Bug 1461856 - Support watching role bindings in the OpenShift REST API
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Target Release: 3.7.0
Assigned To: Simo Sorce
QA Contact: Xiaoli Tian
Reported: 2017-06-15 08:55 EDT by Roddie Kieley
Modified: 2018-01-07 09:50 EST
Last Closed: 2018-01-07 09:50:13 EST
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Github fabric8io/kubernetes-client/issues/775 None None None 2017-06-15 08:56 EDT

Description Roddie Kieley 2017-06-15 08:55:03 EDT
Description of problem:

Watcher with resource RoleBinding not working:

oc get rolebinding -w              
NAME                    ROLE                    USERS       GROUPS                             SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  developer                                                          
system:deployers        /system:deployer                                                       deployer            
system:image-builders   /system:image-builder                                                  builder             
system:image-pullers    /system:image-puller                system:serviceaccounts:myproject                       
Error from server (NotFound): the server could not find the requested resource (get rolebindings)

That last error shows that the standard watch URL (e.g. https://openshiftapi/oapi/v1/watch/namespaces/myproject/rolebindings) doesn't exist for that resource kind.

Version-Release number of selected component (if applicable):

How reproducible:

All the time

Steps to Reproduce:
1. oc get rolebinding -w

Actual results:

Error from server (NotFound): the server could not find the requested resource (get rolebindings)

Expected results:

Being able to get and watch role bindings

Additional info:
Comment 1 Roddie Kieley 2017-06-15 09:00:04 EDT
Use-case is the following:

- we provide egress functionality to customers in an automated way (egress: call external services either on the internet or in the core IT/company internal network, and this per tenant)

- the customer creates a configmap with configuration, a controller listens to configmap changes and deploys a proxy (squid or haproxy) to a shadow project of the customer's main project (this was necessary because of the flexibility of nodeselector... service on internet -> proxy needs to be deployed on a node that has access to the internet, service in core IT of a specific customer -> deploy proxy to a node that has access over VPN to that customer's core IT)

- in order for the customer to see if the proxies are running or to have a look at the logs of the proxies, we give view rights on the shadow projects (everyone or every group that has any right on the main project is taken over to the shadow project as viewer only)

- the controller I implemented creates the shadow project when the first proxy is needed (the projects are peered, meaning the netid on the shadow project is set equal to the netid of the main project; by the way: netnamespace in OpenShift provides this and netnamespace does not exist in the fabric8 client, I did my own implementation)

- so when the shadow namespace is created, rolebindings are taken over as view

- changes in rolebindings
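
Added example, not part of the original comment and not code from the reporter's controller or from OpenShift: a sketch of the mirroring logic this use case needs once RoleBinding watch events are available, folding ADDED/MODIFIED/DELETED events into state and deriving one view-only binding for the shadow project. The event lines are constructed, and the names "myproject-shadow" and "mirrored-view" are hypothetical.

```python
import json

RBAC = "rbac.authorization.k8s.io"

def _ev(kind, name, role, subjects):
    # Builds one constructed watch event line (event type + RoleBinding object).
    return json.dumps({"type": kind, "object": {
        "kind": "RoleBinding", "metadata": {"name": name, "namespace": "myproject"},
        "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": role},
        "subjects": subjects}})

def _s(kind, name):
    return {"kind": kind, "name": name, "apiGroup": RBAC}

# Constructed sample stream for the main project "myproject" (not captured output).
SAMPLE_EVENTS = [
    _ev("ADDED", "admin", "admin", [_s("User", "developer")]),
    _ev("ADDED", "system:image-pullers", "system:image-puller",
        [_s("Group", "system:serviceaccounts:myproject")]),
    _ev("ADDED", "edit-alice", "edit", [_s("User", "alice")]),
    _ev("DELETED", "edit-alice", "edit", [_s("User", "alice")]),
    _ev("MODIFIED", "admin", "admin", [_s("User", "developer"), _s("Group", "ops")]),
]

def apply_event(state, line):
    """Fold one watch event into state {binding name: subjects}."""
    event = json.loads(line)
    if event["type"] == "ERROR":
        # e.g. an expired resourceVersion: local state is stale, re-list and re-watch
        raise RuntimeError("watch error, re-list required: %r" % event["object"])
    name = event["object"]["metadata"]["name"]
    if event["type"] == "DELETED":
        state.pop(name, None)  # a revocation in the main project must reach the shadow
    elif event["type"] in ("ADDED", "MODIFIED"):
        state[name] = event["object"].get("subjects") or []
    return state

def shadow_view_binding(state, shadow_ns):
    """Every subject bound to any role in main gets exactly 'view' in the shadow."""
    unique = {}
    for subjects in state.values():
        for s in subjects:
            unique[(s["kind"], s["name"], s.get("namespace", ""))] = s
    return {"apiVersion": RBAC + "/v1", "kind": "RoleBinding",
            "metadata": {"name": "mirrored-view", "namespace": shadow_ns},  # hypothetical
            "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "view"},
            "subjects": [unique[k] for k in sorted(unique)]}

def mirror(lines, shadow_ns="myproject-shadow"):  # hypothetical shadow project name
    state = {}
    for line in lines:
        apply_event(state, line)
    return shadow_view_binding(state, shadow_ns)
```

Rebuilding the shadow binding from the full state on every event, rather than patching it, means a subject removed from the main project also loses view access to the shadow project.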
Comment 2 Jordan Liggitt 2017-06-15 09:24:14 EDT
Watching roles and rolebindings will be supported once we collapse onto the kubernetes RBAC API types. That is currently planned for the 3.7-3.8 timeframe.
Comment 3 Roddie Kieley 2017-06-15 09:29:48 EDT
Thanks Jordan for the quick feedback on where this fits in the roadmap.
Comment 4 Roddie Kieley 2017-10-23 08:07:00 EDT
Do we know if this functionality is still on track for the 3.7 OCP release?
Comment 5 Simo Sorce 2017-10-24 12:48:18 EDT
In 3.7 we migrated to use Kubernetes RBAC, which is backed by actual objects. So watching RBAC Role Bindings should just work.
Comment 6 Roddie Kieley 2017-10-24 12:50:45 EDT
Thanks for the quick update, will see if things just work with the 3.7 release!
Comment 8 Simo Sorce 2018-01-07 09:50:13 EST
Shipped in GA
