Bug 1512042 - Local Registry Adapter should not display APBs that can't be deployed from a namespace other than 'openshift'
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.8.0
Target Release: 3.9.0
Assigned To: Shawn Hurley
QA Contact: Zhang Cheng
Reported: 2017-11-10 13:06 EST by Dylan Murray
Modified: 2018-06-27 14:01 EDT
Doc Type: No Doc Update
Last Closed: 2018-06-27 14:01:30 EDT
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2013 None None None 2018-06-27 14:01 EDT

Description Dylan Murray 2017-11-10 13:06:57 EST
Description of problem:
Right now the local registry adapter works well with the 'openshift' namespace because that is a resource shared namespace where any authenticated user has access to the imagestreams within that namespace. We have seen issues when testing on an environment that does not use the 'openshift' namespace because the transient APB service account does not always have the ability to access the images within namespace 'foo'.

Version-Release number of selected component (if applicable):
3.8.0

How reproducible:
100% If the namespace does not grant access to all authenticated users.

Steps to Reproduce:
1. Configure the local registry adapter with namespace: 'foo'.
2. Create namespace 'foo'.
3. Be configured in a downstream OpenShift cluster where permissions for imagestreams are locked down per namespace.
4. Tag and push the APB image to the internal registry under namespace 'foo'.
5. Try to provision the APB.

Actual results:
APB gets ErrImgPull errors because it cannot find the images outside of the transient namespace

Expected results:
APB is not displayed in the service catalog for this user

Additional info:
Relevant discussion in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1507111
Comment 2 Shawn Hurley 2018-01-02 15:31:53 EST
Bug has been changed: https://github.com/openshift/ansible-service-broker/pull/607
Comment 5 Dylan Murray 2018-01-18 08:59:24 EST
Shawn and Zhang,

Yeah this warning should be sufficient. Ideally we revisit this and add some intelligence to check if the images can be pulled from our service account and blacklist images which are not. This at least gives the cluster-admin an idea of what's going wrong so they can open up the images from the target namespace. Hope that helps.
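The access check suggested in Comment 5, sketched as an added example; it is not part of the bug thread or the broker's code. It assumes the input is `oc get rolebindings -n <namespace> -o json` output, that `system:image-puller` is the only role that grants pull access (other roles can also grant it), and the namespace and service account names are constructed.

```python
import json

# Constructed sample: trimmed rolebindings of a locked-down namespace 'foo',
# where only service accounts of 'foo' itself may pull its images.
SAMPLE_ROLEBINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "system:image-pullers", "namespace": "foo"},
   "roleRef": {"name": "system:image-puller"},
   "subjects": [{"kind": "Group", "name": "system:serviceaccounts:foo"}]},
  {"metadata": {"name": "admin", "namespace": "foo"},
   "roleRef": {"name": "admin"},
   "subjects": [{"kind": "User", "name": "dev1"}]}
]}
""")

PULL_ROLES = {"system:image-puller"}  # assumption: only this role is checked


def can_pull(rolebindings, sa_namespace, sa_name):
    """Return True if a binding in the image namespace lets the given
    service account (for example a transient APB one) pull images."""
    # Groups every service account in sa_namespace belongs to.
    groups = {
        "system:authenticated",
        "system:serviceaccounts",
        "system:serviceaccounts:" + sa_namespace,
    }
    for rb in rolebindings.get("items", []):
        if rb.get("roleRef", {}).get("name") not in PULL_ROLES:
            continue
        for subj in rb.get("subjects") or []:
            kind = subj.get("kind")
            # "SystemGroup" is the legacy OpenShift spelling of a group subject.
            if kind in ("Group", "SystemGroup") and subj.get("name") in groups:
                return True
            if kind == "ServiceAccount" and subj.get("name") == sa_name:
                # A subject without a namespace refers to the binding's own.
                subj_ns = subj.get("namespace", rb["metadata"]["namespace"])
                if subj_ns == sa_namespace:
                    return True
    return False


if __name__ == "__main__":
    # Hypothetical transient namespace and service account names.
    print(can_pull(SAMPLE_ROLEBINDINGS, "transient-ns", "apb-sa"))
```

When the check returns False, a cluster-admin can open up the images with `oc policy add-role-to-group system:image-puller system:authenticated -n foo`.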
Comment 6 Zhang Cheng 2018-01-18 22:12:55 EST
Agreed, if you also think there is no need to block displaying the clusterserviceclass in both the backend and the web console in this situation (having the warning is enough).

Please move status to ON_QA. Thanks.
Comment 7 Zhang Cheng 2018-01-20 09:31:36 EST
Based on Comment 3 and Comment 5, changing status to Verified.
Comment 9 errata-xmlrpc 2018-06-27 14:01:30 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2013
