Description of problem:
When attaching to a running pod with project admin, there is error information, but cluster-admin could attach to the pod under this project successfully.

Version-Release number of selected component (if applicable):
oc v1.0.5-89-gc9008aa
kubernetes v1.1.0-alpha.0-1605-g44c91b1

How reproducible:
Always

Steps to Reproduce:
1. Create a new project with user 'yapei'
$ oc new-project test3
Now using project "test3" on server "https://localhost:8443".

2. Create some resources using templates
$ oc process -f https://raw.githubusercontent.com/openshift/origin/master/examples/sample-app/application-template-stibuild.json | oc create -f -
service "frontend" created
route "route-edge" created
imagestream "origin-ruby-sample" created
imagestream "ruby-20-centos7" created
buildconfig "ruby-sample-build" created
deploymentconfig "frontend" created
service "database" created
deploymentconfig "database" created

3. Check pod status
$ oc get pods
NAME                        READY     STATUS       RESTARTS   AGE
database-1-qvxyn            1/1       Running      0          16m
frontend-1-36swm            1/1       Running      0          14m
frontend-1-ws7hv            1/1       Running      0          14m
ruby-sample-build-1-build   0/1       ExitCode:0   0          17m

4. Check the user
$ oc whoami
yapei

5. Run 'oc attach' command with user 'yapei'
$ oc attach database-1-qvxyn

6. Logged out as 'yapei' and run 'oc attach' with cluster-admin
$ oc logout
Logged "yapei" out on "https://localhost:8443"
$ oc attach database-1-qvxyn -n test3 --config=openshift.local.config/master/admin.kubeconfig
Running mysql_install_db ...
Installing MySQL system tables...
OK
Filling help tables...
OK
PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
scl enable mysql55 -- /opt/rh/mysql55/root/usr/bin/mysqladmin -u root password 'new-password'
scl enable mysql55 -- /opt/rh/mysql55/root/usr/bin/mysqladmin -u root -h database-1-qvxyn password 'new-password'
Alternatively you can run:
scl enable mysql55 -- /opt/rh/mysql55/root/usr/bin/mysql_secure_installation
which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.
See the manual for more instructions.
You can start the MySQL daemon with:
systemctl start mysql55-mysqld
You can test the MySQL daemon with mysql-test-run.pl after installing mysql55-mysql-test package.
See /opt/rh/mysql55/root/usr/share/mysql-test/README for instructions.
Please report any problems at http://bugs.mysql.com/
Starting local mysqld server ...
Waiting for MySQL to start ...
150831 7:29:02 [Warning] One can only use the --user switch if running as root
150831 7:29:02 [Note] Plugin 'FEDERATED' is disabled.
150831 7:29:02 InnoDB: The InnoDB memory heap is disabled
150831 7:29:02 InnoDB: Mutexes and rw_locks use GCC atomic builtins
150831 7:29:02 InnoDB: Compressed tables use zlib 1.2.7
150831 7:29:02 InnoDB: Using Linux native AIO
........

7. For other 'oc attach' commands which carry more parameters, the same error information is displayed for cluster-admin and normal project admin. This issue had been reported in BUG -1257889, it's about taking the wrong parameter
$ oc attach database-1-qvxyn date -n test3 --config=openshift.local.config/master/admin.kubeconfig
error: expected a single argument: POD, saw 2: [database-1-qvxyn date]
see 'oc attach -h' for help.
$ oc attach database-1-qvxyn date
error: expected a single argument: POD, saw 2: [database-1-qvxyn date]
see 'oc attach -h' for help.

Actual results:
step5: Error from server: User "yapei" cannot create pods/attach in project "test3"

Expected results:
step5: Should run 'oc attach' successfully since yapei is already the admin of project test3. At the same time, should give a proper message about failure.

Additional info:
When the --attach option is carried in 'oc run', there is error info indicating "not implemented"
$ oc run nginx --image=nginx --attach=true.
error: cannot attach to DeploymentConfig: not implemented
Need to add "pods/attach" to policy.
Might need to protect pods/attach the same way we protect pods/exec.
Need to update long running regular expression to include attach.
Also need changes from https://github.com/kubernetes/kubernetes/pull/13705
Project admin permission fixed in https://github.com/openshift/origin/pull/4587
Moving to ON_QA, spawned https://bugzilla.redhat.com/show_bug.cgi?id=1261548 for the `oc run --attach` bug
Verified on devenv-fedora_2314, project admin & edit role could run oc attach successfully now.
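
The comment above about adding "pods/attach" to policy the same way as pods/exec, as an added example that is not part of this bug thread or OpenShift's own code: it parses the denial message from step 5 and flags roles that grant create on pods/exec but not on pods/attach. The rule contents of each role and the verbs/resources rule shape are constructed assumptions, not the project's actual bootstrap policy.

```python
import re

# Denial message quoted from the bug report (step 5, actual results).
DENIAL = 'Error from server: User "yapei" cannot create pods/attach in project "test3"'

# Constructed sample roles (assumption): simplified verbs/resources rules,
# not OpenShift's real bootstrap policy.
ROLES = {
    "cluster-admin": [{"verbs": ["*"], "resources": ["*"]}],
    "admin": [
        {"verbs": ["get", "list", "watch", "create", "delete"], "resources": ["pods"]},
        {"verbs": ["create"], "resources": ["pods/exec"]},
    ],
    "edit": [{"verbs": ["create"], "resources": ["pods/exec", "pods/attach"]}],
    "view": [{"verbs": ["get", "list", "watch"], "resources": ["pods"]}],
}

_DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) (?P<resource>\S+) '
    r'in project "(?P<project>[^"]+)"'
)

def parse_denial(message):
    """Extract user, verb, resource and project from a denial message."""
    m = _DENIAL_RE.search(message)
    return m.groupdict() if m else None

def allows(rules, verb, resource):
    """True if any rule grants verb on resource ('*' is a wildcard).
    Subresources are matched by exact name in this model: a grant on
    'pods' does not cover 'pods/attach'."""
    return any(
        (verb in r["verbs"] or "*" in r["verbs"])
        and (resource in r["resources"] or "*" in r["resources"])
        for r in rules
    )

def parity_gaps(roles, verb="create", have="pods/exec", want="pods/attach"):
    """Roles that grant `verb` on `have` but not on `want`."""
    return sorted(
        name for name, rules in roles.items()
        if allows(rules, verb, have) and not allows(rules, verb, want)
    )

if __name__ == "__main__":
    denied = parse_denial(DENIAL)
    print(denied)
    print("roles missing", denied["resource"], ":",
          parity_gaps(ROLES, denied["verb"], want=denied["resource"]))
```
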