Bug 1380669 - "system:serviceaccount:default:router" cannot list all services in the cluster
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing (Show other bugs)
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Rajat Chopra
QA Contact: zhaozhanqi
Docs Contact:
Depends On:
Blocks:
Reported: 2016-09-30 05:56 EDT by Alexander Koksharov
Modified: 2017-03-08 13 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The system:router role has always been able to list the services in a cluster, but it has to be bound cluster-wide. The tests that were binding this role in namespace scope have been fixed to bind it across the cluster.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-18 07:41:52 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Origin (Github) | 11649 | None | None | None | 2016-11-01 11:41 EDT
Origin (Github) | 11713 | None | None | None | 2016-11-01 15:58 EDT
Red Hat Product Errata | RHBA-2017:0066 | normal | SHIPPED_LIVE | Red Hat OpenShift Container Platform 3.4 RPM Release Advisory | 2017-01-18 12:23:26 EST
Description Alexander Koksharov 2016-09-30 05:56:23 EDT
Description of problem:

Have run the ansible installation with the following settings related to the router:

# OpenShift Router Options
#
# An OpenShift router will be created during install if there are
# nodes present with labels matching the default router selector,
# "region=infra". Set openshift_node_labels per node as needed in
# order to label nodes.
#
# Example:
# [nodes]
# node.example.com openshift_node_labels="{'region': 'infra'}"
#
# Router selector (optional)
# Router will only be created if nodes matching this label are present.
# Default value: 'region=infra'
openshift_hosted_router_selector='region=infra'
#
# Router replicas (optional)
# Unless specified, openshift-ansible will calculate the replica count
# based on the number of nodes matching the openshift router selector.
openshift_hosted_router_replicas=1
#
# Router force subdomain (optional)
# A router path format to force on all routes used by this router
# (will ignore the route host value)
#openshift_hosted_router_force_subdomain='${name}-${namespace}.apps.example.com'
#
# Router certificate (optional)
# Provide local certificate paths which will be configured as the
# router's default certificate.
#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"}
#
# Disable management of the OpenShift Router
#openshift_hosted_manage_router=false


Router has been deployed but in logs there were lots of messages:

E0930 04:52:25.694754       1 reflector.go:203] github.com/openshift/origin/pkg/router/template/service_lookup.go:30: Failed to list *api.Service: User "system:serviceaccount:default:router" cannot list all services in the cluster
E0930 04:52:26.698282       1 reflector.go:203] github.com/openshift/origin/pkg/router/template/service_lookup.go:30: Failed to list *api.Service: User "system:serviceaccount:default:router" cannot list all services in the cluster
E0930 04:52:27.701666       1 reflector.go:203] github.com/openshift/origin/pkg/router/template/service_lookup.go:30: Failed to list *api.Service: User "system:serviceaccount:default:router" cannot list all services in the cluster

To stop this from being logged I have to update the clusterrole, adding services to the list of resources:
oc edit clusterrole
...
- apiVersion: v1
  kind: ClusterRole
  metadata:
    creationTimestamp: 2016-09-30T06:54:24Z
    name: system:router
    resourceVersion: "672"
    selfLink: /oapi/v1/clusterroles/system:router
    uid: b92dbade-86da-11e6-a72b-001a4a223a2b
  rules:
  - apiGroups:
    - ""
    attributeRestrictions: null
    resources:
    - endpoints
    - routes
    - services
    verbs:
    - list
    - watch
  - apiGroups:
    - ""
    attributeRestrictions: null
    resources:
    - routes/status
    verbs:
    - update
...

Version-Release number of selected component (if applicable):
3.3

Comment 1 Scott Dodson 2016-10-04 11:08:59 EDT
Does this seem to actually create any problems?
Comment 2 Paul Weil 2016-10-05 08:40:32 EDT
It looks like the service fetching was added to support idling mechanics. Solly, can you comment on the impact here?
Comment 3 Solly Ross 2016-10-05 10:18:08 EDT
It should just prevent using unidling, and log messages.  The router should continue to work fine for "normal" operation.  The policy *should* also be part of the default cluster policy.  Did the default policy not include allowing the router to list services?
Comment 4 Eric Paris 2016-10-26 17:46:28 EDT
We need a 'more permissive' router service account to support the F5 integration (it needs access to nodes). Rajat, Solly, can we work out one policy here?
Comment 5 Jordan Liggitt 2016-11-01 12:50:25 EDT
default router role already allows listing/watching services
Comment 6 Ben Bennett 2016-11-01 15:20:54 EDT
And listing/watching nodes (to address eparis' comment)

Yet the tests are sometimes flaking with:
  Oct 28 14:12:54 ip-172-18-15-109.ec2.internal dockerd-current[2180]: E1028 18:12:54.208082       1 reflector.go:203] github.com/openshift/origin/pkg/router/template/service_lookup.go:30: Failed to list *api.Service: User "system:serviceaccount:extended-test-scoped-router-j2yjk-6fq93:default" cannot list all services in the cluster

Despite that test case doing:
  err := oc.AsAdmin().Run("policy").Args("add-role-to-user", "system:router", oc.Username()).Execute()
Comment 7 Ben Bennett 2016-11-01 15:57:00 EDT
Ah, should have been add-cluster-role-to-user.

Rajat has posted a PR to fix it.
Comment 8 Ben Bennett 2016-11-02 09:56:45 EDT
Can't be modified until we merge.
Comment 10 zhaozhanqi 2016-11-04 06:46:36 EDT
Verified this bug on
openshift v3.4.0.21+ca4702d
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0
name: system:router
  resourceVersion: "40"
  selfLink: /oapi/v1/clusterroles/system:router
  uid: 7bbe1231-a249-11e6-bd71-42010af00003
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - endpoints
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - services
  verbs:
  - list
  - watch
- apiGroups:
Comment 11 Rajat Chopra 2016-11-07 12:42:08 EST
The bug is fixed. Needinfo cleared. The earlier policy was not cluster wide, hence the errors.
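The root cause in comments 6, 7 and 11 is binding scope, not the role's rules: a RoleBinding created with add-role-to-user only covers its own namespace, so a cluster-wide list of services is denied even though the ClusterRole grants list on services. This is an added Python model of that scoping rule, not Origin code; the ClusterRole rules are a constructed approximation of the one quoted above, and the subject and namespace are taken from the flaking test log in comment 6.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    resources: frozenset
    verbs: frozenset

@dataclass(frozen=True)
class Binding:
    role: str                         # name of a ClusterRole
    subject: str                      # e.g. "system:serviceaccount:<ns>:router"
    namespace: Optional[str] = None   # set for a RoleBinding, None for a ClusterRoleBinding

# Constructed approximation of the system:router ClusterRole quoted in the bug.
CLUSTER_ROLES = {
    "system:router": (
        Rule(frozenset({"endpoints", "routes", "services"}), frozenset({"list", "watch"})),
        Rule(frozenset({"routes/status"}), frozenset({"update"})),
    ),
}

def can(bindings, subject, verb, resource, namespace=None):
    """namespace=None models a cluster-wide request, e.g. listing every service."""
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding grants its role only inside its own namespace, so it never satisfies namespace=None.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(resource in r.resources and verb in r.verbs for r in CLUSTER_ROLES.get(b.role, ())):
            return True
    return False

def explain(bindings, subject, verb, resource, namespace=None):
    """Render the decision in the wording the router logged in this bug."""
    if can(bindings, subject, verb, resource, namespace):
        return "allowed"
    scope = f"all {resource} in the cluster" if namespace is None else f"{resource} in namespace {namespace}"
    return f'User "{subject}" cannot {verb} {scope}'

SA = "system:serviceaccount:extended-test-scoped-router-j2yjk-6fq93:default"
TEST_NS = "extended-test-scoped-router-j2yjk-6fq93"
SCOPED = [Binding("system:router", SA, namespace=TEST_NS)]  # what add-role-to-user creates
CLUSTER = [Binding("system:router", SA)]                    # what add-cluster-role-to-user creates

if __name__ == "__main__":
    for cmd, bindings in (("add-role-to-user", SCOPED), ("add-cluster-role-to-user", CLUSTER)):
        print(f"{cmd}: {explain(bindings, SA, 'list', 'services')}")
```

The namespaced binding still allows the same list inside its own namespace; only the cluster-wide list the router's service_lookup reflector performs is refused, which is exactly what the test log shows.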
Comment 13 errata-xmlrpc 2017-01-18 07:41:52 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066
