespace> roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount name: managed-master-hibernation-monitor namespace: <namespace>
Replace <namespace> with the namespace where CloudBees CI on modern cloud platforms operations center is deployed. system:auth-delegator is a Kubernetes built-in ClusterRole that already exists in all Kubernetes and OpenShift clusters and does not need to be created.
|
Apply the manifest:
# Kubernetes kubectl apply -f <filename>.yaml # OpenShift oc apply -f <filename>.yaml
Post-resolution verification
After applying either option, restart the pod and confirm the error no longer appears:
# Kubernetes kubectl rollout restart deployment/managed-master-hibernation-monitor -n <namespace> kubectl logs -f deployment/managed-master-hibernation-monitor -n <namespace> # OpenShift oc rollout restart deployment/managed-master-hibernation-monitor -n <namespace> oc logs -f deployment/managed-master-hibernation-monitor -n <namespace>
The 403 Forbidden error should no longer appear in the logs.