Description of problem:

For CFME image scanning to work, system:serviceaccount:management-infra:management-admin needs to be in the admin role in the management-infra project.

Without this role binding, the CFME image scanner receives the following exception:

Q-task_id([9e028556-8e43-11e7-a1df-001a4a16018e]) MIQ(ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job#start) pod creation for [management-infra/manageiq-img-scan-9e028] failed: [HTTP status code 403, User "system:serviceaccount:management-infra:management-admin" cannot create pods in project "management-infra"]

After executing the following:

oc policy add-role-to-user admin system:serviceaccount:management-infra:management-admin

Image scanning worked OK.

management-infra project role bindings after fresh install:

[root@master01 ~]# oc get rolebindings
NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
admin /admin management-admin
management-infra-admin /management-infra-admin management-admin
system:deployer /system:deployer deployer
system:image-builder /system:image-builder builder
system:image-puller /system:image-puller system:serviceaccounts:management-infra

Role bindings should be:

NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
admin /admin management-admin management-admin
management-infra-admin /management-infra-admin management-admin
system:deployer /system:deployer deployer
system:image-builder /system:image-builder builder
system:image-puller /system:image-puller system:serviceaccounts:management-infra

Version-Release number of the following components:

rpm -q openshift-ansible
openshift-ansible-3.6.173.0.5-3.git.0.522a92a.el7.noarch

rpm -q ansible
ansible-2.3.1.0-3.el7.noarch

ansible --version
config file = /etc/ansible/ansible.cfg
configured module search path = Default w/o overrides
python version = 2.7.5 (default, May 3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]

How reproducible:

Steps to Reproduce:
1. Install OCP
2. Add OCP as provider to CFME
3. Start OpenSCAP image scanning

Actual results:

Q-task_id([9e028556-8e43-11e7-a1df-001a4a16018e]) MIQ(ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job#start) pod creation for [management-infra/manageiq-img-scan-9e028] failed: [HTTP status code 403, User "system:serviceaccount:management-infra:management-admin" cannot create pods in project "management-infra"]

Expected results:

Scanning results should be stored to CFME.

Additional info:

Please attach logs from ansible-playbook with the -vvv flag
Verify this bug with openshift-ansible-3.6.173.0.35-1.git.0.6c318bc.el7.noarch.rpm

Set openshift_use_manageiq=true in ansible inventory file, check rolebindings under management-infra project after installation:

[root@ip-172-18-9-238 ~]# oc get rolebindings
NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
admin /admin management-admin management-admin
system:deployer /system:deployer deployer
system:image-builder /system:image-builder builder
system:image-puller /system:image-puller system:serviceaccounts:management-infra
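
The role binding check discussed in the comments above can be automated. The following is an added example, not part of the bug report or of openshift-ansible. It assumes the input has the shape of `oc get rolebindings -n management-infra -o json` (`roleRef.name` plus `subjects[]` with `kind`, `name`, `namespace`); the helper names and both sample documents are constructed for illustration.

```python
def _binding(name, role, subjects):
    # Builds one constructed rolebinding entry in the assumed JSON shape.
    return {"metadata": {"name": name, "namespace": "management-infra"},
            "roleRef": {"name": role}, "subjects": subjects}

USER = {"kind": "User", "name": "management-admin"}
SA = {"kind": "ServiceAccount", "name": "management-admin",
      "namespace": "management-infra"}

# Constructed sample: "admin" names only a user called management-admin.
# Assumption: this is one way the single entry in the fresh-install output
# can leave the service account without the admin role.
BEFORE = {"items": [_binding("admin", "admin", [USER]),
                    _binding("management-infra-admin",
                             "management-infra-admin", [SA])]}
# Constructed sample: "admin" also names the service account.
AFTER = {"items": [_binding("admin", "admin", [USER, SA]),
                   _binding("management-infra-admin",
                            "management-infra-admin", [SA])]}

def sa_roles(rolebindings, namespace, sa_name):
    """Return the role names bound to service account namespace/sa_name."""
    roles = set()
    for rb in rolebindings.get("items", []):
        for subj in rb.get("subjects") or []:
            # Assumption: a subject with no namespace refers to the
            # namespace of the binding itself.
            subj_ns = (subj.get("namespace")
                       or rb.get("metadata", {}).get("namespace"))
            # A "User" subject with the same short name does not match:
            # the service account authenticates under its full
            # system:serviceaccount:<namespace>:<name> identity.
            if (subj.get("kind") == "ServiceAccount"
                    and subj.get("name") == sa_name
                    and subj_ns == namespace):
                roles.add(rb["roleRef"]["name"])
    return roles

def check(rolebindings, namespace="management-infra",
          sa_name="management-admin", required="admin"):
    """Return (ok, message) for whether the service account holds `required`."""
    roles = sa_roles(rolebindings, namespace, sa_name)
    subject = "system:serviceaccount:%s:%s" % (namespace, sa_name)
    return required in roles, "%s has roles %s" % (subject, sorted(roles))

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        ok, msg = check(doc)
        print("%-6s %s: %s" % (label, "OK" if ok else "MISSING admin", msg))
```

Against a live cluster, load the output of the `oc` command with `json.load` and pass the result to `check`.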
*** Bug 1496981 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2900