Document URL: https://docs.openshift.com/container-platform/3.3/install_config/upgrading/manual_upgrades.html#manual-upgrading-efk-logging-stack Section Number and Name: Upgrading the EFK Logging Stack Describe the issue: # oc project logging Now using project "logging" on server "https://master.example.com:8443". # oc apply -n openshift -f \ > /usr/share/openshift/examples/infrastructure-templates/enterprise/logging-deployer.yaml template "logging-deployer-account-template" configured template "logging-deployer-template" configured # oc process logging-deployer-account-template | oc apply -f - error: template "logging-deployer-account-template" could not be found error: no objects passed to apply # oc process logging-deployer-account-template -n openshift | oc apply -f - serviceaccount "logging-deployer" configured serviceaccount "aggregated-logging-kibana" configured serviceaccount "aggregated-logging-elasticsearch" configured serviceaccount "aggregated-logging-fluentd" configured serviceaccount "aggregated-logging-curator" configured clusterrole "oauth-editor" configured clusterrole "daemonset-admin" configured Error from server: RoleBinding "logging-deployer-edit-role" is invalid: roleRef: Invalid value: {"kind":"ClusterRole","name":"edit"}: cannot change roleRef Error from server: RoleBinding "logging-deployer-dsadmin-role" is invalid: roleRef: Invalid value: {"kind":"ClusterRole","name":"daemonset-admin"}: cannot change roleRef Suggestions for improvement: Adjust the item #3 upgrade command so that is does not give end users errors when running it as is from the documentation. Additional information:
Another comment, not sure if it should be a new BZ, but the 4th step.. # oadm policy add-cluster-role-to-user rolebinding-reader \ system:serviceaccount:logging:aggregated-logging-elasticsearch refers to a non-existent clusterrole. The logging-deployer-account-template does not create this clusterrole. Version of OCP: atomic-openshift-3.4.1.2-1.git.0.d760092.el7.x86_64
Hi @Takeshi, to be safe I went ahead and separated out the issue and logged a new bug just for that cluster role not existing: https://bugzilla.redhat.com/show_bug.cgi?id=1425621
Ah.. Thank you Eric. (In reply to Eric Jones from comment #2) > Hi @Takeshi, to be safe I went ahead and separated out the issue and logged > a new bug just for that cluster role not existing: > https://bugzilla.redhat.com/show_bug.cgi?id=1425621