Bug 1572562 - policy_scc_subject_review with error no matches for kind "PodSecurityPolicySubjectReview" in version "v1"
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Release: 3.10.0
Assignee: Mo
QA Contact: Chuan Yu
Reported: 2018-04-27 10:31 UTC by Chuan Yu
Modified: 2018-07-30 19:14 UTC

Last Closed: 2018-07-30 19:14:14 UTC

Links:
Red Hat Product Errata RHBA-2018:1816 (Last Updated: 2018-07-30 19:14:34 UTC)

Description Chuan Yu 2018-04-27 10:31:17 UTC
Description of problem:
Got "no matches for kind "PodSecurityPolicySubjectReview" in version "v1"" when running 'oc policy scc-subject-review'

Version-Release number of selected component (if applicable):
# openshift version
openshift v3.10.0-0.29.0
kubernetes v1.10.0+b81c8f8
etcd 3.2.16

How reproducible:
always

Steps to Reproduce:
1. Run 'oc policy scc-subject-review -f PodSecurityPolicySubjectReview.json'

Actual results:
STDERR:
      unable to recognize "PodSecurityPolicySubjectReview.json": no matches for kind "PodSecurityPolicySubjectReview" in version "v1"

Expected results:
Successful with no error

Additional info:
# oc get --raw /oapi/v1 |json_reformat |grep -i security
            "name": "podsecuritypolicyreviews",
            "kind": "PodSecurityPolicyReview",
            "name": "podsecuritypolicyselfsubjectreviews",
            "kind": "PodSecurityPolicySelfSubjectReview",
            "name": "podsecuritypolicysubjectreviews",
            "kind": "PodSecurityPolicySubjectReview",


PodSecurityPolicySubjectReview.json
{
    "kind": "PodSecurityPolicySubjectReview",
    "apiVersion": "v1",
    "metadata": {
        "name": "pspsr"
    },
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "hello-openshift",
                        "image": "aosqe/hello-openshift",
                        "ports": [
                            {
                                "containerPort": 8080,
                                "protocol": "TCP"
                            }
                        ],
                        "resources": {},
                        "volumeMounts": [
                            {
                                "name": "tmp",
                                "mountPath": "/tmp"
                            }
                        ],
                        "terminationMessagePath": "/dev/termination-log",
                        "terminationMessagePolicy": "FallbackToLogsOnError",
                        "imagePullPolicy": "IfNotPresent",
                        "securityContext": {
                            "capabilities": {},
                            "privileged": false
                        }
                    }
                ],
                "volumes": [
                    {
                        "name": "tmp",
                        "emptyDir": {}
                    }
                ],
                "restartPolicy": "Always",
                "dnsPolicy": "ClusterFirst",
                "serviceAccountName": "default"
            }
        },
        "user": "<%= userName %>",
        "groups": [
            "system:authenticated"
        ]
    },
    "status": {}
}

Comment 1 Mo 2018-04-27 18:30:02 UTC
Note that the command you are running is incorrect.

oc policy scc-subject-review -f FILE

assumes that FILE is a Pod, Job, etc, not a PodSecurityPolicySubjectReview object.

To use the YAML file you have now you would do something like:

oc create -f PodSecurityPolicySubjectReview.json -o=jsonpath={.status.allowedBy.name}

That being said, there is a bug in regard to how the PSP review objects were being handled.

Fixed by https://github.com/openshift/origin/pull/19542
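
Added example, not part of the comment above or of the oc code base: Python that picks the oc invocation matching a manifest's kind, as Comment 1 distinguishes them, and unwraps a review object into a Pod manifest for 'oc policy scc-subject-review' with its -u and -g flags. The function names, the output file name pod.json and the user "alice" are assumptions made for illustration.

```python
import json

REVIEW_KIND = "PodSecurityPolicySubjectReview"
# Comment 1 names Pod and Job as accepted inputs; extend this set as needed.
WORKLOAD_KINDS = {"Pod", "Job"}


def oc_argv(manifest, filename):
    """Pick the oc invocation that matches the manifest's kind."""
    kind = manifest.get("kind")
    if kind == REVIEW_KIND:
        # A review object is submitted to the API; the answer is in .status.
        return ["oc", "create", "-f", filename,
                "-o=jsonpath={.status.allowedBy.name}"]
    if kind in WORKLOAD_KINDS:
        return ["oc", "policy", "scc-subject-review", "-f", filename]
    raise ValueError(f"unsupported kind {kind!r}")


def review_to_pod(review):
    """Unwrap a review object into (pod, argv) for scc-subject-review."""
    if review.get("kind") != REVIEW_KIND:
        raise ValueError("not a PodSecurityPolicySubjectReview")
    spec = review["spec"]
    user, groups = spec.get("user", ""), spec.get("groups", [])
    if "<%" in user:
        # Unrendered template placeholder, as in the file on this page.
        raise ValueError(f"user is an unrendered template: {user!r}")
    pod = {
        "kind": "Pod",
        "apiVersion": "v1",
        "metadata": {"name": review["metadata"]["name"]},
        "spec": spec["template"]["spec"],
    }
    argv = ["oc", "policy", "scc-subject-review", "-f", "pod.json"]
    if user:
        argv += ["-u", user]
    if groups:
        argv += ["-g", ",".join(groups)]
    return pod, argv


# Constructed sample: a trimmed copy of the page's review object, user filled in.
SAMPLE = json.loads("""{
  "kind": "PodSecurityPolicySubjectReview", "apiVersion": "v1",
  "metadata": {"name": "pspsr"},
  "spec": {"template": {"spec": {"serviceAccountName": "default",
      "containers": [{"name": "hello-openshift", "image": "aosqe/hello-openshift"}]}},
    "user": "alice", "groups": ["system:authenticated"]}}""")
```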

Comment 2 Mo 2018-04-27 18:33:25 UTC
The regression was caused by https://github.com/openshift/origin/pull/19327

Comment 3 openshift-github-bot 2018-05-01 01:51:23 UTC
Commits pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/7231ab0d5c97b0bc835689248f991d069ace2046
UPSTREAM: <carry>: Add PSP review to /oapi Resources

This allows oc to correctly create the legacy ungroupified variants
of these objects.

Bug 1572562

Signed-off-by: Monis Khan <mkhan>

https://github.com/openshift/origin/commit/6144c4bac363e815c965763ed87090eb8ecf7b87
Add PSP review kinds to /oapi group map

This allows oc to correctly create the legacy ungroupified variants
of these objects.

Bug 1572562

Signed-off-by: Monis Khan <mkhan>

Comment 5 Chuan Yu 2018-05-18 07:58:23 UTC
Verified.
# openshift version
openshift v3.10.0-0.47.0
kubernetes v1.10.0+b81c8f8
etcd 3.2.16

Comment 7 errata-xmlrpc 2018-07-30 19:14:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816

