Bug 1275002 - when projects are created "admin" role is not associated with actions like "create pod"
Status: CLOSED NOTABUG
Product: OpenShift Container Platform
Classification: Red Hat
Component: Pod
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Assigned To: David Eads
QA Contact: Jianwei Hou
Reported: 2015-10-24 14:48 EDT by Erik M Jacobs
Modified: 2015-10-27 01:18 EDT (History)
Doc Type: Bug Fix
Last Closed: 2015-10-27 01:18:22 EDT
Type: Bug
Description Erik M Jacobs 2015-10-24 14:48:01 EDT
[joe@ose3-master ~]$ oc version
oc v3.0.2.903
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4

atomic-openshift-3.0.2.903-0.git.0.a4ff36b.el7aos.x86_64
atomic-openshift-clients-3.0.2.903-0.git.0.a4ff36b.el7aos.x86_64
atomic-openshift-master-3.0.2.903-0.git.0.a4ff36b.el7aos.x86_64
atomic-openshift-node-3.0.2.903-0.git.0.a4ff36b.el7aos.x86_64
atomic-openshift-sdn-ovs-3.0.2.903-0.git.0.a4ff36b.el7aos.x86_64
tuned-profiles-atomic-openshift-node-3.0.2.903-0.git.0.a4ff36b.el7aos.x86_64

[joe@ose3-master ~]$ oc new-project demo --display-name='OpenShift 3 Demo' --description='This is the first demo project with OpenShift v3'
Now using project "demo" on server "https://ose3-master.example.com:8443".
[joe@ose3-master ~]$ oadm policy who-can create pod
Namespace: demo
Verb:      create
Resource:  pod

Users:  none

Groups: system:cluster-admins
        system:masters

master config:

apiLevels:
- v1beta3
- v1
apiVersion: v1
assetConfig:
  logoutURL: ""
  masterPublicURL: https://ose3-master.example.com:8443
  publicURL: https://ose3-master.example.com:8443/console/
  servingInfo:
    bindAddress: 0.0.0.0:8443
    certFile: master.server.crt
    clientCA: ""
    keyFile: master.server.key
    maxRequestsInFlight: 0
    requestTimeoutSeconds: 0
corsAllowedOrigins:
  - 127.0.0.1
  - localhost
  - ose3-master.example.com
  - 192.168.133.2
  - ose3-master.example.com
  - 192.168.133.2
dnsConfig:
  bindAddress: 0.0.0.0:53
etcdClientInfo:
  ca: ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key
  urls:
    - https://ose3-master.example.com:4001
etcdConfig:
  address: ose3-master.example.com:4001
  peerAddress: ose3-master.example.com:7001
  peerServingInfo:
    bindAddress: 0.0.0.0:7001
    certFile: etcd.server.crt
    clientCA: ca.crt
    keyFile: etcd.server.key
  servingInfo:
    bindAddress: 0.0.0.0:4001
    certFile: etcd.server.crt
    clientCA: ca.crt
    keyFile: etcd.server.key
  storageDirectory: /var/lib/origin/openshift.local.etcd
etcdStorageConfig:
  kubernetesStoragePrefix: kubernetes.io
  kubernetesStorageVersion: v1
  openShiftStoragePrefix: openshift.io
  openShiftStorageVersion: v1
imageConfig:
  format: openshift3/ose-${component}:${version}
  latest: false
kind: MasterConfig
kubeletClientInfo:
  ca: ca.crt
  certFile: master.kubelet-client.crt
  keyFile: master.kubelet-client.key
  port: 10250
kubernetesMasterConfig:
  apiLevels:
  - v1beta3
  - v1
  apiServerArguments: null
  controllerArguments: null
  masterCount: 1
  masterIP: ""
  podEvictionTimeout: ""
  schedulerConfigFile: /etc/origin/master/scheduler.json
  servicesNodePortRange: ""
  servicesSubnet: 172.30.0.0/16
  staticNodeNames: []
masterClients:
  externalKubernetesKubeConfig: ""
  openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: https://ose3-master.example.com:8443
networkConfig:
  clusterNetworkCIDR: 10.1.0.0/16
  hostSubnetLength: 8
  networkPluginName: redhat/openshift-ovs-subnet
# serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet
  serviceNetworkCIDR: 172.30.0.0/16
oauthConfig:
  assetPublicURL: https://ose3-master.example.com:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - name: htpasswd_auth
    challenge: true
    login: true
    provider:
      apiVersion: v1
      kind: HTPasswdPasswordIdentityProvider
      file: /etc/origin/openshift-passwd
  masterCA: ca.crt
  masterPublicURL: https://ose3-master.example.com:8443
  masterURL: https://ose3-master.example.com:8443
  sessionConfig:
    sessionMaxAgeSeconds: 3600
    sessionName: ssn
    sessionSecretsFile: 
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 500
policyConfig:
  bootstrapPolicyFile: /etc/origin/master/policy.json
  openshiftInfrastructureNamespace: openshift-infra
  openshiftSharedResourcesNamespace: openshift
projectConfig:
  defaultNodeSelector: "region=primary"
  projectRequestMessage: ""
  projectRequestTemplate: ""
  securityAllocator:
    mcsAllocatorRange: s0:/2
    mcsLabelsPerProject: 5
    uidAllocatorRange: 1000000000-1999999999/10000
routingConfig:
  subdomain:  "cloudapps.example.com"
serviceAccountConfig:
  managedNames:
  - default
  - builder
  - deployer
  masterCA: ca.crt
  privateKeyFile: serviceaccounts.private.key
  publicKeyFiles:
  - serviceaccounts.public.key
servingInfo:
  bindAddress: 0.0.0.0:8443
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600
Comment 1 Erik M Jacobs 2015-10-24 14:53:42 EDT
OK, not entirely true:

oc describe policyBindings :default -n demo
Name:                                   :default
Created:                                About a minute ago
Labels:                                 <none>
Last Modified:                          2015-10-24 14:51:45 -0400 EDT
Policy:                                 <none>
RoleBinding[admins]:                     
                                        Role:                   admin
                                        Users:                  joe
                                        Groups:                 <none>
                                        ServiceAccounts:        <none>
                                        Subjects:               <none>
RoleBinding[system:deployers]:           
                                        Role:                   system:deployer
                                        Users:                  <none>
                                        Groups:                 <none>
                                        ServiceAccounts:        deployer
                                        Subjects:               <none>
RoleBinding[system:image-builders]:      
                                        Role:                   system:image-builder
                                        Users:                  <none>
                                        Groups:                 <none>
                                        ServiceAccounts:        builder
                                        Subjects:               <none>
RoleBinding[system:image-pullers]:       
                                        Role:                   system:image-puller
                                        Users:                  <none>
                                        Groups:                 system:serviceaccounts:demo
                                        ServiceAccounts:        <none>
                                        Subjects:               <none>


But still strange that "admins" can't create pods...?
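Added example, not code from the report or from OpenShift: a small Python check that parses the two outputs shown above (`oadm policy who-can create pod` and `oc describe policyBindings :default`) and lists users who hold the admin role binding in the project but do not appear in who-can's Users list, which is the discrepancy described here. The sample text is constructed from the report, and the function names are my own.

```python
# Constructed sample, taken from the report above (not live cluster output).
WHO_CAN_OUTPUT = """\
Resource:  pod

Users:  none

Groups: system:cluster-admins
        system:masters
"""
POLICY_BINDINGS_OUTPUT = """\
RoleBinding[admins]:
                       Role:             admin
                       Users:            joe
                       Groups:           <none>
RoleBinding[system:image-pullers]:
                       Role:             system:image-puller
                       Users:            <none>
                       Groups:           system:serviceaccounts:demo
"""

def _names(value):
    """Turn 'joe, bob', 'none' or '<none>' into a set of names."""
    value = value.strip()
    return set() if value in ("", "none", "<none>") else {v.strip() for v in value.split(",")}

def who_can_users(text):
    """Users named directly (not via groups) in `oadm policy who-can` output."""
    users, collecting = set(), False
    for line in text.splitlines():
        if line.startswith("Users:"):
            users |= _names(line[len("Users:"):])
            collecting = True
        elif collecting and line[:1].isspace() and line.strip():
            users |= _names(line)  # continuation line, like the second Groups entry
        else:
            collecting = False
    return users

def users_bound_to_role(text, role):
    """Users granted `role` by any RoleBinding in `oc describe policyBindings` output."""
    users, current_role = set(), None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key.startswith("RoleBinding["):
            current_role = None          # a new binding block starts here
        elif key == "Role":
            current_role = value.strip()
        elif key == "Users" and current_role == role:
            users |= _names(value)
    return users

def missing_from_who_can(who_can_text, bindings_text, role="admin"):
    """Users holding `role` in the project but absent from who-can's Users list."""
    return sorted(users_bound_to_role(bindings_text, role) - who_can_users(who_can_text))
```

The check compares direct user bindings only: a user granted admin through a group shows up under Groups in who-can, not under Users, so feed it the live output of both commands for the project under review and treat a non-empty result as something to investigate.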
Comment 3 Erik M Jacobs 2015-10-24 14:58:28 EDT
OK... not sure what's going on. At one point I wasn't able to create a pod as joe... but now I can. So this may not be reproducible...
Comment 4 David Eads 2015-10-26 08:55:39 EDT
Are you able to reproduce this problem?  With the steps you gave, I seem to be able to reliably create pods as the guy who created the project.
Comment 5 Erik M Jacobs 2015-10-27 01:18:22 EDT
I don't know what I did but whatever I did I couldn't reproduce it. I'll close for now and reopen if I figure out how to reproduce it.
