Bug 1461856

Summary: Support watching role bindings in the OpenShift REST API
Product: OpenShift Container Platform
Component: RFE
Version: 3.4.0
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: unspecified
Reporter: Roddie Kieley <rkieley>
Assignee: Simo Sorce <ssorce>
QA Contact: Xiaoli Tian <xtian>
CC: aleks, aos-bugs, jokerman, michael.voegele, mmccomas, ssorce
Target Release: 3.7.0
Hardware: All
OS: All
Last Closed: 2018-01-07 14:50:13 UTC
Type: Bug

Description Roddie Kieley 2017-06-15 12:55:03 UTC
Description of problem:

Watcher with resource RoleBinding not working:

oc get rolebinding -w              
NAME                    ROLE                    USERS       GROUPS                             SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  developer                                                          
system:deployers        /system:deployer                                                       deployer            
system:image-builders   /system:image-builder                                                  builder             
system:image-pullers    /system:image-puller                system:serviceaccounts:myproject                       
Error from server (NotFound): the server could not find the requested resource (get rolebindings)

That last error shows that the standard watch URL (e.g. https://openshiftapi/oapi/v1/watch/namespaces/myproject/rolebindings) doesn't exist for that resource kind.


Version-Release number of selected component (if applicable):


How reproducible:

All the time

Steps to Reproduce:
1. oc get rolebinding -w

Actual results:

Error from server (NotFound): the server could not find the requested resource (get rolebindings)

Expected results:

Being able to get and watch role bindings

Additional info:

Comment 1 Roddie Kieley 2017-06-15 13:00:04 UTC
Use-case is the following:

- we provide egress functionality to customers in an automated way (egress: call external services either on the internet or in core IT/company internal network, and this per tenant)

- customer creates a configmap with configuration, a controller listens to configmap changes and deploys a proxy (squid or haproxy) to a shadow project of the customer's main project (this was necessary because of flexibility of nodeselector... service on internet -> proxy needs to be deployed on a node that has access to the internet, service in core IT of a specific customer -> deploy proxy to a node that has access over VPN to that customer's core IT)

- in order for the customer to see if the proxies are running or to have a look at the logs of the proxies, we give view rights on the shadow projects (everyone or every group that has any right on the main project is taken over to the shadow project as viewer only)

- the controller I implemented creates the shadow project when the first proxy is needed (the projects are peered, meaning the netid on the shadow project is set equal to the netid of the main project; by the way, netnamespace in OpenShift provides this and netnamespace does not exist in the fabric8 client, I did my own implementation)

- so when the shadow namespace is created, rolebindings are taken over as view 

- changes in rolebindings

Comment 2 Jordan Liggitt 2017-06-15 13:24:14 UTC
Watching roles and rolebindings will be supported once we collapse onto the kubernetes RBAC API types. That is currently planned for the 3.7-3.8 timeframe.

Comment 3 Roddie Kieley 2017-06-15 13:29:48 UTC
Thanks Jordan for the quick feedback on where this fits in the roadmap.

Comment 4 Roddie Kieley 2017-10-23 12:07:00 UTC
Do we know if this functionality is still on track for the 3.7 OCP release?

Comment 5 Simo Sorce 2017-10-24 16:48:18 UTC
In 3.7 we migrated to use Kubernetes RBAC, which is backed by actual objects. So watching RBAC Role Bindings should just work.

Comment 6 Roddie Kieley 2017-10-24 16:50:45 UTC
Thanks for the quick update, will see if things just work with the 3.7 release!

Comment 8 Simo Sorce 2018-01-07 14:50:13 UTC
Shipped in GA
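
The mirroring described in Comment 1, driven by the RoleBinding watch events that Comment 5 says work from 3.7 on, as an added example that is not the reporter's controller or OpenShift code. It assumes the Kubernetes RBAC RoleBinding shape; the sample events, the `myproject-shadow` namespace, the `mirrored-viewers` binding name and the choice to mirror only User and Group subjects are assumptions.

```python
import json

MIRRORED_KINDS = {"User", "Group"}  # assumption: service accounts are not mirrored

def _ev(etype, name, role, *subjects):
    """Constructed watch event wrapping a RoleBinding in the Kubernetes RBAC shape."""
    return {"type": etype, "object": {
        "metadata": {"name": name, "namespace": "myproject"},
        "roleRef": {"kind": "ClusterRole", "name": role},
        "subjects": [{"kind": k, "name": n} for k, n in subjects]}}

# Constructed sample stream for the main project; all names are made up.
SAMPLE_EVENTS = [
    _ev("ADDED", "admin", "admin", ("User", "developer")),
    _ev("ADDED", "system:deployers", "system:deployer", ("ServiceAccount", "deployer")),
    _ev("ADDED", "edit", "edit", ("Group", "ops"), ("User", "alice")),
    _ev("MODIFIED", "edit", "edit", ("Group", "ops")),
    _ev("DELETED", "admin", "admin", ("User", "developer")),
]

def apply_event(state, event):
    """Fold one watch event into state: binding name -> set of (kind, name)."""
    etype, obj = event["type"], event["object"]
    if etype == "ERROR":
        raise RuntimeError("watch error, re-list required: %s" % obj.get("message"))
    if etype == "DELETED":
        state.pop(obj["metadata"]["name"], None)  # revokes the mirrored access
    elif etype in ("ADDED", "MODIFIED"):
        state[obj["metadata"]["name"]] = {
            (s["kind"], s["name"]) for s in obj.get("subjects") or []
            if s["kind"] in MIRRORED_KINDS}
    return state  # other event types (e.g. BOOKMARK) change no binding

def shadow_view_binding(state, shadow_ns):
    """Desired shadow-project binding: every mirrored subject, role 'view' only."""
    api = "rbac.authorization.k8s.io"
    subjects = sorted(set().union(*state.values()))
    return {"apiVersion": api + "/v1", "kind": "RoleBinding",
            "metadata": {"name": "mirrored-viewers", "namespace": shadow_ns},
            "roleRef": {"apiGroup": api, "kind": "ClusterRole", "name": "view"},
            "subjects": [{"apiGroup": api, "kind": k, "name": n} for k, n in subjects]}

def replay(events, shadow_ns="myproject-shadow"):  # shadow_ns is hypothetical
    state = {}
    for event in events:
        apply_event(state, event)
    return shadow_view_binding(state, shadow_ns)

if __name__ == "__main__":
    print(json.dumps(replay(SAMPLE_EVENTS), indent=2))
```

Whatever role a subject holds in the main project, the shadow binding only ever references `view`, and a MODIFIED or DELETED event removes the subject from the shadow project as soon as no main-project binding names it.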