Created attachment 1141151 [details]
deployer_pod_log

Problem description:
Got an error when creating the logging-elasticsearch secret in the logging deployer pod with the latest images. Error message:

Creating secrets
+ :
+ echo 'Creating secrets'
+ oc secrets new logging-elasticsearch key=/etc/deploy/keystore.jks truststore=/etc/deploy/truststore.jks searchguard.key=/etc/deploy/searchguard_node_key.key admin-key=/etc/deploy/system.admin.key admin-cert=/etc/deploy/system.admin.crt admin-ca=/etc/deploy/ca.crt
Error from server: User "system:serviceaccount:logging:logging-deployer" cannot create secrets in project "default"

Version-Release number of selected component (if applicable):
brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/logging-deployment   latest   b141364bfe06   16 hours ago   598.3 MB

How reproducible:
Always

Steps to Reproduce:
1. Log in to OpenShift and create a project:
oc new-project logging

2. Create the supporting service account and deployer secrets:
oc create -f - <<API
apiVersion: v1
kind: ServiceAccount
metadata:
  name: logging-deployer
secrets:
- name: logging-deployer
API
oc secrets new logging-deployer nothing=/dev/null
oc policy add-role-to-user edit system:serviceaccount:logging:logging-deployer
#Note: need 'cluster-admin' role to run below commands
oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:logging:aggregated-logging-fluentd
oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:logging:aggregated-logging-fluentd

3. Run the deployer:
wget https://raw.githubusercontent.com/openshift/origin-aggregated-logging/master/deployment/deployer.yaml
oc process -f deployer.yaml -v IMAGE_PREFIX=${image_prefix},\
KIBANA_HOSTNAME=${kibana_route},\
PUBLIC_MASTER_URL=https://${master_dns}:8443,\
ES_INSTANCE_RAM=1024M,\
ES_CLUSTER_SIZE=1,\
| oc create -f -

4. Check the deployer pod status.

Actual Result:
Deployer pod failed with this error:
# oc get po -n logging
NAME                     READY     STATUS    RESTARTS   AGE
logging-deployer-m8fa1   0/1       Error     0          40m
# oc logs -f logging-deployer-vbo0t -n !$
...
Creating secrets
+ :
+ echo 'Creating secrets'
+ oc secrets new logging-elasticsearch key=/etc/deploy/keystore.jks truststore=/etc/deploy/truststore.jks searchguard.key=/etc/deploy/searchguard_node_key.key admin-key=/etc/deploy/system.admin.key admin-cert=/etc/deploy/system.admin.crt admin-ca=/etc/deploy/ca.crt
Error from server: User "system:serviceaccount:logging:logging-deployer" cannot create secrets in project "default"

Expected Result:
Deployer pod should complete successfully.

Additional info:
Full log attached.
Hi Eric,

Yes, I have the secret 'logging-deployer' in the logging project:
# oc get secret -n logging | grep logging-deployer
logging-deployer                   Opaque                                1         41m
logging-deployer-dockercfg-yzef7   kubernetes.io/dockercfg               1         40m
logging-deployer-token-26ccs       kubernetes.io/service-account-token   3         40m
logging-deployer-token-eqi1t       kubernetes.io/service-account-token   3         40m

I apologize for pasting inconsistent pod names in the bug report; it's my mistake. I did all operations against the logging project, and I was not working with the default project. The description in the "Actual Result" part should be:
$ oc get po -n logging
NAME                     READY     STATUS    RESTARTS   AGE
logging-deployer-go1if   0/1       Error     0          31m
$ oc logs -f logging-deployer-go1if -n logging
<--snip-->
Creating secrets
+ :
+ echo 'Creating secrets'
+ oc secrets new logging-elasticsearch key=/etc/deploy/keystore.jks truststore=/etc/deploy/truststore.jks searchguard.key=/etc/deploy/searchguard_node_key.key admin-key=/etc/deploy/system.admin.key admin-cert=/etc/deploy/system.admin.crt admin-ca=/etc/deploy/ca.crt
Error from server: User "system:serviceaccount:xiazhao:logging-deployer" cannot create secrets in project "default"

After doing "oadm policy add-role-to-user cluster-admin system:serviceaccount:logging:logging-deployer" on the master machine, the logging deployer can complete successfully. So this seemed like the same doc issue as https://bugzilla.redhat.com/show_bug.cgi?id=1321533; please feel free to set the status to ON_QA, and I will close it then.
Set to verified according to comment #2. Thank you for your time spent here, Eric.
No, we shouldn't be giving cluster-admin to the deployer. The deployer should only need "edit" on the project. I think the problem here was that you were getting the "latest" image, which happened to be the pre-release 3.1.1 with the problem in https://bugzilla.redhat.com/show_bug.cgi?id=1322245. In testing you'll probably want to be specific about the version of the deployer. I just built a new version of the deployer, 3.2.0-4; can you verify that specifically is working?
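The denial quoted in this bug carries the information needed to tell the two situations apart: it names the namespace the service account belongs to (system:serviceaccount:logging:...) and the project the request was actually made against ("default"). When those differ, no role binding in the intended project can be the right fix; only when they match is the service account really missing "edit". The following shell function makes that check against deployer log text. It is an added example, not part of this bug report or of the origin-aggregated-logging project; the function name, its output labels and the log excerpts are constructed for illustration, modelled on the log quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report or origin-aggregated-logging).
# Triage the "cannot create secrets" denial in a logging deployer pod log by
# comparing the project named in the error with the project the deployer
# was launched in. The same error text covers two different failures:
#   - projects differ: the deployer is acting against the wrong namespace
#     (what the pre-release "latest" image did in this bug); granting roles
#     in the intended project cannot fix that properly;
#   - projects match: the service account really lacks "edit" there.
# Granting cluster-admin hides both, which is why it is the wrong fix.

# classify_secret_error <project-the-deployer-was-created-in> <log-text>
# Prints one of:
#   no-error | wrong-project:<project-in-error> | missing-role:<sa-namespace>
classify_secret_error() {
    expected=$1
    log=$2
    # First RBAC denial about secrets, if any ("|| true" keeps a missing
    # match from tripping "set -e" in callers).
    line=$(printf '%s\n' "$log" | grep -m1 'cannot create secrets in project' || true)
    if [ -z "$line" ]; then
        echo no-error
        return 0
    fi
    # Project the request went to: the quoted word after 'in project'.
    target=$(printf '%s\n' "$line" | sed -n 's/.*in project "\([^"]*\)".*/\1/p')
    # Namespace the service account lives in: system:serviceaccount:<ns>:<name>.
    sa_ns=$(printf '%s\n' "$line" | sed -n 's/.*"system:serviceaccount:\([^:]*\):[^"]*".*/\1/p')
    if [ "$target" != "$expected" ]; then
        echo "wrong-project:$target"
    else
        echo "missing-role:$sa_ns"
    fi
}

# Constructed log excerpts (not real pod output), modelled on the one in this bug.
LOG_WRONG_PROJECT=$(cat <<'EOF'
Creating secrets
+ :
+ echo 'Creating secrets'
+ oc secrets new logging-elasticsearch key=/etc/deploy/keystore.jks truststore=/etc/deploy/truststore.jks
Error from server: User "system:serviceaccount:logging:logging-deployer" cannot create secrets in project "default"
EOF
)

LOG_MISSING_ROLE=$(cat <<'EOF'
Creating secrets
+ oc secrets new logging-elasticsearch key=/etc/deploy/keystore.jks
Error from server: User "system:serviceaccount:logging:logging-deployer" cannot create secrets in project "logging"
EOF
)

LOG_OK=$(cat <<'EOF'
Creating secrets
+ oc secrets new logging-elasticsearch key=/etc/deploy/keystore.jks
EOF
)

classify_secret_error logging "$LOG_WRONG_PROJECT"   # wrong-project:default
classify_secret_error logging "$LOG_MISSING_ROLE"    # missing-role:logging
classify_secret_error logging "$LOG_OK"              # no-error
```

For a "missing-role" result the least-privilege fix is the one already in the reproduction steps, `oc policy add-role-to-user edit system:serviceaccount:logging:logging-deployer`; for a "wrong-project" result the thing to change is the deployer image version, not the service account's roles.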
Changed back to giving the edit role to the service account:
oc policy add-role-to-user edit system:serviceaccount:logging:logging-deployer

Tested with deployer image 3.2.0-4; it's fixed. Thanks Luke.
Closing this bug as it was fixed before release.