Bug 1560716

Summary: docker config secrets not read properly by service account
Product: OpenShift Container Platform
Reporter: Steven Walter <stwalter>
Component: Master
Assignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA
QA Contact: Wang Haoran <haowang>
Severity: high
Priority: unspecified
Version: 3.7.1
CC: aos-bugs, bparees, fshaikh, haowang, jlee, jokerman, maszulik, mmccomas, stwalter, yinzhou
Target Milestone: ---
Target Release: 3.7.z
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2018-06-27 07:59:12 UTC
Type: Bug

Description Steven Walter 2018-03-26 20:16:40 UTC
Description of problem:
Image pull secrets are not being read by service accounts properly. This results in an inability for service accounts to pull images from projects other than the openshift project.

"rpc error: code = 2 desc = Error: image project1/example:v1 not found"

docker logs show:
OpenShift access denied: User \"system:anonymous\" cannot get imagestreams
error authorizing context: access denied

Version-Release number of selected component (if applicable):
3.7

How reproducible:
Confirmed

Steps to Reproduce:
1. Create two projects, "registry" and "prod"
2. Push an image into registry: docker-registry.default.svc:5000/registry/cyrax
3. Grant system:image-pullers role to the service accounts in prod:
# oc adm add-role-to-group system:image-pullers system:serviceaccount:prod -n registry
4. Try to docker pull using their token or oc new-app, both fail
5. Now give them docker pull secret (for a user which has access to both projects):

# oc login -u sektor
# docker login -u sektor -p $(oc whoami -t) https://docker-registry.default.svc:5000
Then pulling from ~/.docker/config.json to create a secret:

# oc secrets new my-secret .dockerconfigjson=config.json 
# oc secrets link builder my-secret 
# oc secrets link default my-secret 
# oc secrets link deployer my-secret 

# oc adm add-role-to-group system:image-pullers system:serviceaccount:prod -n registry

# docker login -u serviceaccount -p $(oc sa get-token deployer) https://docker-registry.default.svc:5000
# docker pull docker-registry.default.svc:5000/registry/cyrax:latest
^that works!

But oc new-app on that or other images in that project fails:
11s        11s         1         cyrax-1-5htvf    Pod                     spec.containers{cyrax}      Warning   Failed                  kubelet, infra-0.sektor.quicklab.example.com   Failed to pull image "docker-registry.default.svc:5000/registry/cyrax:latest": rpc error: code = 2 desc = Error: image registry/cyrax:latest not found

Additional info:
It appears this is reported here as well: https://github.com/openshift/origin/issues/17523
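
Diagnostic added to this page (not the reporter's commands or OpenShift's own code): given the JSON objects that `oc get secret my-secret -o json` and `oc get sa deployer -o json` return, it reports why a pull from docker-registry.default.svc:5000 could still reach the registry as system:anonymous: wrong secret type, missing data key, no entry for the registry host, or the secret not appearing in the service account's imagePullSecrets. It also accepts the legacy kubernetes.io/dockercfg type, which the report does not mention; the sample objects are constructed and the token is a placeholder.

```python
import base64
import json

REGISTRY = "docker-registry.default.svc:5000"  # registry host from the report
DOCKER_TYPES = {"kubernetes.io/dockerconfigjson": ".dockerconfigjson",
                "kubernetes.io/dockercfg": ".dockercfg"}

def check_pull_secret(secret, sa, registry=REGISTRY):
    """Return the problems that would stop `sa` pulling from `registry` with `secret`
    (empty list = looks usable). Inputs are parsed `oc get ... -o json` objects."""
    name = secret.get("metadata", {}).get("name", "<unnamed>")
    sa_name = sa.get("metadata", {}).get("name", "<unnamed>")
    stype = secret.get("type")
    # The kubelet only decodes registry credentials from these two secret types.
    if stype not in DOCKER_TYPES:
        return [f"secret {name} has type {stype!r}, not a docker credential type"]
    key = DOCKER_TYPES[stype]
    raw = secret.get("data", {}).get(key)
    if raw is None:
        return [f"secret {name} is missing data key {key}"]
    try:
        cfg = json.loads(base64.b64decode(raw))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return [f"secret {name}: {key} is not base64-encoded JSON"]
    # config.json nests entries under "auths"; the legacy .dockercfg is flat.
    auths = cfg.get("auths", {}) if key == ".dockerconfigjson" else cfg
    # `docker login https://host` may store the key with or without the scheme.
    entry = auths.get(registry) or auths.get(f"https://{registry}") or {}
    problems = []
    if not entry:
        problems.append(f"secret {name} has no entry for {registry}")
    elif not (entry.get("auth") or (entry.get("username") and entry.get("password"))):
        problems.append(f"secret {name}: entry for {registry} carries no credentials")
    # Pulls use imagePullSecrets (populated by `oc secrets link --for=pull`);
    # a secret listed only under `secrets` is merely mountable.
    if name not in [s.get("name") for s in sa.get("imagePullSecrets") or []]:
        problems.append(f"serviceaccount {sa_name} does not list {name} in imagePullSecrets")
    return problems

# Constructed samples shaped like `oc get secret/sa -o json` output.
_AUTH = base64.b64encode(b"serviceaccount:TOKEN-PLACEHOLDER").decode()
_CFG = json.dumps({"auths": {REGISTRY: {"auth": _AUTH}}}).encode()
SAMPLE_SECRET = {"metadata": {"name": "my-secret"},
                 "type": "kubernetes.io/dockerconfigjson",
                 "data": {".dockerconfigjson": base64.b64encode(_CFG).decode()}}
SA_PULL = {"metadata": {"name": "deployer"}, "secrets": [{"name": "my-secret"}],
           "imagePullSecrets": [{"name": "my-secret"}]}
SA_MOUNT_ONLY = {"metadata": {"name": "default"}, "secrets": [{"name": "my-secret"}]}
```

Run `check_pull_secret(SAMPLE_SECRET, SA_MOUNT_ONLY)` to see the imagePullSecrets finding; `check_pull_secret(SAMPLE_SECRET, SA_PULL)` returns an empty list.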

Comment 10 Maciej Szulik 2018-04-10 12:28:38 UTC
It looks like the root cause here is coming from https://bugzilla.redhat.com/show_bug.cgi?id=1531511. Jooho clearly stated the problem does not exist. Please ensure you're using the latest oc binary when creating the secrets.

Comment 11 Steven Walter 2018-04-16 16:51:17 UTC
Just to clarify, by "latest oc binary" do you mean the 3.9 oc, or the latest 3.7 binary (as the customer is on 3.7 and this bug is filed for 3.7)? Do we expect the latest 3.7 binary to contain the fix? (Noting that the errata attached to 1531511 does NOT appear to contain any 3.7 packages.)

Comment 27 errata-xmlrpc 2018-06-27 07:59:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2009