Description of problem: Can't create app when push code to init gitserver repo due to forbidden error. The default oc client in git server pod is oc version oc v3.7.1+de12586-31 kubernetes v1.7.6+a08f5eeb62 features: Basic-Auth GSSAPI Kerberos SPNEGO And Qe need test this feature with 3.5 and 3.4, so the client compatibility issue conduct this bug Works on above 3.6 env Version-Release number of selected component (if applicable): openshift v3.5.5.31.66 kubernetes v1.5.2+43a9be4 openshift v3.4.1.44.52 kubernetes v1.4.0+776c994 docker.io/openshift/origin-gitserver:latest (c788ff7985e7) How reproducible: always Steps to Reproduce: 1.Create a git server app Follow as https://github.com/openshift/origin/tree/master/examples/gitserver#deploy-the-git-server 2.Push code to the initial git server 3. Actual results: step 2: $ git push origin master Username for 'http://git-git.apps.0412-5ej.qe.rhcloud.com': xiuwang Password for 'http://xiuwang@git-git.apps.0412-5ej.qe.rhcloud.com': Counting objects: 290, done. Delta compression using up to 8 threads. Compressing objects: 100% (187/187), done. Writing objects: 100% (290/290), 46.64 KiB | 0 bytes/s, done. Total 290 (delta 93), reused 281 (delta 89) remote: Error from server (Forbidden): User "system:serviceaccount:git:git" cannot list build.openshift.io.buildconfigs in project "git" remote: error: can't lookup images: User "system:serviceaccount:git:git" cannot create image.openshift.io.imagestreamimports in project "git" remote: error: no match for "centos/ruby-22-centos7" remote: remote: The 'oc new-app' command will match arguments to the following types: remote: remote: 1. Images tagged into image streams in the current project or the 'openshift' project remote: - if you don't specify a tag, we'll add ':latest' remote: 2. Images in the Docker Hub, on remote registries, or on the local Docker engine remote: 3. Templates in the current project or the 'openshift' project remote: 4. Git repository URLs or local paths that point to Git repositories remote: remote: --allow-missing-images can be used to point to an image that does not exist yet. remote: remote: See 'oc new-app -h' for examples. To http://git-git.apps.0412-5ej.qe.rhcloud.com/ruby-hello-world * [new branch] master -> master Expected results: Should create app successfully when init git server Additional info: $ oc get rolebinding NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS admin /admin xiuwang edit /edit git system:deployers /system:deployer deployer system:image-builders /system:image-builder builder system:image-pullers /system:image-puller system:serviceaccounts:git [wxj@dhcp-140-124 ruby-hello-world]$ oc get sa git -o yaml apiVersion: v1 imagePullSecrets: - name: git-dockercfg-kvp8b kind: ServiceAccount metadata: creationTimestamp: 2018-04-13T06:11:38Z labels: app: git name: git namespace: git resourceVersion: "19210" selfLink: /api/v1/namespaces/git/serviceaccounts/git uid: 86b08309-3ee1-11e8-8560-42010af00002 secrets: - name: git-dockercfg-kvp8b - name: git-token-r7z9r
the gitserver is unsupported so we're not going to worry about cross-version compatibility issues in it.