Description of problem:
OCP v3.7 can be installed without service catalog enabled, but it fails to install if that is enabled, due to the policy change https://github.com/openshift/origin/pull/15021.
Current ansible installation of service catalog will fail with messages:
...
"cmd": "oc get policybindings/kube-system:default -n kube-system ...
... the server doesn't have a resource type "policybindings"
...
fatal: [<host name>]: FAILED! => {
    "changed": true,
    "cmd": [ "oc", "create", "policybinding", "kube-system", "-n", "kube-system" ]
...
error: This command works only with server versions < 3.7.0, found v3.7.0-0.117.0
Now that the policy changes in v3.7, the ansible installation of service catalog should change accordingly too.
Bug is reported because it affects new features testing related to service catalog in v3.7.
Version-Release number of the following components:
openshift v3.7.0-0.117.0
openshift-ansible-playbooks-3.7.0-0.117.0
How reproducible:
Always
Steps to Reproduce:
1. Install v3.7 service catalog via ansible
Actual results:
1. It will fail as said above
Expected results:
1. Should succeed
Additional info:
Mo, is this the same change we ported oc_* modules to accommodate? Can you advise on the proper new command?
On 3.7 or later, you should be creating RoleBinding.rbac.authorization.k8s.io objects. The RoleBinding.authorization.openshift.io will still work, but PolicyBinding is no longer required and shouldn't've been required later in the 3.6 cycle.
@Scott this is a duplicate of https://github.com/openshift/openshift-ansible/issues/4956
@David I opened https://github.com/openshift/openshift-ansible/issues/5275 since migrating openshift-ansible to use RBAC will require various modules to be updated.
Adding keyword "TestBlocker" because the env installation failure blocks the test of new user stories about service catalog, such as the Complete cards:
https://trello.com/c/Dk9IxmCH/
https://trello.com/c/UWgrj6bL/
https://trello.com/c/IlDIJAz2/
And other service catalog cards on the board https://trello.com/b/nbkIrqKa/user-interface that are in the "In Progress" list currently but would become "Complete" some time.
Installed env via ansible with openshift v3.7.0-0.131.0 and openshift-ansible-3.7.0-0.128.0, the original issue in comment 0 is solved. openshift_enable_service_catalog set as true can successfully install service catalog env:
# oc get pod -n kube-service-catalog
NAME                       READY     STATUS    RESTARTS   AGE
apiserver-xp1kk            1/1       Running   0          1h
controller-manager-wwdvm   1/1       Running   0          1h
From this point, moving bug to VERIFIED
But I have a question: from https://github.com/openshift/openshift-ansible/pull/5226, default "ansible_service_broker_install: false" is seen. This means ansible does not create the ansible service broker by default for the env (and thus no serviceclasses). Would it be better to make "ansible_service_broker_install" true by default?
The choice to make the default false was due to the fact that we can also install the "template_service_broker". If we wanted to install just the TSB that would require that we set "ansible_service_broker_install" to false and "template_service_broker_install" to true.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188