Description of problem:
In "oc" v3.7, `oc debug --node-name` run by normal user prompts "cannot get nodes at the cluster scope". Per email discussion https://url.corp.redhat.com/9265f2a (RH internal), the error should be improved.

Version-Release number of selected component (if applicable):
oc v3.7.0-0.175.0

How reproducible:
Always

Steps to Reproduce:
1. Prepare dc
   $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/deployment/dc-with-two-containers.yaml
2. Check node name to be referenced in following step
   $ oc get pod -o wide
3. $ oc debug dc/dctest --node-name $NODE_NAME -- /bin/env
4. Check step 3 with --loglevel
   $ oc debug dc/dctest --loglevel 6 --node-name $NODE_NAME -- /bin/env
5. As comparison, repeat above steps, but this time with oc v3.6
   $ versions/ose/v3.6.173.0.45/oc debug dc/dctest --loglevel 6 --node-name $NODE_NAME -- /bin/env

Actual results:
2. Get the node name:
   NAME             READY   STATUS    RESTARTS   AGE   IP       NODE
   dctest-1-bxtp7   2/2     Running   0          53s   <none>   NODE_NAME
   ...
3. Get error:
   Error from server (Forbidden): User "xingxingxia" cannot get nodes at the cluster scope: User "xingxingxia" cannot get nodes at the cluster scope (get nodes $NODE_NAME)
4. The output shows it tries to retrieve node:
   ...
   GET https://MASTER:8443/api/v1/nodes/$NODE_NAME 403 Forbidden in 202 milliseconds
   ...
   helpers.go:206] server response object: [{
     "metadata": {},
     "status": "Failure",
     "message": "User \"xingxingxia\" cannot get nodes at the cluster scope: User \"xingxingxia\" cannot get nodes at the cluster scope (get nodes $NODE_NAME)",
     "reason": "Forbidden",
     "details": {
       "name": "$NODE_NAME",
       "kind": "nodes",
       "causes": [
         {
           "reason": "UnexpectedServerResponse",
           "message": "User \"xingxingxia\" cannot get nodes at the cluster scope: User \"xingxingxia\" cannot get nodes at the cluster scope"
         }
       ]
     },
     "code": 403
   }]
5. Command can succeed without node retrieval, the output instead looks like:
   POST https://MASTER:8443/api/v1/namespaces/xxia-proj/pods
   ...
   PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
   HOSTNAME=dctest-debug
   KUBERNETES_SERVICE_PORT_DNS_TCP=53
   ...

Expected results:
4. Not sure what's correct expected result. Possible results may be:
   a. succeed like step 5
   b. or, per above email discussion, get a different error (set by the server) "user is not allowed to target specific nodes" for normal user, but succeed for cluster permission user
And the "oc debug -h" info is better to note normal user is not allowed for flag "--node-name", if normal user cannot use it.

Additional info:
v3.7 `oc debug dc/dctest --node-name=notexist` also reproduces same error as above. But v3.7 didn't retrieve node in early version as seen in https://bugzilla.redhat.com/show_bug.cgi?id=1474262#c3
Origin PR: https://github.com/openshift/origin/pull/17028
From the PR info, this just exactly reverts the fix for bug 1474262. (If that verification was additionally doing a regression positive existent node check, this issue seemed to be found.)

Verified in v3.7.0-0.178.0, the result is same as when that previous bug was reported:
- Succeed when node name exists
- Show message 'unable to create the debug pod ... on node "notexist"' when node name is not existent

After some thought, the reversion sounds OK and the previous bug's reported issue NOW looks acceptable.