Description of problem:
See the following details.

Version-Release number of selected component (if applicable):
openshift-ansible-3.5.28-1.git.0.103513e.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set up an env with routers sharded by the NAMESPACE_LABELS setting:
openshift_hosted_routers=[{"name": "router", "replicas": 1, "serviceaccount": "router", "namespace": "default", "stats_port": 1936, "images": "registry.xxx.xxx.com/openshift3/ose-${component}:${version}", "edits": [{"action": "append", "key": "spec.template.spec.containers[0].env", "value": {"name": "NAMESPACE_LABELS", "value": "n=install-test"}}], "certificates": {}, "selector": "role=node,router=enabled", "ports": ["8080:8080", "443:443"]}]
2. Create a new project, then add the label to it.
# oc new-project install-test
# oc label namespace install-test n=install-test
3. Create an app in the install-test project, and expose a route for the app.

Actual results:
Try to access the app's web page; it is not available. In the router log, found the following error:
[root@ip-172-18-4-19 ~]# oc logs router-3-qkflk
I0313 09:59:13.455777       1 router.go:475] Router reloaded:
 - Checking HAProxy /healthz on port 1936 ...
 - HAProxy port 1936 health check ok : 0 retry attempt(s).
I0313 09:59:13.455860       1 router.go:228] Router is only using routes in namespaces matching n=install-test
E0313 09:59:13.477527       1 controller.go:163] unable to find namespaces for router: User "system:serviceaccount:default:router" cannot list all namespaces in the cluster
E0313 09:59:23.481816       1 controller.go:163] unable to find namespaces for router: User "system:serviceaccount:default:router" cannot list all namespaces in the cluster

Expected results:
Installer should do that when setting up a router with the NAMESPACE_LABELS setting.

Additional info:
According to https://bugzilla.redhat.com/show_bug.cgi?id=1332510#c1, an extra step is needed:
# oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:default:router
After adding the above permission, the app's URL is available.
Kenny, is this applicable to the sharded router use case that's currently used in Online?
I think this is caused by creating the serviceaccount outside of the oc_adm_router. I have removed the dependency in this PR: https://github.com/openshift/openshift-ansible/pull/3635 This will allow the oc adm router call to correctly set up the serviceaccount and the scc.
https://github.com/openshift/openshift-ansible/pull/3648 backport to release-1.5
(In reply to Kenny Woodson from comment #2)
> I think this is caused by creating the serviceaccount outside of the
> oc_adm_router. I have removed the dependency in this PR:
> https://github.com/openshift/openshift-ansible/pull/3635
>
> This will allow the oc adm router call to correctly setup the serviceaccount
> and the scc.

Re-tested this with openshift-ansible-3.5.32-1.git.0.42cf266.el7.noarch, still reproduced. Even when calling the "oc adm router" command, it will not add the "cluster-reader" permission to the router serviceaccount; have to manually run the command to add the permission. That is why BZ#1332510 was fixed by a doc patch.
Proposed: https://github.com/openshift/openshift-ansible/pull/3650
Merged: https://github.com/openshift/openshift-ansible/pull/3650
Additional changes merged from comment 7, ON_QA
Verified this bug with openshift-ansible-3.6.3-1.git.0.622449e.el7.noarch.rpm, and PASS. After installation, check:
# oc get clusterrolebinding|grep router
cluster-readers   /cluster-reader   system:cluster-readers   management-infra/management-admin, default/router
Router with the NAMESPACE_LABELS setting is working well.
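The verification above is done by eye; the following shell functions turn the same two checks (the router service account is bound to cluster-reader, and the router log does not show the "cannot list all namespaces" denial) into something that can run after every install. This is an added example, not code from the bug report or from openshift-ansible; the function names are hypothetical, the binding listing and log lines below are constructed to match the formats quoted in this report, and in real use they would be replaced by the output of oc get clusterrolebinding and oc logs.

```shell
# Added example (not from the bug report or openshift-ansible): post-install
# RBAC checks for a router sharded by NAMESPACE_LABELS.
# Assumes 'oc get clusterrolebinding' output in the column layout quoted in
# the verification comment (NAME ROLE USERS GROUPS SERVICE-ACCOUNTS ...).

# Constructed sample of 'oc get clusterrolebinding' output. The second line is
# a made-up binding that names the router SA on a different role.
SAMPLE_BINDINGS='NAME              ROLE              USERS   GROUPS                   SERVICE ACCOUNTS
cluster-readers   /cluster-reader           system:cluster-readers   management-infra/management-admin, default/router
example-binding   /view                                              default/router'

# Constructed sample of a router log, after the error quoted in the report.
SAMPLE_LOG='I0313 09:59:13.455860       1 router.go:228] Router is only using routes in namespaces matching n=install-test
E0313 09:59:13.477527       1 controller.go:163] unable to find namespaces for router: User "system:serviceaccount:default:router" cannot list all namespaces in the cluster'

# has_cluster_reader BINDINGS NAMESPACE/SA
# Exit 0 if the service account appears as a subject of a binding whose role
# is /cluster-reader, the permission the sharded router needs to list
# namespaces. Subjects are comma separated, so strip a trailing comma before
# comparing the token.
has_cluster_reader() {
    printf '%s\n' "$1" | awk -v sa="$2" '
        $2 == "/cluster-reader" {
            for (i = 3; i <= NF; i++) {
                t = $i
                sub(/,$/, "", t)
                if (t == sa) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# namespace_list_denied LOG NAMESPACE/SA
# Exit 0 if the log contains the exact denial this bug produces for the
# given service account; the user string is built from NAMESPACE/SA.
namespace_list_denied() {
    ns="${2%/*}"
    name="${2#*/}"
    printf '%s\n' "$1" | grep -q \
        "unable to find namespaces for router: User \"system:serviceaccount:${ns}:${name}\" cannot list all namespaces"
}

# check_router_rbac BINDINGS LOG NAMESPACE/SA
# Combined check: exit 0 only when the binding is present and the log shows
# no denial; prints a one-line verdict for each condition.
check_router_rbac() {
    rc=0
    if has_cluster_reader "$1" "$3"; then
        echo "ok: $3 is bound to cluster-reader"
    else
        echo "FAIL: $3 is not bound to cluster-reader"
        rc=1
    fi
    if namespace_list_denied "$2" "$3"; then
        echo "FAIL: router log shows $3 denied listing namespaces"
        rc=1
    else
        echo "ok: no namespace-list denial for $3 in router log"
    fi
    return $rc
}

# Stand-alone run against the constructed samples: the binding is present but
# the sample log still carries the denial, so the combined check fails.
check_router_rbac "$SAMPLE_BINDINGS" "$SAMPLE_LOG" default/router
```

Against a live cluster the two inputs come from `oc get clusterrolebinding` and `oc logs` of the router pod; a binding that is present while the log still shows the denial usually means the router pod was started before the binding was added and has not yet been restarted.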