Description of problem:
Running `oc cluster up`, I have defined a ClusterRole [1] to allow `delete` of `projects` without any other restrictions.
Logged in as system:admin, I have performed:
- oc create -f delete-projects.json [1]
- oc create sa delete-admin
- oc adm add-cluster-role-to-user system:service:accounts:default:delete-admin
- oc adm policy who-can delete projects --all-namespaces -> lists system:service:accounts:default:delete-admin
- oc login -u delete-admin -p $(oc sa get-token delete-admin)
- oc delete project myproject -> F1106 11:23:27.217087 6342 helpers.go:119] Error from server (Forbidden): User "other-admin" cannot delete projects in project "myproject"

Version-Release number of selected component (if applicable):
Server https://127.0.0.1:8443
openshift v3.6.173.0.5
kubernetes v1.6.1+5115d708d7

How reproducible: always

Steps to Reproduce: see above

Actual results: Failure to delete project

Expected results: Successfully delete project

Additional info:
[1] http://pastebin.test.redhat.com/529688
please provide the output of oc get serviceaccounts -o json
{
  "apiVersion": "v1",
  "imagePullSecrets": [
    { "name": "delete-admin-dockercfg-553lq" }
  ],
  "kind": "ServiceAccount",
  "metadata": {
    "creationTimestamp": "2017-11-06T16:05:33Z",
    "name": "delete-admin",
    "namespace": "default",
    "resourceVersion": "1512",
    "selfLink": "/api/v1/namespaces/default/serviceaccounts/delete-admin",
    "uid": "516d04f9-c30c-11e7-a08a-6abe92e081f3"
  },
  "secrets": [
    { "name": "delete-admin-dockercfg-553lq" },
    { "name": "delete-admin-token-l1b05" }
  ]
}
Also note that the proper command to add delete-admin to the cluster role is not:
oc adm add-cluster-role-to-user system:service:accounts:default:delete-admin
but it is:
oc adm policy add-cluster-role-to-user delete-projects -z delete-admin
This does not allow me to delete a project either though.
WOW, when was -z added?! That's awesome! The docs still recommend system:serviceaccount:<project>:<sa-name>. [1]
[1] https://docs.openshift.com/container-platform/3.6/dev_guide/service_accounts.html#dev-sa-user-names-and-groups
You are logging in as the SA incorrectly. The correct way is:
> oc login --token=$(oc sa get-token SA_NAME -n SA_NAMESPACE)
This is clear from the error message:
> Error from server (Forbidden): User "other-admin" cannot ...
If you were logged in as the SA it would say:
> Error from server (Forbidden): User "system:serviceaccount:SA_NAMESPACE:SA_NAME" cannot ...
You can use `oc whoami` to tell what user you are logged in as.
Ok, I have also reproduced, and using:
> oc login --token=$(oc sa get-token delete-admin -n default)
> oc delete project myproject
worked. Closing NOTABUG
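The diagnosis in the two comments above (compare the User named in the Forbidden error with the principal the service account token should produce, then log in with the token and confirm with `oc whoami`) as a small added helper script; this is not part of the bug thread, and the function names and the `login_as_sa` wrapper are my own:

```bash
#!/bin/sh
# Helpers for checking that an oc session really runs as the intended
# service account before a privileged action such as deleting a project.
# Hypothetical helpers added for illustration; not from the bug report.

# Identity a service account token authenticates as.
sa_principal() {
    # $1 = namespace, $2 = service account name
    printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Extract the User "..." field from an oc "Error from server (Forbidden)" line.
forbidden_user() {
    # $1 = the error line as printed by oc (a helpers.go prefix is tolerated)
    printf '%s\n' "$1" | sed -n 's/.*User "\([^"]*\)" cannot.*/\1/p'
}

# Did the rejected request come from the service account we meant to use?
# Exit 0: yes, so the RBAC binding itself needs attention.
# Exit 1: no, the session belongs to some other user (wrong login, as in the report).
forbidden_was_sa() {
    # $1 = error line, $2 = namespace, $3 = service account name
    [ "$(forbidden_user "$1")" = "$(sa_principal "$2" "$3")" ]
}

# Log in with the SA's token and verify the session identity before returning.
# Needs a reachable cluster; it is not exercised by the offline checks.
login_as_sa() {
    # $1 = namespace, $2 = service account name
    oc login --token="$(oc sa get-token "$2" -n "$1")" >/dev/null || return 1
    [ "$(oc whoami)" = "$(sa_principal "$1" "$2")" ]
}
```

Run `login_as_sa default delete-admin && oc delete project myproject` to make the deletion conditional on the identity check passing.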
Thanks! That did the trick!