Bug 1535639

$ oc cluster up --version-latest --service-catalog 
gives me errors starting catalog:

-- Installing service catalog ... FAIL
   Error: could not reconcile service catalog cluster role admin
   Caused By:
     Error: the server could not find the requested resource


which looks similar to https://github.com/openshift/origin/issues/17867  but that was trying to start a 3.7 cluster from the 3.9 client.

If I leave off --version-latest catalog installs fine.  OC version reports that server is on "kubernetes v1.9.0-beta1".

strange, i dont get any errors from oc, it tells me it is successful even though it isnt

@jay is your oc also the latest from origin?

Could cluster up successfully with 3.9.0-0.20.0.0 
$oc cluster up --image=brew-pulp-**/openshift3/ose --version=v3.9.0-0.20.0.0 --service-catalog=true
$oc version
Server https://127.0.0.1:8443
openshift v3.9.0-0.20.0
kubernetes v1.9.1+a0ce1bc657

Could provision clusterserviceclass succeed.

Met same error with comment #1 with registry.access.redhat.com latest images, my oc verison is 'v3.9.0-0.19.0'

$oc cluster up --version=latest --service-catalog  
Starting OpenShift using registry.access.redhat.com/openshift3/ose:latest ...
Pulling image registry.access.redhat.com/openshift3/ose:latest

@Jessica re comment 3:  Yep, I rebased and did a make clean build WHAT=cmd/oc.  Retried just now and I get the same results.  But I realize this is rather tangential, I do see Catalog has role problems using latest which I'll dig into.

see new aggregation label requirements in 1.9:  https://kubernetes.io/docs/admin/authorization/rbac/#user-facing-roles 

looks like catalog needs to add the appropriate aggregation label to admin/edit/view cluster roles to merge new policy rules for catalog resources.

But the catalog bootstrap code is bombing out before this in my deployment, it's failing to locate existing Cluster Roles

pkg/registry/rbac/reconciliation/reconcile_role.go:
  existing, err := o.Client.Get(o.Role.GetNamespace(), o.Role.GetName())

For my lookup namespace is nil, rolename=admin and I get the error "the server could not find the requested resource".   Same for view and edit roles. The Get() works properly when I don't use version=latest.

See https://github.com/openshift/origin/pull/17976#issuecomment-359103793

You will need to use cluster role aggregation instead of reconciliation (search for GetServiceCatalogRBACDelta).

fixed by https://github.com/openshift/origin/pull/18251

PR 18251 has been merged.

Set cluster up env with enabled service-catalog for version（openshift v3.9.0-0.34.0
kubernetes v1.9.1+a0ce1bc657）

1.The end user(admin role) could create/delete serviceinstance and do bind/unbind operation.
2.Remove admin role, add edit role manual.
edit role could create/delete serviceinstance and do bind/unbind operation.
3.remove admin，edit role, add view role.
Could not create/delete serviceinstance and do bind/unbind operation.

Move this bug as verified

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489