Bug 1486623 - Service catalog cannot be installed in v3.7 due to policy change
Summary: Service catalog cannot be installed in v3.7 due to policy change
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.7.0
Assignee: ewolinet
QA Contact: Johnny Liu
Depends On:
TreeView+ depends on / blocked
Reported: 2017-08-30 09:30 UTC by Xingxing Xia
Modified: 2017-11-28 22:08 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Policy binding policy changed from OCP v3.6 to v3.7 Consequence: The playbook fails to install when trying to create policy bindings. Fix: Remove the policy bindings for 3.7 as they are no longer needed. Result: The playbook successfully completes and installs the service catalog.
Clone Of:
Last Closed: 2017-11-28 22:08:20 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3188 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-29 02:34:54 UTC

Description Xingxing Xia 2017-08-30 09:30:39 UTC
Description of problem:
OCP v3.7 can be installed without service catalog enabled.
But fail to be installed if that enabled, due to policy change https://github.com/openshift/origin/pull/15021.
Current ansible installation of service catalog will fail with messages:
... "cmd": "oc get policybindings/kube-system:default -n kube-system ...
... the server doesn't have a resource type "policybindings"
fatal: [<host name>]: FAILED! => {
    "changed": true,
    "cmd": [
... error: This command works only with server versions < 3.7.0, found v3.7.0-0.117.0

Now that the policy changes in v3.7, the ansible installation of service catalog should change accordingly too.
Bug is reported because it affects new features testing related to service catalog in v3.7

Version-Release number of the following components:
openshift v3.7.0-0.117.0

How reproducible:

Steps to Reproduce:
1. Install v3.7 service catalog via ansible

Actual results:
1. It will fail as said above

Expected results:
1. Should succeed

Additional info:

Comment 1 Scott Dodson 2017-08-30 12:23:39 UTC
Mo is this the same change we ported oc_* modules to accomodate? Can you advise on the proper new command?

Comment 2 David Eads 2017-08-30 12:42:15 UTC
On 3.7 or later, you should be creating RoleBinding.rbac.authorization.k8s.io objects.  The RoleBinding.authorization.openshift.io will still work, but PolicyBinding is no longer required and shouldn't've been required later in 3.6 cycle.

Comment 3 Mo 2017-08-30 22:23:14 UTC
@Scott this is a duplicate of https://github.com/openshift/openshift-ansible/issues/4956

@David I opened https://github.com/openshift/openshift-ansible/issues/5275 since migrating openshift-ansible to use RBAC will require various modules to be updated.

Comment 4 Xingxing Xia 2017-08-31 06:22:40 UTC
Adding keyword "TestBlocker" because the env installation failure blocks the test of new user stories about service catalog, such as the Complete cards:

And other service catalog cards on board https://trello.com/b/nbkIrqKa/user-interface that are in "In Progress" list currently but would become "Complete" some time

Comment 6 Xingxing Xia 2017-09-27 08:08:23 UTC
Installed env via ansible with openshift v3.7.0-0.131.0 and openshift-ansible-3.7.0-0.128.0, the original issue in comment 0 is solved. openshift_enable_service_catalog set as true can successfully install service catalog env:
# oc get pod -n kube-service-catalog
NAME                       READY     STATUS    RESTARTS   AGE
apiserver-xp1kk            1/1       Running   0          1h
controller-manager-wwdvm   1/1       Running   0          1h

From this point, moving bug to VERIFIED

Comment 7 Xingxing Xia 2017-09-27 08:13:47 UTC
But have a question, from https://github.com/openshift/openshift-ansible/pull/5226, default "ansible_service_broker_install: false" is seen. This makes ansible does not create ansible service broker by default for the env (and thus no serviceclasses).

Should it be better to make "ansible_service_broker_install" true by default?

Comment 8 ewolinet 2017-09-27 14:16:11 UTC
The choice to make the default false was due to the fact that we can also install the "template_service_broker". 

If we wanted to install just the TSB that would require that we set "ansible_service_broker_install" to false and "template_service_broker_install" to true.

Comment 11 errata-xmlrpc 2017-11-28 22:08:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.