Bug 1326281 - should create service account at same time or give a prompt if the specified sa is not exist when creating ipfailover pod
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 3.2.0
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: jtanenba
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-04-12 10:36 UTC by zhaozhanqi
Modified: 2016-09-27 09:37 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-27 09:37:37 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1933 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.3 Release Advisory 2016-09-27 13:24:36 UTC
Github openshift origin pull 9618 None None None 2016-08-17 20:13:03 UTC

Description zhaozhanqi 2016-04-12 10:36:24 UTC
Description of problem:
Should create the service account when creating the ipfailover pod if the specified service account does not exist, or at least give an error message like "your specified service account is not exist".

For now, if the service account does not exist or has not been added to the privileged SCC, the ipfailover pod can be deployed but cannot be created on the node.

Version-Release number of selected component (if applicable):
# openshift version
openshift v3.2.0.14
kubernetes v1.2.0-36-g4a3f9c5
etcd 2.2.5


How reproducible:
always

Steps to Reproduce:
1. Create an ipfailover pod using a non-existent service account
  oadm ipfailover ipf2  --virtual-ips="10.66.127.100-101" --credentials=/etc/origin/master/openshift-router.kubeconfig --replicas=2 -w 1936 --service-account=non-exist --images='brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-${component}:${version}' --create


Actual results:

Step 1 will show "deploymentconfig "ipf2" created", but the ipfailover pod cannot be created since this service account has no privileged SCC.

Expected results:
1. OpenShift can create the service account at the same time if the one the user specified does not exist.
2. If the service account has not been added to the privileged SCC, it should also give a prompt message.

Additional info:

Comment 1 jtanenba 2016-08-10 17:38:20 UTC
https://github.com/openshift/origin/pull/9618

Comment 2 Troy Dawson 2016-08-19 21:26:11 UTC
This has been merged into ose and is in OSE v3.3.0.23 or newer.

Comment 4 zhaozhanqi 2016-08-22 06:00:09 UTC
Verified this bug on v3.3.0.23

# oadm ipfailover ipf --create --virtual-ips=10.66.137.100-101 --replicas=2 -w 80  --images='brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-keepalived-ipfailover:v3.3.0.23'
error: ipfailover could not be created; service account "ipfailover" does not have sufficient privileges, grant access with oadm policy add-scc-to-user privileged -z ipfailover
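
A pre-flight check for the failure described in this report, as an added example that is not part of the bug report or of the OpenShift code: it confirms that the service account exists and is listed in the privileged SCC before `oadm ipfailover` is run. The function names are hypothetical, and it assumes a logged-in `oc` client with cluster-admin rights and that access is granted through the SCC's direct `users` list.

```shell
#!/bin/sh
# Pre-flight check for `oadm ipfailover --service-account=NAME`.
# Assumptions (not from the bug report): `oc` is logged in as a cluster
# admin, and SCC access is granted through the SCC's direct `users` list
# (access inherited from a group entry is not checked here).

# sa_exists NAMESPACE NAME -> 0 if the service account object exists.
sa_exists() {
    oc get serviceaccount "$2" -n "$1" >/dev/null 2>&1
}

# sa_in_privileged_scc NAMESPACE NAME -> 0 if the privileged SCC lists
# system:serviceaccount:NAMESPACE:NAME among its users.
sa_in_privileged_scc() {
    want="system:serviceaccount:$1:$2"
    # jsonpath prints the users space-separated; compare whole tokens so
    # "ipfailover" does not match "ipfailover2".
    for user in $(oc get scc privileged -o jsonpath='{.users[*]}' 2>/dev/null); do
        [ "$user" = "$want" ] && return 0
    done
    return 1
}

# ipfailover_preflight NAMESPACE NAME
#   returns 0 if both checks pass, 1 if the service account is missing,
#   2 if it exists but is not in the privileged SCC.
ipfailover_preflight() {
    if ! sa_exists "$1" "$2"; then
        echo "service account \"$2\" does not exist in namespace \"$1\"" >&2
        return 1
    fi
    if ! sa_in_privileged_scc "$1" "$2"; then
        echo "service account \"$2\" is not in the privileged SCC" >&2
        echo "grant access with: oadm policy add-scc-to-user privileged -z $2" >&2
        return 2
    fi
    return 0
}

# Usage: ipfailover_preflight default ipfailover && oadm ipfailover ... --create
```

The distinct return codes separate the two cases the report asks to be surfaced: a missing service account and a service account without the privileged SCC.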

Comment 6 errata-xmlrpc 2016-09-27 09:37:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933

