Bug 1487648 - Installer does not add management-admin service account to management-infra project admin role
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.6.1
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
: 3.6.z
Assignee: ewolinet
QA Contact: Gaoyun Pei
URL:
Whiteboard:
: 1496981 (view as bug list)
Depends On:
Blocks:
 
Reported: 2017-09-01 13:32 UTC by Tero Ahonen
Modified: 2017-10-24 14:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The service account wasn't being added for the admin role.
Consequence: The service account didn't have correct permissions.
Fix: Updated so the service account was added for the admin role.
Result: Service account has correct permissions.
Clone Of:
Environment:
Last Closed: 2017-10-17 11:45:24 UTC
Target Upstream Version:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2017:2900 | 0 | normal | SHIPPED_LIVE | OpenShift Container Platform atomic-openshift-utils bug fix and enhancement | 2017-10-17 15:44:50 UTC

Description Tero Ahonen 2017-09-01 13:32:39 UTC
Description of problem:
For CFME image scanning to work, system:serviceaccount:management-infra:management-admin needs to be in the admin role in the management-infra project. Without this role binding, the CFME image scanner receives the following exception:

Q-task_id([9e028556-8e43-11e7-a1df-001a4a16018e]) MIQ(ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job#start) pod creation for [management-infra/manageiq-img-scan-9e028] failed: [HTTP status code 403, User "system:serviceaccount:management-infra:management-admin" cannot create pods in project "management-infra"]

After executing the following:

oc policy add-role-to-user admin system:serviceaccount:management-infra:management-admin

Image scanning worked ok.

management-infra project role bindings after fresh install

[root@master01 ~]# oc get rolebindings
NAME                     ROLE                      USERS              GROUPS                                    SERVICE ACCOUNTS   SUBJECTS
admin                    /admin                    management-admin                                                                
management-infra-admin   /management-infra-admin   management-admin                                                                
system:deployer          /system:deployer                                                                       deployer           
system:image-builder     /system:image-builder                                                                  builder            
system:image-puller      /system:image-puller                         system:serviceaccounts:management-infra                    
 
role bindings should be 

NAME                     ROLE                      USERS              GROUPS                                    SERVICE ACCOUNTS   SUBJECTS
admin                    /admin                    management-admin                                             management-admin   
management-infra-admin   /management-infra-admin   management-admin                                                                
system:deployer          /system:deployer                                                                       deployer           
system:image-builder     /system:image-builder                                                                  builder            
system:image-puller      /system:image-puller                         system:serviceaccounts:management-infra 



Version-Release number of the following components:
rpm -q openshift-ansible 
openshift-ansible-3.6.173.0.5-3.git.0.522a92a.el7.noarch
rpm -q ansible 
ansible-2.3.1.0-3.el7.noarch
ansible --version
config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
  python version = 2.7.5 (default, May  3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]
How reproducible:

Steps to Reproduce:
1. Install OCP
2. Add OCP as provider to CFME
3. Start OpenSCAP image scanning

Actual results:
Q-task_id([9e028556-8e43-11e7-a1df-001a4a16018e]) MIQ(ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job#start) pod creation for [management-infra/manageiq-img-scan-9e028] failed: [HTTP status code 403, User "system:serviceaccount:management-infra:management-admin" cannot create pods in project "management-infra"]

Expected results:
Scanning results should be stored to CFME

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
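
Added example (not part of the original report or of openshift-ansible): a check that tells the two states shown above apart, where the admin binding holds a user named management-admin but not the service account. It assumes the JSON shape of `oc get rolebindings -n management-infra -o json` with a `subjects` list of kind/name/namespace entries; the sample data and the names audit and make_bindings are constructed for illustration.

```python
import json
import sys

SA_NS, SA_NAME, ROLE = "management-infra", "management-admin", "admin"

def make_bindings(subjects):
    # Constructed sample shaped like `oc get rolebindings -n management-infra -o json`
    return json.dumps({"kind": "List", "items": [
        {"metadata": {"name": "admin", "namespace": SA_NS},
         "roleRef": {"name": "admin"}, "subjects": subjects},
        {"metadata": {"name": "system:deployer", "namespace": SA_NS},
         "roleRef": {"name": "system:deployer"},
         "subjects": [{"kind": "ServiceAccount", "name": "deployer",
                       "namespace": SA_NS}]},
    ]})

# Fresh-install state from the report: only a *user* called management-admin.
BROKEN = make_bindings([{"kind": "User", "name": SA_NAME}])
# State after the workaround: the service account is a subject as well.
FIXED = make_bindings([{"kind": "User", "name": SA_NAME},
                       {"kind": "ServiceAccount", "name": SA_NAME,
                        "namespace": SA_NS}])

def audit(bindings_json, role=ROLE, sa_name=SA_NAME, sa_ns=SA_NS):
    """Return 'ok', 'user-not-sa' (bare user bound instead of the SA) or 'missing'."""
    full_name = "system:serviceaccount:%s:%s" % (sa_ns, sa_name)
    bare_user = False
    for rb in json.loads(bindings_json).get("items", []):
        if rb.get("roleRef", {}).get("name") != role:
            continue
        for s in rb.get("subjects") or []:
            kind, name = s.get("kind"), s.get("name")
            if (kind == "ServiceAccount" and name == sa_name
                    and s.get("namespace") == sa_ns):
                return "ok"
            if kind in ("User", "SystemUser") and name == full_name:
                return "ok"  # same identity, written out as a user name
            if kind == "User" and name == sa_name:
                bare_user = True  # look-alike name; grants nothing to the SA
    return "user-not-sa" if bare_user else "missing"

if __name__ == "__main__":
    # With a file argument, audit saved `oc ... -o json` output; else the samples.
    if len(sys.argv) > 1:
        print(audit(open(sys.argv[1]).read()))
    else:
        print("fresh install:", audit(BROKEN), "| after workaround:", audit(FIXED))
```

A result of user-not-sa corresponds to the fresh-install table, where the USERS column is populated and SERVICE ACCOUNTS is empty.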

Comment 4 Gaoyun Pei 2017-09-19 08:14:47 UTC
Verify this bug with openshift-ansible-3.6.173.0.35-1.git.0.6c318bc.el7.noarch.rpm

Set openshift_use_manageiq=true in ansible inventory file, check rolebindings under management-infra project after installation

[root@ip-172-18-9-238 ~]# oc get rolebindings
NAME                   ROLE                    USERS              GROUPS                                    SERVICE ACCOUNTS   SUBJECTS
admin                  /admin                  management-admin                                             management-admin   
system:deployer        /system:deployer                                                                     deployer           
system:image-builder   /system:image-builder                                                                builder            
system:image-puller    /system:image-puller                       system:serviceaccounts:management-infra

Comment 5 Tim Bielawa 2017-10-16 15:51:09 UTC
*** Bug 1496981 has been marked as a duplicate of this bug. ***

Comment 7 errata-xmlrpc 2017-10-17 11:45:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2900

