Skip to content

VMFR controller fails to create resources in user specified namespace #60

Open
Open
VMFR controller fails to create resources in user specified namespace#60
@weshayutin

Description

@weshayutin
weshayutin
opened on Feb 23, 2026

Jira Issue: OADP-7467

Description of problem:

Created VMFR CR with spec.restoreNamespace field, controller is unable to create resource due to permission issue. It works fine without specifying the restoreNamespace field.

Controller logs

2026-02-17T06:20:17.162Z ERROR File server creation failed {"controller": "virtualmachinefilerestore", "controllerGroup": "oadp.openshift.io", "controllerKind": "VirtualMachineFileRestore", "VirtualMachineFileRestore": {"name":"test-vmfr1","namespace":"openshift-adp"}, "namespace": "openshift-adp", "name": "test-vmfr1", "reconcileID": "4527ccca-57a9-4bb1-8e5c-129110593e5b", "error": "failed to create file server pod: pods \"test-vmfr1-fileserver\" is forbidden: error looking up service account vmfr-restore-namespace/vmfr-file-server: serviceaccount \"vmfr-file-server\" not found"}

2026-02-17T06:20:17.173Z ERROR Reconciler error {"controller": "virtualmachinefilerestore", "controllerGroup": "oadp.openshift.io", "controllerKind": "VirtualMachineFileRestore", "VirtualMachineFileRestore": {"name":"test-vmfr1","namespace":"openshift-adp"}, "namespace": "openshift-adp", "name": "test-vmfr1", "reconcileID": "4527ccca-57a9-4bb1-8e5c-129110593e5b", "error": "validation failed: Failed to create file server resources: failed to create file server pod: pods \"test-vmfr1-fileserver\" is forbidden: error looking up service account vmfr-restore-namespace/vmfr-file-server: serviceaccount \"vmfr-file-server\" not found"}

Version-Release number of selected component (if applicable):

OADP operator deployed via oadp-dev branch

How reproducible:

Always

Steps to Reproduce:

  1. Deploy a VM
  2. Create backup of VM namespace
  3. Create VMBD CR
  4. Create a namespace where you want to filesystem resources:
$ oc create ns vmfr-restore-namespace
  1. Create VMFR CR with restoreNamespace field:
apiVersion: oadp.openshift.io/v1alpha1
kind: VirtualMachineFileRestore
metadata:
  name: test-vmfr1
  namespace: openshift-adp
spec:
  backupsDiscoveryRef: test-vmbd
  fileAccess:
    ssh: {}
  restoreNamespace: vmfr-restore-namespace

Actual results:

VMFR fails with below error:

$ oc get vmfr test-vmfr1 -o yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: VirtualMachineFileRestore
metadata:
  creationTimestamp: "2026-02-17T06:20:15Z"
  finalizers:
  - oadp.openshift.io/velero-restore-cleanup-finalizer
  - oadp.openshift.io/vm-file-restore-finalizer
  generation: 1
  name: test-vmfr1
  namespace: openshift-adp
  resourceVersion: "16083610"
  uid: ae47513e-9714-4f94-be08-99a26f6869d4
spec:
  backupsDiscoveryRef: test-vmbd
  fileAccess:
    ssh: {}
  restoreNamespace: vmfr-restore-namespace
status:
  conditions:
  - lastTransitionTime: "2026-02-17T06:20:17Z"
    message: 'Failed to create file server resources: failed to create file server
      pod: pods "test-vmfr1-fileserver" is forbidden: error looking up service account
      vmfr-restore-namespace/vmfr-file-server: serviceaccount "vmfr-file-server" not
      found'
    reason: ValidationFailed
    status: "False"
    type: Progressing
  phase: Failed

Expected results:

VMFR should not fail with permission denied error. The service account should be created in the user-specified namespace.

Additional info:

Reporter: Prasad Joshi
Assignee: Wes Hayutin

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions