Description of problem:
Since the resources of the servicecatalog API group were renamed, the controller-manager cannot work due to a policy issue when we use the v3.7 image of service-catalog.

Version-Release number of the following components:
openshift v3.7.0-0.131.0 and openshift-ansible-3.7.0-0.131.0

How reproducible:

Steps to Reproduce:
1. Install v3.7 service catalog via ansible
2.
3.

Actual results:
#oc logs controller-manager-s7msh -n kube-service-catalog
......
I0928 04:37:02.744493 1 reflector.go:236] Listing and watching *v1alpha1.ServiceInstance from github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61
E0928 04:37:02.745017 1 reflector.go:201] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61: Failed to list *v1alpha1.ServiceInstance: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list serviceinstances.servicecatalog.k8s.io at the cluster scope: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list all serviceinstances.servicecatalog.k8s.io in the cluster (get servicein^Cstances.servicecatalog.k8s.io)
I0928 04:37:03.742732 1 reflector.go:236] Listing and watching *v1alpha1.ServiceBroker from github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61
E0928 04:37:03.743615 1 reflector.go:201] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61: Failed to list *v1alpha1.ServiceBroker: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list servicebrokers.servicecatalog.k8s.io at the cluster scope: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list all servicebrokers.servicecatalog.k8s.io in the cluster (get servicebrokers.servicecatalog.k8s.io)
I0928 04:37:03.744097 1 reflector.go:236] Listing and watching *v1alpha1.ServiceInstanceCredential from github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61
E0928 04:37:03.744557 1 reflector.go:201] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61: Failed to list *v1alpha1.ServiceInstanceCredential: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list serviceinstancecredentials.servicecatalog.k8s.io at the cluster scope: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list all serviceinstancecredentials.servicecatalog.k8s.io in the cluster (get serviceinstancecredentials.servicecatalog.k8s.io)
I0928 04:37:03.745119 1 reflector.go:236] Listing and watching *v1alpha1.ServiceInstance from github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61
E0928 04:37:03.745622 1 reflector.go:201] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61: Failed to list *v1alpha1.ServiceInstance: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list serviceinstances.servicecatalog.k8s.io at the cluster scope: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list all serviceinstances.servicecatalog.k8s.io in the cluster (get serviceinstances.servicecatalog.k8s.io)
I0928 04:37:04.102845 1 leaderelection.go:204] successfully renewed lease kube-service-catalog/service-catalog-controller-manager
I0928 04:37:04.743792 1 reflector.go:236] Listing and watching *v1alpha1.ServiceBroker from github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61
I0928 04:37:04.744750 1 reflector.go:236] Listing and watching *v1alpha1.ServiceInstanceCredential from github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61
E0928 04:37:04.744988 1 reflector.go:201] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61: Failed to list *v1alpha1.ServiceBroker: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list servicebrokers.servicecatalog.k8s.io at the cluster scope: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list all servicebrokers.servicecatalog.k8s.io in the cluster (get servicebrokers.servicecatalog.k8s.io)
E0928 04:37:04.745406 1 reflector.go:201] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61: Failed to list *v1alpha1.ServiceInstanceCredential: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list serviceinstancecredentials.servicecatalog.k8s.io at the cluster scope: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list all serviceinstancecredentials.servicecatalog.k8s.io in the cluster (get serviceinstancecredentials.servicecatalog.k8s.io)
......

Expected results:
Should not get policy errors after installation.

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
The card will block all the service-catalog related testing for v3.7 since the resource name is changed. And for now we have to grant the related user/sa with cluster-admin as a workaround.
https://github.com/openshift/openshift-ansible/pull/5746
Checked with openshift-ansible-3.7.0-0.174.0.git.0.01932ad.el7.noarch.rpm, and found that cluster admin and edit are still using the old name.

# oc get clusterrole admin -o yaml |grep -A 20 -B 1 -i servicecatalog
- apiGroups:
  - servicecatalog.k8s.io
  attributeRestrictions: null
  resources:
  - bindings
  - instances
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
- apiGroups:
  - settings.k8s.io
  attributeRestrictions: null
  resources:
  - podpresets
  verbs:
  - create
  - delete
  - get

# oc get clusterrole edit -o yaml |grep -A 20 -B 1 -i servicecatalog
- apiGroups:
  - servicecatalog.k8s.io
  attributeRestrictions: null
  resources:
  - bindings
  - instances
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
- apiGroups:
  - settings.k8s.io
  attributeRestrictions: null
  resources:
  - podpresets
  verbs:
  - create
  - delete
  - get

TASK [openshift_service_catalog : Generate apply template for clusterrole/edit] ***
Monday 23 October 2017 07:50:34 +0000 (0:00:00.546) 0:12:10.451 ********
changed: [host-xxxxxx] => {"changed": true, "checksum": "0e40a1cffb1db2144c98464a75ef5cfddaaedc5e", "dest": "/tmp/openshift-service-catalog-ansible-RKMkF5/edit_sc_patch.yml", "failed": false, "gid": 0, "group": "root", "md5sum": "a1841d2c062ff5a6da52b26e9ac1b025", "mode": "0644", "owner": "root", "secontext": "unconfined_u:object_r:admin_home_t:s0", "size": 5629, "src": "/root/.ansible/tmp/ansible-tmp-1508745035.06-202443114384748/source", "state": "file", "uid": 0}

TASK [openshift_service_catalog : Generate apply template for clusterrole/admin] ***
Monday 23 October 2017 07:50:36 +0000 (0:00:00.514) 0:12:12.100 ********
changed: [host-xxxxxx] => {"changed": true, "checksum": "badd0104a447eb9e2903cce2bb1f006b3f944b64", "dest": "/tmp/openshift-service-catalog-ansible-RKMkF5/admin_sc_patch.yml", "failed": false, "gid": 0, "group": "root", "md5sum": "a1d407f963f44429e77fd614f2127133", "mode": "0644", "owner": "root", "secontext": "unconfined_u:object_r:admin_home_t:s0", "size": 6949, "src": "/root/.ansible/tmp/ansible-tmp-1508745036.73-275476748680638/source", "state": "file", "uid": 0}
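
The denials in the controller-manager log can be checked mechanically against a role's rules to list exactly which resource/verb pairs are uncovered. The Python below is an added example, not part of this bug report or of openshift-ansible; the log lines are constructed (shortened from the ones in the description), NEW_RULES is an assumed rule set using the renamed resources, and the matching ignores subresources and resourceNames.

```python
import re

# Constructed sample: denial lines shortened from the controller-manager log above.
SA = "system:serviceaccount:kube-service-catalog:service-catalog-controller"
SAMPLE_LOG = "\n".join(
    f'E0928 04:37:03.743615 1 reflector.go:201] factory.go:61: Failed to list: '
    f'User "{SA}" cannot list {res}.servicecatalog.k8s.io at the cluster scope'
    for res in ("serviceinstances", "servicebrokers",
                "serviceinstancecredentials", "servicebrokers"))

VERBS = ["create", "delete", "get", "list", "update", "watch"]
# Rule as shown by `oc get clusterrole admin` in the comment above (old names).
OLD_RULES = [{"apiGroups": ["servicecatalog.k8s.io"],
              "resources": ["bindings", "instances"], "verbs": VERBS}]
# Assumption: the same rule rewritten with the renamed resources from the log.
NEW_RULES = [{"apiGroups": ["servicecatalog.k8s.io"],
              "resources": ["serviceinstances", "servicebrokers",
                            "serviceinstancecredentials"], "verbs": VERBS}]

DENIED = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) '
                    r'(?P<resource>[a-z]+)\.(?P<group>[a-z0-9.]+) at the cluster scope')

def denied_requests(log_text):
    """Unique (user, verb, resource, group) tuples denied in the log."""
    return sorted({m.group("user", "verb", "resource", "group")
                   for m in DENIED.finditer(log_text)})

def allows(rules, verb, resource, group):
    """True if any rule covers the request (simplified RBAC matching)."""
    def hit(values, wanted):
        return wanted in values or "*" in values
    return any(hit(r["apiGroups"], group) and hit(r["resources"], resource)
               and hit(r["verbs"], verb) for r in rules)

def missing_rules(log_text, rules):
    """Map (group, resource) -> sorted verbs that were denied and no rule covers."""
    gaps = {}
    for _user, verb, resource, group in denied_requests(log_text):
        if not allows(rules, verb, resource, group):
            gaps.setdefault((group, resource), set()).add(verb)
    return {key: sorted(verbs) for key, verbs in gaps.items()}

if __name__ == "__main__":
    for (group, resource), verbs in sorted(missing_rules(SAMPLE_LOG, OLD_RULES).items()):
        print(f"not covered: {resource}.{group} verbs={verbs}")
```

Feeding it the real `oc logs` output and the rules of the role actually bound to the service account gives the minimal set of rules to add.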
https://github.com/openshift/openshift-ansible/pull/5840
Will give it a try after https://bugzilla.redhat.com/show_bug.cgi?id=1496426 is fixed.
Verified and passed on Brew v3.7.0-0.189.0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188