Description of problem:

When running as a "normal" user - a project admin (not cluster admin), access to image streams under -n openshift fails when using "oc new-app".

    $ oc new-app --name=dc-metro-map https://github.com/RedHatGov/openshift-workshops.git --context-dir=dc-metro-map
    error: Error from server (Forbidden): User "ocp-peter" cannot list imagestreams.image.openshift.io in project "openshift"
    error: only a partial match was found for "nodejs": "docker.io/readytalk/nodejs:latest"

    The argument "nodejs" only partially matched the following Docker image, OpenShift image stream, or template:

    * Docker image "docker.io/readytalk/nodejs:latest", 6bbe12d, from local, 274.381mb
      Use --docker-image="docker.io/readytalk/nodejs:latest" to specify this image or template

This same command succeeds when using a cluster admin (same project etc).

You can make the 3.7 CLI work if you make the following changes to the shared-resource-viewer in -n openshift:

    $ oc get role shared-resource-viewer -o json
    {
        "apiVersion": "v1",
        "kind": "Role",
        "metadata": {
            "annotations": {
                "openshift.io/reconcile-protect": "false"
            },
            "creationTimestamp": "2018-02-28T16:33:53Z",
            "name": "shared-resource-viewer",
            "namespace": "openshift",
            "resourceVersion": "276",
            "selfLink": "/oapi/v1/namespaces/openshift/roles/shared-resource-viewer",
            "uid": "2a506cea-1ca5-11e8-b5fa-54ee7586bd69"
        },
        "rules": [
            {
                "apiGroups": [
                    "",
                    "template.openshift.io"
                ],
                "attributeRestrictions": null,
                "resources": [
                    "templates"
                ],
                "verbs": [
                    "get",
                    "list",
                    "watch"
                ]
            },
            {
                "apiGroups": [
                    "",
                    "image.openshift.io"
                ],
                "attributeRestrictions": null,
                "resources": [
                    "imagestreamimages",
                    "imagestreams",
                    "imagestreamtags"
                ],
                "verbs": [
                    "get",
                    "list",
                    "watch"
                ]
            },
            {
                "apiGroups": [
                    "",
                    "image.openshift.io"
                ],
                "attributeRestrictions": null,
                "resources": [
                    "imagestreams/layers"
                ],
                "verbs": [
                    "get"
                ]
            }
        ]
    }

This is the content of the object on 3.7 - on 3.6 the values are the same except for "apiGroup" which is missing on 3.6.

HOWEVER - setting this value makes the web-console fail with the same security error on 3.6 - this is not a viable work-around. The only fix is to use CLI 3.6.1 or similar.

Version-Release number of selected component (if applicable):

    $ oc version
    oc v3.7.23
    kubernetes v1.7.6+a08f5eeb62
    features: Basic-Auth GSSAPI Kerberos SPNEGO

    Server https://master.rhsademo.net:443
    openshift v3.6.173.0.5
    kubernetes v1.6.1+5115d708d7

How reproducible:

Every time

Steps to Reproduce:

1. Set up standard 3.6 cluster - single node or single master - nothing advanced
2. Login as a NORMAL user (no special cluster rights)
3. Create an app based on https://github.com/RedHatGov/openshift-workshops.git (nodejs) - any stream will do, at least the ones I've tried.

Actual results:

You'll get an access denied error (see above)

Expected results:

Completed creation of "new-app" objects.

Additional info:

Have not tested against 3.5 - have not tried multiple 3.7 CLI versions.
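An added example, not part of the original report and not OpenShift's own code: a simplified rule matcher run over the shared-resource-viewer rules shown above and over a constructed copy with "apiGroups" removed, listing which requests each role leaves uncovered. It assumes a rule without apiGroups matches only the ungrouped (legacy) API; that is a modelling assumption, and the names `role_allows` and `missing_grants` are hypothetical.

```python
# Rules of shared-resource-viewer as shown in the report (3.7 content).
RULES_37 = [
    {"apiGroups": ["", "template.openshift.io"],
     "resources": ["templates"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["", "image.openshift.io"],
     "resources": ["imagestreamimages", "imagestreams", "imagestreamtags"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["", "image.openshift.io"],
     "resources": ["imagestreams/layers"], "verbs": ["get"]},
]

# Constructed 3.6 variant: the same rules with "apiGroups" removed,
# matching the report's description of the 3.6 object.
RULES_36 = [{k: v for k, v in r.items() if k != "apiGroups"} for r in RULES_37]

LEGACY_GROUP = ""  # ungrouped API; assumption: rules without apiGroups cover only this


def rule_allows(rule, group, resource, verb):
    """True if one rule covers the (group, resource, verb) request."""
    groups = rule.get("apiGroups") or [LEGACY_GROUP]
    return (("*" in groups or group in groups)
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or verb in rule["verbs"]))


def role_allows(rules, group, resource, verb):
    """True if any rule in the role covers the request."""
    return any(rule_allows(r, group, resource, verb) for r in rules)


def missing_grants(rules, requests):
    """Return the requests that no rule in the role covers."""
    return [req for req in requests if not role_allows(rules, *req)]


# Constructed requests: the grouped one from the error message, its
# ungrouped form, and the grouped template lookup.
REQUESTS = [
    ("image.openshift.io", "imagestreams", "list"),
    ("", "imagestreams", "list"),
    ("template.openshift.io", "templates", "list"),
]

if __name__ == "__main__":
    for name, rules in (("3.6", RULES_36), ("3.7", RULES_37)):
        print(name, "uncovered:", missing_grants(rules, REQUESTS))
```

The same matcher can be pointed at the "rules" array of any role exported with `oc get role ... -o json` to see whether grouped requests are covered before a client upgrade.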
Looks to be a dup of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=1493213 With a fix outlined here. https://github.com/openshift/origin/pull/16465#issuecomment-331203378
PR that was merged to fix this via the installer. https://github.com/openshift/openshift-ansible/pull/5617
*** This bug has been marked as a duplicate of bug 1493213 ***