Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1496694

Summary: cluster role need update to track current resources name of servicecatalog api group for v3.7
Product: OpenShift Container Platform Reporter: weiwei jiang <wjiang>
Component: Service BrokerAssignee: Matthew Staebler <mstaeble>
Status: CLOSED ERRATA QA Contact: weiwei jiang <wjiang>
Severity: high Docs Contact:
Priority: high    
Version: 3.7.0CC: aos-bugs, bleanhar, chezhang, ewolinet, jmatthew, jokerman, jpeeler, mmccomas, pmorie, sdodson, wmeng, xiuwang, xtian, xxia
Target Milestone: ---   
Target Release: 3.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-28 22:13:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description weiwei jiang 2017-09-28 07:21:58 UTC 
Description of problem:
Since the resources of servicecatalog api group are renamed, so the controller-manager can not work due to policy issue when we use v3.7 image of service-catalog.

Version-Release number of the following components:
openshift v3.7.0-0.131.0 and openshift-ansible-3.7.0-0.131.0

How reproducible:

Steps to Reproduce:
1. Install v3.7 service catalog via ansible
2.
3.

Actual results:

#oc logs controller-manager-s7msh  -n kube-service-catalog
......
I0928 04:37:02.744493       1 reflector.go:236] Listing and watching *v1alpha1.ServiceInstance from github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61
E0928 04:37:02.745017       1 reflector.go:201] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61: Failed to list *v1alpha1.ServiceInstance: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list serviceinstances.servicecatalog.k8s.io at the cluster scope: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list all serviceinstances.servicecatalog.k8s.io in the cluster (get servicein^Cstances.servicecatalog.k8s.io)
I0928 04:37:03.742732       1 reflector.go:236] Listing and watching *v1alpha1.ServiceBroker from github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61
E0928 04:37:03.743615       1 reflector.go:201] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61: Failed to list *v1alpha1.ServiceBroker: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list servicebrokers.servicecatalog.k8s.io at the cluster scope: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list all servicebrokers.servicecatalog.k8s.io in the cluster (get servicebrokers.servicecatalog.k8s.io)
I0928 04:37:03.744097       1 reflector.go:236] Listing and watching *v1alpha1.ServiceInstanceCredential from github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61
E0928 04:37:03.744557       1 reflector.go:201] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61: Failed to list *v1alpha1.ServiceInstanceCredential: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list serviceinstancecredentials.servicecatalog.k8s.io at the cluster scope: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list all serviceinstancecredentials.servicecatalog.k8s.io in the cluster (get serviceinstancecredentials.servicecatalog.k8s.io)
I0928 04:37:03.745119       1 reflector.go:236] Listing and watching *v1alpha1.ServiceInstance from github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61
E0928 04:37:03.745622       1 reflector.go:201] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61: Failed to list *v1alpha1.ServiceInstance: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list serviceinstances.servicecatalog.k8s.io at the cluster scope: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list all serviceinstances.servicecatalog.k8s.io in the cluster (get serviceinstances.servicecatalog.k8s.io)
I0928 04:37:04.102845       1 leaderelection.go:204] successfully renewed lease kube-service-catalog/service-catalog-controller-manager
I0928 04:37:04.743792       1 reflector.go:236] Listing and watching *v1alpha1.ServiceBroker from github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61
I0928 04:37:04.744750       1 reflector.go:236] Listing and watching *v1alpha1.ServiceInstanceCredential from github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61
E0928 04:37:04.744988       1 reflector.go:201] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61: Failed to list *v1alpha1.ServiceBroker: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list servicebrokers.servicecatalog.k8s.io at the cluster scope: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list all servicebrokers.servicecatalog.k8s.io in the cluster (get servicebrokers.servicecatalog.k8s.io)
E0928 04:37:04.745406       1 reflector.go:201] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:61: Failed to list *v1alpha1.ServiceInstanceCredential: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list serviceinstancecredentials.servicecatalog.k8s.io at the cluster scope: User "system:serviceaccount:kube-service-catalog:service-catalog-controller" cannot list all serviceinstancecredentials.servicecatalog.k8s.io in the cluster (get serviceinstancecredentials.servicecatalog.k8s.io)
......

Expected results:
Should not got policy error after installation.

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
Comment 1 weiwei jiang 2017-09-29 08:00:53 UTC 
The card will block all the service-catalog related testing for v3.7 since the resource name is changed.

And for now we have to grant the related user/sa with cluster-admin as a workaround.
Comment 3 Matthew Staebler 2017-10-13 05:09:20 UTC 
https://github.com/openshift/openshift-ansible/pull/5746
Comment 5 weiwei jiang 2017-10-23 09:44:37 UTC 
Checked with openshift-ansible-3.7.0-0.174.0.git.0.01932ad.el7.noarch.rpm, and found that cluster admin and edit is still using the old name.


# oc get clusterrole admin -o yaml |grep -A 20 -B 1  -i servicecatalog
- apiGroups:
  - servicecatalog.k8s.io
  attributeRestrictions: null
  resources:
  - bindings
  - instances
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
- apiGroups:
  - settings.k8s.io
  attributeRestrictions: null
  resources:
  - podpresets
  verbs:
  - create
  - delete
  - get

# oc get clusterrole edit -o yaml |grep -A 20 -B 1  -i servicecatalog
- apiGroups:
  - servicecatalog.k8s.io
  attributeRestrictions: null
  resources:
  - bindings
  - instances
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
- apiGroups:
  - settings.k8s.io
  attributeRestrictions: null
  resources:
  - podpresets
  verbs:
  - create
  - delete
  - get


TASK [openshift_service_catalog : Generate apply template for clusterrole/edit] ***
Monday 23 October 2017  07:50:34 +0000 (0:00:00.546)       0:12:10.451 ******** 
changed: [host-xxxxxx] => {"changed": true, "checksum": "0e40a1cffb1db2144c98464a75ef5cfddaaedc5e", "dest": "/tmp/openshift-service-catalog-ansible-RKMkF5/edit_sc_patch.yml", "failed": false, "gid": 0, "group": "root", "md5sum": "a1841d2c062ff5a6da52b26e9ac1b025", "mode": "0644", "owner": "root", "secontext": "unconfined_u:object_r:admin_home_t:s0", "size": 5629, "src": "/root/.ansible/tmp/ansible-tmp-1508745035.06-202443114384748/source", "state": "file", "uid": 0}

TASK [openshift_service_catalog : Generate apply template for clusterrole/admin] ***
Monday 23 October 2017  07:50:36 +0000 (0:00:00.514)       0:12:12.100 ******** 
changed: [host-xxxxxx] => {"changed": true, "checksum": "badd0104a447eb9e2903cce2bb1f006b3f944b64", "dest": "/tmp/openshift-service-catalog-ansible-RKMkF5/admin_sc_patch.yml", "failed": false, "gid": 0, "group": "root", "md5sum": "a1d407f963f44429e77fd614f2127133", "mode": "0644", "owner": "root", "secontext": "unconfined_u:object_r:admin_home_t:s0", "size": 6949, "src": "/root/.ansible/tmp/ansible-tmp-1508745036.73-275476748680638/source", "state": "file", "uid": 0}
Comment 6 Matthew Staebler 2017-10-23 12:39:25 UTC 
https://github.com/openshift/openshift-ansible/pull/5840
Comment 8 weiwei jiang 2017-10-26 08:58:03 UTC 
Will give a try after https://bugzilla.redhat.com/show_bug.cgi?id=1496426 fixed.
Comment 9 Zhang Cheng 2017-11-02 06:15:45 UTC 
Verified and passed on Brew v3.7.0-0.189.0
Comment 13 errata-xmlrpc 2017-11-28 22:13:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188