Description of problem: Upgrading from 3.4 to 3.5 (3.5.5.15), we've hit the following error. TASK [Reconcile Security Context Constraints] ********************************** fatal: [SQY05TM001]: FAILED! => { "changed": false, "cmd": [ "oc", "adm", "policy", "reconcile-sccs", "--confirm", "--additive-only=true", "-o", "name" ], "delta": "0:00:00.158302", "end": "2017-07-07 11:50:36.765357", "failed": true, "rc": 1, "start": "2017-07-07 11:50:36.607055", "warnings": [] } STDERR: error: openshift-infra is not a valid namespace See 'oc adm policy reconcile-sccs -h' for help and examples. When user is not system:admin the above issue is faced to resolve this we have to manually add perform : cp -f /etc/origin/master/admin.kubeconfig /home/wnradm/.kube/config oc whoami system:admin Version-Release number of the following components: How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: It fails to upgrade if the user is not system:admin Expected results: It should run independent of which user is logged in Additional info: PR : https://github.com/openshift/openshift-ansible/pull/4710
https://github.com/openshift/openshift-ansible/pull/4709
Failed to Drian node when the default user is a normal user TASK [Drain Node for Kubelet upgrade] ****************************************** fatal: [openshift-217.lab.eng.nay.redhat.com -> openshift-181.lab.eng.nay.redhat.com]: FAILED! => { "changed": true, "cmd": [ "oadm", "drain", "openshift-217.lab.eng.nay.redhat.com", "--force", "--delete-local-data", "--ignore-daemonsets" ], "delta": "0:00:00.338681", "end": "2017-07-18 02:40:32.096593", "failed": true, "rc": 1, "start": "2017-07-18 02:40:31.757912", "warnings": [] } STDERR: Error from server (Forbidden): User "anli" cannot get nodes at the cluster scope
More changes merged.
Scott, which puddle/branch can I use? atomic-openshift-utils-3.6.162-1.git.0.50e29bd.el7.noarch still fail to drain nodes. fatal: [openshift-217.lab.eng.nay.redhat.com -> openshift-181.lab.eng.nay.redhat.com]: FAILED! => { "attempts": 60, "changed": true, "cmd": [ "oadm", "drain", "openshift-217.lab.eng.nay.redhat.com", "--force", "--delete-local-data", "--ignore-daemonsets" ], "delta": "0:00:00.338451", "end": "2017-07-24 00:26:06.314641", "failed": true, "rc": 1, "start": "2017-07-24 00:26:05.976190", "warnings": [] } STDERR: Error from server (Forbidden): User "anli" cannot get nodes at the cluster scope NO MORE HOSTS LEFT ************************************************************* NO MORE HOSTS LEFT ************************************************************* to retry, use: --limit @/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_6/upgrade.retry
The next puddle will have it, 3.6.168 or later when it becomes available. I had to add a commit for this fix today. Moving back to MODIFIED until we have a new build.
changes in v3.6.169
Failed on atomic-openshift-utils-3.6.171-1.git.0.9d04eee.el7.noarch failed: [openshift-181.lab.eng.nay.redhat.com] (item=/usr/share/openshift/examples/image-streams/dotnet_imagestreams.json) => { "changed": false, "cmd": [ "oc", "create", "-n", "openshift", "-f", "/usr/share/openshift/examples/image-streams/dotnet_imagestreams.json" ], "delta": "0:00:00.306632", "end": "2017-07-27 23:45:44.090470", "failed": true, "failed_when_result": true, "item": "/usr/share/openshift/examples/image-streams/dotnet_imagestreams.json", "rc": 1, "start": "2017-07-27 23:45:43.783838", "warnings": [] } STDERR: Error from server (Forbidden): User "anli" cannot create imagestreams in project "openshift"
The change was missed on release-3.6 branch, I've verified that there's no diffs between master and releae-3.6 after this pull request https://github.com/openshift/openshift-ansible/pull/4924
Pass in atomic-openshift-utils-3.6.173.0.0-1.git.0.18ecb68.el7.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1716