Bug 1431583
| Summary: | [cluster_lifecycle__11] missing permissions for router service account, which leads to the router with NAMESPACE_LABELS setting not working | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Johnny Liu <jialiu> |
| Component: | Installer | Assignee: | Russell Teague <rteague> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Johnny Liu <jialiu> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 3.5.0 | CC: | aos-bugs, jokerman, kwoodson, mmccomas |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-03-20 12:19:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Johnny Liu
2017-03-13 11:00:14 UTC
Kenny, is this applicable to the sharded router use case that's currently used in online?

I think this is caused by creating the serviceaccount outside of the oc_adm_router. I have removed the dependency in this PR: https://github.com/openshift/openshift-ansible/pull/3635

This will allow the oc adm router call to correctly set up the serviceaccount and the scc.

https://github.com/openshift/openshift-ansible/pull/3648 backport to release-1.5

(In reply to Kenny Woodson from comment #2)
> I think this is caused by creating the serviceaccount outside of the
> oc_adm_router. I have removed the dependency in this PR:
> https://github.com/openshift/openshift-ansible/pull/3635
>
> This will allow the oc adm router call to correctly set up the serviceaccount
> and the scc.

Re-tested this with openshift-ansible-3.5.32-1.git.0.42cf266.el7.noarch, still reproduced. Even if the "oc adm router" command is called, it will not add the "cluster-reader" permission to the router serviceaccount; the command to add the permission has to be run manually. That is why BZ#1332510 is fixed by a doc patch.

Verified this bug with openshift-ansible-3.6.3-1.git.0.622449e.el7.noarch.rpm, and it passed. After installation, check:

```
# oc get clusterrolebinding|grep router
cluster-readers    /cluster-reader    system:cluster-readers    management-infra/management-admin, default/router
```

The router with the NAMESPACE_LABELS setting is working well.
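The verification step above greps `oc get clusterrolebinding` for the string `router`, which also matches the router's own `system:router` binding and so does not by itself prove that the `cluster-reader` grant the bug is about is present. Below is an added example, not part of the bug report or of openshift-ansible, that checks the role column specifically and prints the manual remediation command for a cluster that still reproduces the problem. The `cluster-readers` output line is the one from the verification comment; the second sample line and the binding name `router-router-role` are constructed for the example, and the remediation command (`oc adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:default:router`) is this editor's suggestion, not quoted from the doc patch referenced in BZ#1332510.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether a router service
# account is bound to the cluster-reader cluster role, which the router needs
# in order to list namespaces when NAMESPACE_LABELS is set.
#
# router_has_cluster_reader BINDINGS SA
#   BINDINGS: text output of `oc get clusterrolebinding` in the 3.x format
#             (name, role, groups, users/serviceaccounts)
#   SA:       service account as NAMESPACE/NAME, e.g. default/router
# Returns 0 only when SA appears on a row whose role column is /cluster-reader,
# so a match on the router's own /system:router binding does not count.
router_has_cluster_reader() {
    bindings=$1
    sa=$2
    printf '%s\n' "$bindings" | awk -v sa="$sa" '
        $2 == "/cluster-reader" {
            # subjects are comma separated across the trailing columns
            for (i = 3; i <= NF; i++) {
                s = $i
                gsub(/,/, "", s)
                if (s == sa) { found = 1 }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Manual remediation for a 3.5 cluster that reproduces the bug (assumption:
# the router service account is NAMESPACE/NAME as passed in $1).
fix_cmd() {
    printf 'oc adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:%s:%s\n' \
        "${1%/*}" "${1#*/}"
}

# Constructed sample output. BEFORE_FIX models the broken 3.5 install: the
# router SA has its system:router binding but no cluster-reader. AFTER_FIX
# reuses the cluster-readers line from the 3.6 verification comment.
BEFORE_FIX='cluster-readers    /cluster-reader    system:cluster-readers    management-infra/management-admin
router-router-role /system:router                                default/router'
AFTER_FIX='cluster-readers    /cluster-reader    system:cluster-readers    management-infra/management-admin, default/router
router-router-role /system:router                                default/router'

for state in BEFORE_FIX AFTER_FIX; do
    eval "bindings=\$$state"
    if router_has_cluster_reader "$bindings" default/router; then
        echo "$state: default/router has cluster-reader"
    else
        echo "$state: default/router lacks cluster-reader; run: $(fix_cmd default/router)"
    fi
done
```

On a live cluster, pass the real output in with `router_has_cluster_reader "$(oc get clusterrolebinding)" default/router`; a non-zero exit means NAMESPACE_LABELS-based sharding will silently match nothing until the binding is added.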