Description of problem:
Ordinary users can't describe or update the broker they created if they log in with the command "oc login -u user --server=xxx:port". The message is:

  the provided version "servicecatalog.k8s.io/v1beta1" has no relevant versions: group servicecatalog.k8s.io has not been registered
  no matches for servicecatalog.k8s.io/, Kind=ClusterServiceBroker

Version-Release number of selected component (if applicable):
openshift v3.7.0-0.191.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8
registry.reg-aws.openshift.com:443/openshift3/ose-service-catalog:v3.7.0-0.191.0

How reproducible:
Always

Steps to Reproduce:
1. Log in as an ordinary user (user1)
# oc login -u atestuser1 --server=xxx:port
# oc new-project atestproject1
# oc get secrets

2. Log in as system admin and create the broker role
# oc login -u system:admin
# oc create -f broker-role.yaml
# cat broker-role.yaml
apiVersion: v1
kind: ClusterRole
metadata:
  name: clusterservicebroker-admin
rules:
- apiGroups:
  - servicecatalog.k8s.io
  attributeRestrictions: null
  resources:
  - clusterservicebrokers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

3. Add the role to the ordinary user1
# oc adm policy add-cluster-role-to-user clusterservicebroker-admin atestuser1
# oc admin policy who-can create clusterservicebrokers

4. User1 can create a broker with its auth secret
# oc login -u atestuser1 --server=xxx:port
# oc policy can-i create clusterservicebrokers
# oc create -f broker.yaml
# cat broker.yaml
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ClusterServiceBroker
metadata:
  name: abroker
spec:
  url: http://abroker.svc.cluster.local
  authInfo:
    bearer:
      secretRef:
        namespace: atestproject1
        name: default-token-8kcsh
[Note] Choose one of the secrets in atestproject1 as the secretRef name here

5. Update the broker with another of user1's secrets (e.g. default-token-4dmfd in atestproject1)
# oc edit clusterservicebroker abroker

6. Log in to the master with user1 directly and describe/update the broker with another of user1's secrets
# ssh master
# oc login -u atestuser1

Actual results:
1.
[root@qwang_laptop qwang]# oc get secret -n atestproject1
NAME                       TYPE                                  DATA      AGE
builder-dockercfg-q22cd    kubernetes.io/dockercfg               1         30m
builder-token-5mlkn        kubernetes.io/service-account-token   4         30m
builder-token-bbp5h        kubernetes.io/service-account-token   4         30m
default-dockercfg-c8xvj    kubernetes.io/dockercfg               1         30m
default-token-4dmfd        kubernetes.io/service-account-token   4         30m
default-token-8kcsh        kubernetes.io/service-account-token   4         30m
deployer-dockercfg-jfbzg   kubernetes.io/dockercfg               1         30m
deployer-token-frspw       kubernetes.io/service-account-token   4         30m
deployer-token-gsz8k       kubernetes.io/service-account-token   4         30m

4.
[root@qwang_laptop qwang]# oc create -f broker.yaml
clusterservicebroker "abroker" created
[root@qwang_laptop qwang]# oc get clusterservicebroker
NAME                     KIND
abroker                  ClusterServiceBroker.v1beta1.servicecatalog.k8s.io
ansible-service-broker   ClusterServiceBroker.v1beta1.servicecatalog.k8s.io

5.
[root@qwang_laptop qwang]# oc edit clusterservicebroker abroker
the provided version "servicecatalog.k8s.io/v1beta1" has no relevant versions: group servicecatalog.k8s.io has not been registered
no matches for servicecatalog.k8s.io/, Kind=ClusterServiceBroker
[root@qwang_laptop qwang]# oc describe clusterservicebroker abroker
the provided version "servicecatalog.k8s.io/v1beta1" has no relevant versions: group servicecatalog.k8s.io has not been registered
no matches for servicecatalog.k8s.io/, Kind=ClusterServiceBroker

6. User1 can describe/update the broker with another of user1's auth secrets successfully if logged in on the master.

Expected results:
5. User1 has access to its auth secret, so user1 can create and update the broker resource according to the ClusterRole.

Additional info:
Jeff, please take a look. It looks to me like there is a problem either with registering the API group with the aggregator or with how the user logged in.
Jay, will you please take a look at this? It might be an issue with using 'clusterservicebroker' instead of 'clusterservicebrokers' in the user's commands.
I cannot reproduce this; it works correctly for me in my development deployment on Fedora. Qixuan Wang, can you please provide details on what server you are connecting to with oc login? Is it the same URL reported by 'oc cluster up'? You must be connecting to the aggregator, not directly to the service catalog API server. After doing oc login, please run 'oc get apiservices' and report back the output.
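One way to automate the check asked for above (is the client pointed at the aggregator, and is the service catalog API group registered, available and discoverable from there), as an added example that is not from this report or from the OpenShift project. It assumes you capture the output of `oc whoami --show-server`, `oc api-versions` and `oc get apiservices -o json` and feed it in; the sample data below is constructed to mirror the report, not real cluster output.

```python
import json
from urllib.parse import urlparse

# The group/version the report's error message names.
GROUP_VERSION = "servicecatalog.k8s.io/v1beta1"

# Constructed sample data mirroring the report (not real cluster output).
SAMPLE_API_VERSIONS = "apps/v1beta1\nservicecatalog.k8s.io/v1beta1\nv1\n"
SAMPLE_APISERVICES = json.dumps({"items": [{
    "metadata": {"name": "v1beta1.servicecatalog.k8s.io"},
    "spec": {"group": "servicecatalog.k8s.io", "version": "v1beta1"},
    "status": {"conditions": [{"type": "Available", "status": "True"}]}}]})

def same_endpoint(login_server, aggregator_server):
    """True when oc login was pointed at the aggregator (scheme/host/port match)."""
    a, b = urlparse(login_server), urlparse(aggregator_server)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)

def discovered_groups(api_versions_text):
    """Parse `oc api-versions` output into the set of group/version strings served."""
    return {line.strip() for line in api_versions_text.splitlines() if line.strip()}

def apiservice_available(apiservices_json, group_version):
    """Return the Available condition of the matching APIService, or None if absent."""
    group, version = group_version.split("/")
    for item in json.loads(apiservices_json).get("items", []):
        spec = item.get("spec", {})
        if spec.get("group") == group and spec.get("version") == version:
            conds = item.get("status", {}).get("conditions", [])
            return any(c.get("type") == "Available" and c.get("status") == "True"
                       for c in conds)
    return None

def diagnose(login_server, aggregator_server, api_versions_text, apiservices_json,
             group_version=GROUP_VERSION):
    """Classify why a client may see 'group ... has not been registered'."""
    if not same_endpoint(login_server, aggregator_server):
        return "wrong-endpoint"          # logged in somewhere other than the aggregator
    available = apiservice_available(apiservices_json, group_version)
    if available is None:
        return "apiservice-missing"      # nothing registered for the group/version
    if not available:
        return "apiservice-unavailable"  # registered, but the backing service is down
    if group_version not in discovered_groups(api_versions_text):
        return "not-discoverable"        # registered and up, yet discovery omits it
    return "ok"
```

A "wrong-endpoint" result matches the situation described above, where RBAC is correct but the user logged in against a server that does not serve the aggregated group.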
With the new oc v3.7.0-0.196.0, I can no longer reproduce the bug, so I am closing it.

[root@qwang_laptop qwang]# oc edit clusterservicebroker abroker
clusterservicebroker "abroker" edited
[root@qwang_laptop qwang]# oc describe clusterservicebroker abroker | grep -A6 Spec
Spec:
  Auth Info:
    Bearer:
      Secret Ref:
        Name:       default-token-zhqtb
        Namespace:  qwang1
  Relist Behavior:  Duration