Bug 1535639 - oc cluster up --service-catalog not updating clusterroles
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.9.0
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: high
Target Release: 3.9.0
Assigned To: Jay Boyd
QA Contact: Wenjing Zheng
Reported: 2018-01-17 14:27 EST by Jessica Forrester
Modified: 2018-03-28 10:20 EDT
Doc Type: No Doc Update
Last Closed: 2018-03-28 10:20:40 EDT
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0489 None None None 2018-03-28 10:20 EDT

Description Jessica Forrester 2018-01-17 14:27:23 EST
When running oc cluster up --version=latest --service-catalog I do not see the OOTB roles getting updated. This means end users are unable to create instances or bindings among other things.

According to @deads this is likely related to missing https://kubernetes.io/docs/admin/authorization/rbac/#aggregated-clusterroles when updating to 1.9


> oc version
oc v3.9.0-alpha.2+78ddc10-96-dirty
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth

Server https://127.0.0.1:8443
openshift v3.9.0-alpha.2+78ddc10-96
kubernetes v1.9.1+a0ce1bc657
Comment 1 Jay Boyd 2018-01-17 16:03:17 EST
$ oc cluster up --version-latest --service-catalog 
gives me errors starting catalog:

-- Installing service catalog ... FAIL
   Error: could not reconcile service catalog cluster role admin
   Caused By:
     Error: the server could not find the requested resource


which looks similar to https://github.com/openshift/origin/issues/17867  but that was trying to start a 3.7 cluster from the 3.9 client.

If I leave off --version-latest catalog installs fine.  OC version reports that server is on "kubernetes v1.9.0-beta1".
Comment 2 Jessica Forrester 2018-01-17 17:05:31 EST
Strange, I don't get any errors from oc; it tells me it is successful even though it isn't.
Comment 3 Jessica Forrester 2018-01-17 17:48:52 EST
@jay is your oc also the latest from origin?
Comment 4 XiuJuan Wang 2018-01-18 04:38:09 EST
Could cluster up successfully with 3.9.0-0.20.0.0 
$oc cluster up --image=brew-pulp-**/openshift3/ose --version=v3.9.0-0.20.0.0 --service-catalog=true
$oc version
Server https://127.0.0.1:8443
openshift v3.9.0-0.20.0
kubernetes v1.9.1+a0ce1bc657

Could provision clusterserviceclass successfully.

Met the same error as comment #1 with the registry.access.redhat.com latest images; my oc version is 'v3.9.0-0.19.0'.

$oc cluster up --version=latest --service-catalog  
Starting OpenShift using registry.access.redhat.com/openshift3/ose:latest ...
Pulling image registry.access.redhat.com/openshift3/ose:latest
Comment 5 Jay Boyd 2018-01-18 09:17:00 EST
@Jessica re comment 3:  Yep, I rebased and did a make clean build WHAT=cmd/oc.  Retried just now and I get the same results.  But I realize this is rather tangential, I do see Catalog has role problems using latest which I'll dig into.
Comment 6 Jay Boyd 2018-01-19 12:27:57 EST
See the new aggregation label requirements in 1.9: https://kubernetes.io/docs/admin/authorization/rbac/#user-facing-roles

Looks like catalog needs to add the appropriate aggregation label to admin/edit/view cluster roles to merge new policy rules for catalog resources.

But the catalog bootstrap code is bombing out before this in my deployment; it's failing to locate existing Cluster Roles.

pkg/registry/rbac/reconciliation/reconcile_role.go:
  existing, err := o.Client.Get(o.Role.GetNamespace(), o.Role.GetName())

For my lookup namespace is nil, rolename=admin and I get the error "the server could not find the requested resource".   Same for view and edit roles. The Get() works properly when I don't use version=latest.
Comment 7 Mo 2018-01-19 17:13:17 EST
See https://github.com/openshift/origin/pull/17976#issuecomment-359103793

You will need to use cluster role aggregation instead of reconciliation (search for GetServiceCatalogRBACDelta).
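
Added example, not part of the bug thread or of the Origin fix: a pair of ClusterRoles showing the Kubernetes 1.9 aggregation labels that comments 6 and 7 refer to, split so that admin and edit gain write access to catalog instances and bindings while view gains read access only. The role names and the exact verb lists are assumptions for illustration; the label keys and the servicecatalog.k8s.io API group are the upstream ones.

```yaml
# Added example. Role names are hypothetical, not the ones Service Catalog ships.
# The aggregate-to-* labels tell the Kubernetes 1.9+ aggregation controller to
# merge these rules into the built-in admin, edit and view ClusterRoles, so no
# reconciliation of the built-in roles themselves is needed.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example:servicecatalog-write   # hypothetical name
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["serviceinstances", "servicebindings"]
  # Assumed verb set: full lifecycle for instances and bindings.
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example:servicecatalog-read    # hypothetical name
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["serviceinstances", "servicebindings"]
  # Read-only: view must not be able to provision or bind.
  verbs: ["get", "list", "watch"]
```

After applying, `oc get clusterrole admin -o yaml` should list the servicecatalog.k8s.io rules among the merged rules, which is the part that was missing in this bug.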
Comment 8 Jay Boyd 2018-01-23 15:28:18 EST
fixed by https://github.com/openshift/origin/pull/18251
Comment 9 Jay Boyd 2018-01-25 10:26:14 EST
PR 18251 has been merged.
Comment 11 XiuJuan Wang 2018-01-31 03:29:47 EST
Set up cluster up env with service-catalog enabled for version (openshift v3.9.0-0.34.0, kubernetes v1.9.1+a0ce1bc657).

1. The end user (admin role) could create/delete serviceinstance and do bind/unbind operations.
2. Remove admin role, add edit role manually.
   The edit role could create/delete serviceinstance and do bind/unbind operations.
3. Remove admin and edit roles, add view role.
   Could not create/delete serviceinstance or do bind/unbind operations.

Moving this bug to verified.
Comment 14 errata-xmlrpc 2018-03-28 10:20:40 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489
