Bug 1498983 - Unable to `oc new-app` with service account
Summary: Unable to `oc new-app` with service account
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Simo Sorce
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-10-05 18:02 UTC by Will Gordon
Modified: 2019-03-29 15:48 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-06 15:45:30 UTC
Target Upstream Version:
Embargoed:



Description Will Gordon 2017-10-05 18:02:32 UTC
Description of problem:
Trying to create a service account (and granting it admin), does not allow it to deploy new applications.

Version-Release number of selected component (if applicable):
OpenShift Master: v3.6.0-fixflex.1+3cf52d6
Kubernetes Master: v1.6.1+5115d708d7

How reproducible:
always

Steps to Reproduce:
https://gist.github.com/wklm/51e314d26ccad5526438b35b09210285

Actual results:
Application not created

Expected results:
Application created

Additional info:

Comment 1 Simo Sorce 2017-10-06 15:10:31 UTC
Copying the gist pointed at here, so we have everything needed in future.

wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$ oc project test-devforumci-preview
Now using project "test-devforumci-preview" on server "https://openshift-dev.cern.ch:443".
wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$ oc create sa other-admin
serviceaccount "other-admin" created
wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$ oc policy add-role-to-user admin system:serviceaccounts:test-devforumci:other-admin
role "admin" added: "system:serviceaccounts:test-devforumci:other-admin"
wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$  oc new-app --token=$(oc sa get-token other-admin)  registry.access.redhat.com/dotnet/dotnet-20-rhel7~https://gitlab.cern.ch/wkulma/devforum 
--> Found Docker image 9c4630d (2 weeks old) from registry.access.redhat.com for "registry.access.redhat.com/dotnet/dotnet-20-rhel7"

    .NET Core 2.0 
    ------------- 
    Platform for building and running .NET Core 2.0 applications

    Tags: builder, .net, dotnet, dotnetcore, rh-dotnet20

    * An image stream will be created as "dotnet-20-rhel7:latest" that will track the source image
    * A source build using source code from https://gitlab.cern.ch/wkulma/devforum will be created
      * The resulting image will be pushed to image stream "devforum:latest"
      * Every time "dotnet-20-rhel7:latest" changes a new build will be triggered
    * This image will be deployed in deployment config "devforum"
    * Port 8080/tcp will be load balanced by service "devforum"
      * Other containers can access this service through the hostname "devforum"

--> Creating resources ...
    error: User "system:serviceaccount:test-devforumci-preview:other-admin" cannot create imagestreams.image.openshift.io in project "test-devforumci-preview"
    error: User "system:serviceaccount:test-devforumci-preview:other-admin" cannot create imagestreams.image.openshift.io in project "test-devforumci-preview"
    error: User "system:serviceaccount:test-devforumci-preview:other-admin" cannot create buildconfigs.build.openshift.io in project "test-devforumci-preview"
    error: User "system:serviceaccount:test-devforumci-preview:other-admin" cannot create deploymentconfigs.apps.openshift.io in project "test-devforumci-preview"
    error: User "system:serviceaccount:test-devforumci-preview:other-admin" cannot create services in project "test-devforumci-preview"
--> Failed
wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$                  --server=https://openshift-dev.cern.ch -n test-devforumci
-bash: --server=https://openshift-dev.cern.ch: No such file or directory
wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$

Comment 2 Simo Sorce 2017-10-06 15:15:11 UTC
I do not think admin is sufficient; have you tried adding the service account to the image-puller role?

Comment 3 Will Gordon 2017-10-06 15:18:21 UTC
So, I entered this bug on behalf of someone in IRC. However, testing this myself, I was able to get `oc new-app` to work just by adding admin. So I'm wondering if it's a bug with the way their cluster could be configured?

For reference, I tested successfully in the OpenShift Online Pro cluster.

Comment 4 Simo Sorce 2017-10-06 15:26:38 UTC
Can you post the output of:
oc get rolebindings -n test-devforumci-preview

Comment 5 Mo 2017-10-06 15:43:52 UTC
The admin permission was granted to the wrong SA:

> wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$ oc policy add-role-to-user admin system:serviceaccounts:test-devforumci:other-admin

> error: User "system:serviceaccount:test-devforumci-preview:other-admin" cannot create imagestreams.image.openshift.io in project "test-devforumci-preview"

system:serviceaccounts:test-devforumci:other-admin        == test-devforumci         namespace
system:serviceaccount:test-devforumci-preview:other-admin == test-devforumci-preview namespace
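
The naming mix-up above, turned into a preflight check (an added example, not code from this bug or from `oc`): it validates the subject string before `oc policy add-role-to-user` is run and matches a denial line like the ones in comment 1 against the subject that was actually bound. The regexes and messages are this example's own; the `-z` option of `oc policy add-role-to-user` is the real service-account shorthand.

```python
import re
from typing import Optional

# Identity forms as the OpenShift authorizer sees them (the point of comment 5):
#   system:serviceaccount:<ns>:<name>   user name of ONE service account (singular)
#   system:serviceaccounts:<ns>         GROUP of every service account in <ns> (plural)
SA_USER_RE = re.compile(r"^system:serviceaccount:([^:]+):([^:]+)$")
SA_GROUP_RE = re.compile(r"^system:serviceaccounts:([^:]+)(?::([^:]+))?$")
# Shape of the RBAC denial lines that `oc new-app` printed in comment 1.
FORBIDDEN_RE = re.compile(r'User "([^"]+)" cannot (\w+) (\S+) in project "([^"]+)"')


def check_sa_subject(subject: str, project: str) -> tuple[bool, str]:
    """Validate the subject for `oc policy add-role-to-user ROLE <subject> -n <project>`.

    Returns (ok, explanation). Anything that is not a service-account form is
    treated as an ordinary user name and passed through.
    """
    m = SA_USER_RE.match(subject)
    if m:
        ns, name = m.groups()
        if ns != project:
            return False, (f"service account lives in namespace {ns!r} but the role "
                           f"is being granted for project {project!r}")
        return True, f"ok: binds service account {name!r} in {project!r}"
    g = SA_GROUP_RE.match(subject)
    if g:
        ns, name = g.groups()
        if name is None:
            return False, (f"{subject!r} is the group of all service accounts in "
                           f"{ns!r}; use add-role-to-group, or name one account")
        fixed = f"system:serviceaccount:{project}:{name}"
        return False, (f"plural 'serviceaccounts' prefix is the group form; as a user "
                       f"name it matches nobody. Use {fixed!r} or: "
                       f"oc policy add-role-to-user ROLE -z {name} -n {project}")
    return True, f"ok: {subject!r} is an ordinary user name"


def explain_denial(binding_subject: str, error_line: str) -> Optional[str]:
    """Compare one `cannot <verb> <resource>` line against the subject that was bound."""
    m = FORBIDDEN_RE.search(error_line)
    if not m:
        return None
    denied_user, verb, resource, project = m.groups()
    if denied_user == binding_subject:
        return (f"subject matches; check the binding's namespace and whether the "
                f"role grants {verb} on {resource}")
    _, why = check_sa_subject(binding_subject, project)
    return f"denied identity {denied_user!r} != bound subject {binding_subject!r}: {why}"
```

Run against the values from comment 1, the mistyped subject is rejected with the corrected `system:serviceaccount:test-devforumci-preview:other-admin` form, and the denial line is explained as an identity mismatch rather than a missing role permission.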

Comment 6 Simo Sorce 2017-10-06 15:45:30 UTC
OK, it seems like the user mistyped commands; closing.

Comment 7 Will Gordon 2017-10-23 14:56:42 UTC
closed

