antrea-controller log

Failed to create baseline Tier on init: admission webhook "tiervalidator.antrea.io" denied the request: tier baseline priority 253 overlaps with existing Tier. Retry attempt: 57

Aantrea operator is degraded with below error

 Failed to apply operator configurations: could not create (rbac.authorization.k8s.io/v1, Kind=ClusterRole) /antrea-interworking-deregister: clusterroles.rbac.authorization.k8s.io "antrea-interworking-deregister" is forbidden: user "system:serviceaccount:antrea-operator:antrea-operator" (groups=["system:serviceaccounts" "system:serviceaccounts:antrea-operator" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:... 

There are two failures for interworking for openshift:
antrea controller continues complaining about tier overlap, tier baseline priority 253 overlaps with existing Tier

antrea operator failed to run with deregister, it is because that operator lacks of deleteCollection verb for tierentitlementbindings and tierentitlements

In fact they are same root cause, operator lack of deleteCollection verb for tierentitlementbindings and tierentitlements, which led to antrea operator failed to delete existing tier, when antrea-controller tried to startup, it tried to create tier baseline 253, but there is a existing one, so webhook denies the request.

Pending Resolutito add deleteCollection verb for tierentitlementbindings and tierentitlements 

oc edit clusterrole antrea-operator

add deleteCollection like:

- apiGroups:

  - crd.antrea.tanzu.vmware.com

 resources:

  - tierentitlementbindings

  - tierentitlements

 verbs:

  - get

  - delete

  - deletecollection

 on