Bug 1512042

Summary: Local Registry Adapter should not display APBs that can't be deployed from a namespace other than 'openshift'
Product: OpenShift Container Platform
Reporter: Dylan Murray <dymurray>
Component: Service Broker
Assignee: Shawn Hurley <shurley>
Status: CLOSED ERRATA
QA Contact: Zhang Cheng <chezhang>
Severity: unspecified
Priority: unspecified
Version: 3.8.0
CC: aos-bugs, dymurray, jmatthew, shurley
Target Milestone: ---
Target Release: 3.9.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2018-06-27 18:01:30 UTC
Type: Bug

Description Dylan Murray 2017-11-10 18:06:57 UTC
Description of problem:
Right now the local registry adapter works well with the 'openshift' namespace because that is a shared-resource namespace where any authenticated user has access to the imagestreams within it. We have seen issues when testing on an environment that does not use the 'openshift' namespace, because the transient APB service account does not always have the ability to access the images within namespace 'foo'.

Version-Release number of selected component (if applicable):
3.8.0

How reproducible:
100%, if the namespace does not grant access to all authenticated users.

Steps to Reproduce:
1. Configure the local registry adapter with namespace: 'foo'.
2. Create namespace 'foo'.
3. Be configured in a downstream OpenShift cluster where permissions for imagestreams are locked down per namespace.
4. Tag and push the APB image to the internal registry under namespace 'foo'.
5. Try to provision the APB.

Actual results:
The APB gets ErrImgPull errors because it cannot find the images outside of the transient namespace.

Expected results:
The APB is not displayed in the service catalog for this user.

Additional info:
Relevant discussion in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1507111

Comment 2 Shawn Hurley 2018-01-02 20:31:53 UTC
Bug has been changed: https://github.com/openshift/ansible-service-broker/pull/607

Comment 5 Dylan Murray 2018-01-18 13:59:24 UTC
Shawn and Zhang,

Yeah this warning should be sufficient. Ideally we revisit this and add some intelligence to check if the images can be pulled from our service account and blacklist images which are not. This at least gives the cluster-admin an idea of what's going wrong so they can open up the images from the target namespace. Hope that helps.
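
As an added example (not code from the broker or from the linked PR), the kind of check Comment 5 describes, done from the cluster-admin side with oc: list the imagestreams in the adapter's namespace and report the ones the APB's transient service account cannot pull. The namespace 'foo' and the service-account name are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the broker or its PR. Reports which imagestreams
# in the local registry adapter's namespace a given service account cannot
# pull, which is the failure behind the ErrImgPull seen when the adapter is
# pointed at a namespace other than 'openshift'.
# Assumes: 'oc' is logged in with cluster-admin rights; NS (e.g. foo) and
# SA ("<namespace>:<serviceaccount>", the APB's transient service account)
# are passed in by the caller; both names are placeholders.

# can_pull NS SA NAME -> exit 0 when SA may read the layers of NS/NAME.
# Pulling from the internal registry needs 'get' on imagestreams/layers,
# which is exactly what the system:image-puller role grants.
can_pull() {
  oc auth can-i get "imagestreams/$3" --subresource=layers \
    -n "$1" --as="system:serviceaccount:$2" >/dev/null 2>&1
}

# report_unpullable NS SA -> prints one WARNING line per imagestream in NS
# that SA cannot pull; returns 1 if any were found, 0 otherwise.
report_unpullable() {
  ns=$1; sa=$2; bad=0
  for is in $(oc get imagestreams -n "$ns" -o name); do
    name=${is##*/}   # strip the "imagestream.image.openshift.io/" prefix
    if can_pull "$ns" "$sa" "$name"; then
      continue
    fi
    echo "WARNING: system:serviceaccount:$sa cannot pull $ns/$name"
    bad=1
  done
  return $bad
}

# grant_pull NS SA -> the fix a cluster-admin would apply: let this SA pull
# any image in NS. Narrower than opening NS to system:authenticated, which
# is what makes the 'openshift' namespace work for every user.
grant_pull() {
  oc policy add-role-to-user system:image-puller \
    "system:serviceaccount:$2" -n "$1"
}

if [ $# -ge 2 ]; then
  report_unpullable "$1" "$2"
fi
```

Run it as `sh check-apb-pull.sh foo <apb-namespace>:<apb-serviceaccount>`; it only reports, and `grant_pull` is left for the admin to call deliberately.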

Comment 6 Zhang Cheng 2018-01-19 03:12:55 UTC
Agree, if you also think there is no need to block displaying the clusterserviceclass both in the backend and in the web console in this situation (having the warning is enough).

Please move status to ON_QA. Thanks.

Comment 7 Zhang Cheng 2018-01-20 14:31:36 UTC
Based on Comment 3 and Comment 5, changing status to Verified.

Comment 9 errata-xmlrpc 2018-06-27 18:01:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2013