Bug 1431583

Summary: [cluster_lifecycle__11] missing permissions for router service account which lead router with NAMESPACE_LABELS setting does not work
Product: OpenShift Container Platform Reporter: Johnny Liu <jialiu>
Component: InstallerAssignee: Russell Teague <rteague>
Status: CLOSED CURRENTRELEASE QA Contact: Johnny Liu <jialiu>
Severity: high Docs Contact:
Priority: high    
Version: 3.5.0CC: aos-bugs, jokerman, kwoodson, mmccomas
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-20 12:19:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Johnny Liu 2017-03-13 11:00:14 UTC 
Description of problem:
see the following details.


Version-Release number of selected component (if applicable):
openshift-ansible-3.5.28-1.git.0.103513e.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. setup env with routers sharded with NAMESPACE_LABELS setting
openshift_hosted_routers=[{"name": "router", "replicas": 1, "serviceaccount": "router", "namespace": "default", "stats_port": 1936, "images": "registry.xxx.xxx.com/openshift3/ose-${component}:${version}", "edits": [{"action": "append", "key": "spec.template.spec.containers[0].env", "value": {"name": "NAMESPACE_LABELS", "value": "n=install-test"}}], "certificates": {}, "selector": "role=node,router=enabled", "ports": ["8080:8080", "443:443"]}]
2. new a project, then add label to it.
# oc new-project install-test
# oc label namespace n=install-test
3. create an app in install-test project, and expose a route for the app.

Actual results:
Try to access the app's web page, is not available.

Go to router log, found the following error:
[root@ip-172-18-4-19 ~]# oc logs router-3-qkflk
I0313 09:59:13.455777       1 router.go:475] Router reloaded:
 - Checking HAProxy /healthz on port 1936 ...
 - HAProxy port 1936 health check ok : 0 retry attempt(s).
I0313 09:59:13.455860       1 router.go:228] Router is only using routes in namespaces matching n=install-test
E0313 09:59:13.477527       1 controller.go:163] unable to find namespaces for router: User "system:serviceaccount:default:router" cannot list all namespaces in the cluster
E0313 09:59:23.481816       1 controller.go:163] unable to find namespaces for router: User "system:serviceaccount:default:router" cannot list all namespaces in the cluster


Expected results:
Installer should do do that when setting up router with NAMESPACE_LABELS setting.


Additional info:
According to https://bugzilla.redhat.com/show_bug.cgi?id=1332510#c1, need an extra step.
# oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:default:router


After add the above permission, app's url is available.
Comment 1 Scott Dodson 2017-03-13 13:53:48 UTC 
Kenny,

Is this applicable to the sharded router use case that's currently used in online?
Comment 2 Kenny Woodson 2017-03-13 16:36:38 UTC 
I think this is caused by creating the serviceaccount outside of the oc_adm_router.  I have removed the dependency in this PR: https://github.com/openshift/openshift-ansible/pull/3635

This will allow the oc adm router call to correctly setup the serviceaccount and the scc.
Comment 3 Scott Dodson 2017-03-14 00:21:18 UTC 
https://github.com/openshift/openshift-ansible/pull/3648 backport to release-1.5
Comment 5 Johnny Liu 2017-03-14 09:26:44 UTC 
(In reply to Kenny Woodson from comment #2)
> I think this is caused by creating the serviceaccount outside of the
> oc_adm_router.  I have removed the dependency in this PR:
> https://github.com/openshift/openshift-ansible/pull/3635
> 
> This will allow the oc adm router call to correctly setup the serviceaccount
> and the scc.

Re-test this but with openshift-ansible-3.5.32-1.git.0.42cf266.el7.noarch, still reproduced.

Even if call "oc adm router" command, it will not add "cluster-reader" permission to router serviceaccount, have to manually run the command to add the permission. That is why BZ#1332510 is fixed by a doc patch.
Comment 6 Russell Teague 2017-03-14 12:27:48 UTC 
Proposed: https://github.com/openshift/openshift-ansible/pull/3650
Comment 7 Russell Teague 2017-03-15 14:13:02 UTC 
Merged: https://github.com/openshift/openshift-ansible/pull/3650
Comment 8 Scott Dodson 2017-03-17 12:19:44 UTC 
Additional changes merged from comment 7, ON_QA
Comment 9 Johnny Liu 2017-03-20 10:47:35 UTC 
Verified this bug with openshift-ansible-3.6.3-1.git.0.622449e.el7.noarch.rpm, and PASS.


After installation, check:
# oc get clusterrolebinding|grep router
cluster-readers                                 /cluster-reader                                            system:cluster-readers                         management-infra/management-admin, default/router   


router with NAMESPACE_LABELS setting is working well.