Description of problem:
Have run ansible installation with the following related to router:

# OpenShift Router Options
#
# An OpenShift router will be created during install if there are
# nodes present with labels matching the default router selector,
# "region=infra". Set openshift_node_labels per node as needed in
# order to label nodes.
#
# Example:
# [nodes]
# node.example.com openshift_node_labels="{'region': 'infra'}"
#
# Router selector (optional)
# Router will only be created if nodes matching this label are present.
# Default value: 'region=infra'
openshift_hosted_router_selector='region=infra'
#
# Router replicas (optional)
# Unless specified, openshift-ansible will calculate the replica count
# based on the number of nodes matching the openshift router selector.
openshift_hosted_router_replicas=1
#
# Router force subdomain (optional)
# A router path format to force on all routes used by this router
# (will ignore the route host value)
#openshift_hosted_router_force_subdomain='${name}-${namespace}.apps.example.com'
#
# Router certificate (optional)
# Provide local certificate paths which will be configured as the
# router's default certificate.
#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"}
#
# Disable management of the OpenShift Router
#openshift_hosted_manage_router=false

Router has been deployed but in logs there were lots of messages:

E0930 04:52:25.694754 1 reflector.go:203] github.com/openshift/origin/pkg/router/template/service_lookup.go:30: Failed to list *api.Service: User "system:serviceaccount:default:router" cannot list all services in the cluster
E0930 04:52:26.698282 1 reflector.go:203] github.com/openshift/origin/pkg/router/template/service_lookup.go:30: Failed to list *api.Service: User "system:serviceaccount:default:router" cannot list all services in the cluster
E0930 04:52:27.701666 1 reflector.go:203] github.com/openshift/origin/pkg/router/template/service_lookup.go:30: Failed to list *api.Service: User "system:serviceaccount:default:router" cannot list all services in the cluster

To stop this from being logged I have to update clusterrole adding services to a list of resources:

oc edit clusterrole

...
- apiVersion: v1
  kind: ClusterRole
  metadata:
    creationTimestamp: 2016-09-30T06:54:24Z
    name: system:router
    resourceVersion: "672"
    selfLink: /oapi/v1/clusterroles/system:router
    uid: b92dbade-86da-11e6-a72b-001a4a223a2b
  rules:
  - apiGroups:
    - ""
    attributeRestrictions: null
    resources:
    - endpoints
    - routes
    - services
    verbs:
    - list
    - watch
  - apiGroups:
    - ""
    attributeRestrictions: null
    resources:
    - routes/status
    verbs:
    - update
...

Version-Release number of selected component (if applicable):
3.3

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Does this seem to actually create any problems?
It looks like the service fetching was added to support idling mechanics. Solly, can you comment on the impact here?
It should just prevent using unidling, and log messages. The router should continue to work fine for "normal" operation. The policy *should* also be part of the default cluster policy. Did the default policy not include allowing the router to list services?
We need a 'more permissive' router service account to support the F5 integration (it needs access to nodes). Rajat, Solly, can we work out one policy here?
default router role already allows listing/watching services
And listing/watching nodes (to address eparis' comment)

Yet the tests are sometimes flaking with:

Oct 28 14:12:54 ip-172-18-15-109.ec2.internal dockerd-current[2180]: E1028 18:12:54.208082 1 reflector.go:203] github.com/openshift/origin/pkg/router/template/service_lookup.go:30: Failed to list *api.Service: User "system:serviceaccount:extended-test-scoped-router-j2yjk-6fq93:default" cannot list all services in the cluster

Despite that test case doing:

err := oc.AsAdmin().Run("policy").Args("add-role-to-user", "system:router", oc.Username()).Execute()
Ah, should have been add-cluster-role-to-user. Rajat has posted a PR to fix it.
Can't be modified until we merge.
Verified this bug on

openshift v3.4.0.21+ca4702d
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0

  name: system:router
  resourceVersion: "40"
  selfLink: /oapi/v1/clusterroles/system:router
  uid: 7bbe1231-a249-11e6-bd71-42010af00003
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - endpoints
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - services
  verbs:
  - list
  - watch
- apiGroups:
The bug is fixed. Needinfo cleared. The earlier policy was not cluster wide, hence the errors.
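The two failure modes discussed in this thread (the role missing the "services" grant in the original report, and a namespaced RoleBinding created by add-role-to-user where a ClusterRoleBinding was needed) can be told apart from the router's log line plus the policy objects. The following is an added illustration, not OpenShift code and not a bug-tracker attachment: a toy model of the RBAC scope decision that parses the "cannot list all services in the cluster" message and reports which of the two problems applies. The "before" rule set (system:router without "services"), the Binding class and the ROUTER_NEEDS list are assumptions constructed for the example; the rule set labelled "fixed" is the ClusterRole as edited in the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# system:router rules as edited in the report (with "services" added).
ROUTER_RULES_FIXED = [
    {"apiGroups": [""], "resources": ["endpoints", "routes", "services"], "verbs": ["list", "watch"]},
    {"apiGroups": [""], "resources": ["routes/status"], "verbs": ["update"]},
]
# Assumed "before" state reconstructed from the report: same role without "services".
ROUTER_RULES_BEFORE = [
    {"apiGroups": [""], "resources": ["endpoints", "routes"], "verbs": ["list", "watch"]},
    {"apiGroups": [""], "resources": ["routes/status"], "verbs": ["update"]},
]
# Verb/resource pairs the router is assumed to need (constructed from the role above).
ROUTER_NEEDS = [("list", "endpoints"), ("watch", "endpoints"), ("list", "routes"), ("watch", "routes"),
                ("list", "services"), ("watch", "services"), ("update", "routes/status")]

# Log lines quoted in the report and in the later comment about the flaking test.
LOG_REPORT = ('E0930 04:52:25.694754 1 reflector.go:203] github.com/openshift/origin/pkg/router/template/'
              'service_lookup.go:30: Failed to list *api.Service: User "system:serviceaccount:default:router" '
              'cannot list all services in the cluster')
LOG_TEST = ('E1028 18:12:54.208082 1 reflector.go:203] github.com/openshift/origin/pkg/router/template/'
            'service_lookup.go:30: Failed to list *api.Service: User '
            '"system:serviceaccount:extended-test-scoped-router-j2yjk-6fq93:default" '
            'cannot list all services in the cluster')

# Matches the authorizer's forbidden message for a cluster-wide (all namespaces) request.
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) all (?P<resource>[\w/]+) in the cluster')


def parse_forbidden(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (sa_namespace, sa_name, verb, resource) from a forbidden log line, or None."""
    m = FORBIDDEN_RE.search(line)
    return None if m is None else (m.group("ns"), m.group("sa"), m.group("verb"), m.group("resource"))


@dataclass(frozen=True)
class Binding:
    role: str
    subject: str
    namespace: Optional[str]  # None models a ClusterRoleBinding; a name models a RoleBinding in that namespace


def rule_allows(rule: dict, verb: str, resource: str, api_group: str = "") -> bool:
    def match(values: List[str], wanted: str) -> bool:
        return "*" in values or wanted in values
    return match(rule["apiGroups"], api_group) and match(rule["resources"], resource) and match(rule["verbs"], verb)


def is_allowed(roles: Dict[str, List[dict]], bindings: List[Binding], subject: str,
               verb: str, resource: str, namespace: Optional[str] = None) -> bool:
    """namespace=None is a cluster-wide request: only cluster-scoped bindings can satisfy it."""
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # a RoleBinding only counts inside its own namespace
        if any(rule_allows(r, verb, resource) for r in roles.get(b.role, [])):
            return True
    return False


def missing_grants(rules: List[dict], required: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Verb/resource pairs in `required` that no rule of the role grants."""
    return [(v, r) for v, r in required if not any(rule_allows(rule, v, r) for rule in rules)]


def diagnose(line: str, roles: Dict[str, List[dict]], bindings: List[Binding]) -> str:
    """Classify a forbidden log line against the modelled policy."""
    parsed = parse_forbidden(line)
    if parsed is None:
        return "not-a-forbidden-message"
    ns, sa, verb, resource = parsed
    subject = f"system:serviceaccount:{ns}:{sa}"
    if is_allowed(roles, bindings, subject, verb, resource):
        return "allowed"
    # If widening every binding to cluster scope would fix it, the binding scope is the problem.
    widened = [Binding(b.role, b.subject, None) for b in bindings]
    if is_allowed(roles, widened, subject, verb, resource):
        return "binding-not-cluster-wide"
    return "role-lacks-grant"


if __name__ == "__main__":
    roles = {"system:router": ROUTER_RULES_BEFORE}
    print(diagnose(LOG_REPORT, roles, [Binding("system:router", "system:serviceaccount:default:router", None)]))
    print(missing_grants(ROUTER_RULES_BEFORE, ROUTER_NEEDS))
```

Run as a script it prints the diagnosis for the original report (a role missing the grant) and the exact verb/resource pairs to add; feeding it the flaking-test line with a namespaced binding instead reproduces the scope problem that the add-cluster-role-to-user fix addressed.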
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0066