Description of problem:
Right now the local registry adapter works well with the 'openshift' namespace because that is a resource shared namespace where any authenticated user has access to the imagestreams within that namespace. We have seen issues when testing on an environment that does not use the 'openshift' namespace because the transient APB service account does not always have the ability to access the images within namespace 'foo'.
Version-Release number of selected component (if applicable):
100% if the namespace does not grant access to all authenticated users.
Steps to Reproduce:
1. Configure the local registry adapter with namespace: 'foo'.
2. Create namespace 'foo'
3. Be configured in a downstream OpenShift cluster where permissions for imagestreams are locked down per namespace
4. Tag and push APB image to internal registry under namespace 'foo'
5. Try to provision APB
APB gets ErrImgPull errors because it cannot find the images outside of the transient namespace
APB is not displayed in the service catalog for this user
Relevant discussion in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1507111
Bug has been changed: https://github.com/openshift/ansible-service-broker/pull/607
Shawn and Zhang,
Yeah this warning should be sufficient. Ideally we revisit this and add some intelligence to check if the images can be pulled from our service account and blacklist images which are not. This at least gives the cluster-admin an idea of what's going wrong so they can open up the images from the target namespace. Hope that helps.
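A sketch of the kind of check suggested in the comment above, as an added example (not code from the broker or from this bug report): given the RoleBindings of a registry namespace, decide whether a transient APB service account could pull from it. It assumes RoleBindings in the rbac.authorization.k8s.io JSON shape and treats only `system:image-puller` as granting pull access; the names `transient-apb-ns` and `apb-sa` and the sample bindings are constructed.

```python
# Added example: can a service account pull images from a namespace,
# judged only from that namespace's RoleBinding objects?

# Assumption: only this role is treated as granting pull access; extend as needed.
PULL_ROLES = {"system:image-puller"}


def sa_groups(sa_namespace):
    """Groups that every service account in sa_namespace belongs to."""
    return {
        "system:authenticated",
        "system:serviceaccounts",
        "system:serviceaccounts:" + sa_namespace,
    }


def can_pull(rolebindings, sa_namespace, sa_name, pull_roles=PULL_ROLES):
    """True if a binding grants a pull role to the account or one of its groups."""
    groups = sa_groups(sa_namespace)
    for rb in rolebindings:
        if rb.get("roleRef", {}).get("name") not in pull_roles:
            continue
        for subj in rb.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") in groups:
                return True
            if (subj.get("kind") == "ServiceAccount"
                    and subj.get("name") == sa_name
                    and subj.get("namespace") == sa_namespace):
                return True
    return False


def unpullable_namespaces(bindings_by_ns, sa_namespace, sa_name):
    """Registry namespaces whose images the account cannot pull."""
    return sorted(ns for ns, rbs in bindings_by_ns.items()
                  if not can_pull(rbs, sa_namespace, sa_name))


# Constructed sample: 'foo' only lets its own service accounts pull.
LOCKED = [{
    "metadata": {"name": "image-pullers", "namespace": "foo"},
    "roleRef": {"kind": "ClusterRole", "name": "system:image-puller"},
    "subjects": [{"kind": "Group", "name": "system:serviceaccounts:foo"}],
}]
# Constructed sample: a cluster-admin opened the namespace to all service accounts.
OPENED = LOCKED + [{
    "metadata": {"name": "apb-pullers", "namespace": "foo"},
    "roleRef": {"kind": "ClusterRole", "name": "system:image-puller"},
    "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}],
}]
```

Binding the role to `system:serviceaccounts` rather than `system:authenticated` keeps the grant limited to service accounts, which is all the transient APB namespace needs.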
Agreed, if you also think there is no need to block displaying the clusterserviceclass in both the backend and the web console in this situation (having the warning is enough).
Please move status to ON_QA. Thanks.
Based on Comment 3 and Comment 5, changing status to Verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.