Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1498983

Summary: Unable to `oc new-app` with service account
Product: OpenShift Container Platform Reporter: Will Gordon <wgordon>
Component: apiserver-authAssignee: Simo Sorce <ssorce>
Status: CLOSED NOTABUG QA Contact: Chuan Yu <chuyu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: aos-bugs, mkhan, wgordon
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-06 15:45:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Will Gordon 2017-10-05 18:02:32 UTC 
Description of problem:
Trying to create a service account (and granting it admin), does not allow it to deploy new applications.

Version-Release number of selected component (if applicable):
OpenShift Master: v3.6.0-fixflex.1+3cf52d6
Kubernetes Master: v1.6.1+5115d708d7

How reproducible:
always

Steps to Reproduce:
https://gist.github.com/wklm/51e314d26ccad5526438b35b09210285

Actual results:
Application not created

Expected results:
Application created

Additional info:
Comment 1 Simo Sorce 2017-10-06 15:10:31 UTC 
Copying the gist pointed at here, so we have everything needed in future.

wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$ oc project test-devforumci-preview
Now using project "test-devforumci-preview" on server "https://openshift-dev.cern.ch:443".
wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$ oc create sa other-admin
serviceaccount "other-admin" created
wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$ oc policy add-role-to-user admin system:serviceaccounts:test-devforumci:other-admin
role "admin" added: "system:serviceaccounts:test-devforumci:other-admin"
wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$  oc new-app --token=$(oc sa get-token other-admin)  registry.access.redhat.com/dotnet/dotnet-20-rhel7~https://gitlab.cern.ch/wkulma/devforum 
--> Found Docker image 9c4630d (2 weeks old) from registry.access.redhat.com for "registry.access.redhat.com/dotnet/dotnet-20-rhel7"

    .NET Core 2.0 
    ------------- 
    Platform for building and running .NET Core 2.0 applications

    Tags: builder, .net, dotnet, dotnetcore, rh-dotnet20

    * An image stream will be created as "dotnet-20-rhel7:latest" that will track the source image
    * A source build using source code from https://gitlab.cern.ch/wkulma/devforum will be created
      * The resulting image will be pushed to image stream "devforum:latest"
      * Every time "dotnet-20-rhel7:latest" changes a new build will be triggered
    * This image will be deployed in deployment config "devforum"
    * Port 8080/tcp will be load balanced by service "devforum"
      * Other containers can access this service through the hostname "devforum"

--> Creating resources ...
    error: User "system:serviceaccount:test-devforumci-preview:other-admin" cannot create imagestreams.image.openshift.io in project "test-devforumci-preview"
    error: User "system:serviceaccount:test-devforumci-preview:other-admin" cannot create imagestreams.image.openshift.io in project "test-devforumci-preview"
    error: User "system:serviceaccount:test-devforumci-preview:other-admin" cannot create buildconfigs.build.openshift.io in project "test-devforumci-preview"
    error: User "system:serviceaccount:test-devforumci-preview:other-admin" cannot create deploymentconfigs.apps.openshift.io in project "test-devforumci-preview"
    error: User "system:serviceaccount:test-devforumci-preview:other-admin" cannot create services in project "test-devforumci-preview"
--> Failed
wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$                  --server=https://openshift-dev.cern.ch -n test-devforumci
-bash: --server=https://openshift-dev.cern.ch: No such file or directory
wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$
Comment 2 Simo Sorce 2017-10-06 15:15:11 UTC 
I do not think admin is sufficient, have you tried adding the service account to the image-puller role ?
Comment 3 Will Gordon 2017-10-06 15:18:21 UTC 
So, I entered this bug on behalf of someone in IRC. However, testing this myself, I was able to get `oc new-app` to work just by adding admin. So I'm wondering if it's a bug with the way their cluster could be configured?

For reference, I tested successfully in the OpenShift Online Pro cluster.
Comment 4 Simo Sorce 2017-10-06 15:26:38 UTC 
can you post the output of:
oc get rolebindings -n test-devforumci-preview
Comment 5 Mo 2017-10-06 15:43:52 UTC 
The admin permission was granted to the wrong SA:

> wojtek@pcuds54:~/Desktop/smieci/fsharp/fsharponacci$ oc policy add-role-to-user admin system:serviceaccounts:test-devforumci:other-admin

> error: User "system:serviceaccount:test-devforumci-preview:other-admin" cannot create imagestreams.image.openshift.io in project "test-devforumci-preview"

system:serviceaccounts:test-devforumci:other-admin        == test-devforumci         namespace
system:serviceaccount:test-devforumci-preview:other-admin == test-devforumci-preview namespace
Comment 6 Simo Sorce 2017-10-06 15:45:30 UTC 
Ok seem like the user mistyped commands, closing
Comment 7 Will Gordon 2017-10-23 14:56:42 UTC 
closed