Description of problem: Got "no matches for kind "PodSecurityPolicySubjectReview" in version "v1"" when 'oc policy scc-subject-review' Version-Release number of selected component (if applicable): # openshift version openshift v3.10.0-0.29.0 kubernetes v1.10.0+b81c8f8 etcd 3.2.16 How reproducible: always Steps to Reproduce: 1.run 'oc policy scc-subject-review -f PodSecurityPolicySubjectReview.json' 2. 3. Actual results: STDERR: unable to recognize "PodSecurityPolicySubjectReview.json": no matches for kind "PodSecurityPolicySubjectReview" in version "v1" Expected results: Successful with no error Additional info: # oc get --raw /oapi/v1 |json_reformat |grep -i security "name": "podsecuritypolicyreviews", "kind": "PodSecurityPolicyReview", "name": "podsecuritypolicyselfsubjectreviews", "kind": "PodSecurityPolicySelfSubjectReview", "name": "podsecuritypolicysubjectreviews", "kind": "PodSecurityPolicySubjectReview", PodSecurityPolicySubjectReview.json { "kind": "PodSecurityPolicySubjectReview", "apiVersion": "v1", "metadata": { "name": "pspsr" }, "spec": { "template": { "spec": { "containers": [ { "name": "hello-openshift", "image": "aosqe/hello-openshift", "ports": [ { "containerPort": 8080, "protocol": "TCP" } ], "resources": { }, "volumeMounts": [ { "name": "tmp", "mountPath": "/tmp" } ], "terminationMessagePath": "/dev/termination-log", "terminationMessagePolicy": "FallbackToLogsOnError", "imagePullPolicy": "IfNotPresent", "securityContext": { "capabilities": { }, "privileged": false } } ], "volumes": [ { "name": "tmp", "emptyDir": { } } ], "restartPolicy": "Always", "dnsPolicy": "ClusterFirst", "serviceAccountName": "default" } }, "user": "<%= userName %>", "groups": [ "system:authenticated" ] }, "status": { } }
Note that the command you are running is incorrect. oc policy scc-subject-review -f FILE assumes that FILE is a Pod, Job, etc, not a PodSecurityPolicySubjectReview object. To use the YAML file you have now you would do something like: oc create -f PodSecurityPolicySubjectReview.json -o=jsonpath={.status.allowedBy.name} That being said there is a bug in regards to how the PSP review objects were being handled. Fixed by https://github.com/openshift/origin/pull/19542
The regression was caused by https://github.com/openshift/origin/pull/19327
Commits pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/7231ab0d5c97b0bc835689248f991d069ace2046 UPSTREAM: <carry>: Add PSP review to /oapi Resources This allows oc to correctly create the legacy ungroupified variants of these objects. Bug 1572562 Signed-off-by: Monis Khan <mkhan> https://github.com/openshift/origin/commit/6144c4bac363e815c965763ed87090eb8ecf7b87 Add PSP review kinds to /oapi group map This allows oc to correctly create the legacy ungroupified variants of these objects. Bug 1572562 Signed-off-by: Monis Khan <mkhan>
Verified. # openshift version openshift v3.10.0-0.47.0 kubernetes v1.10.0+b81c8f8 etcd 3.2.16
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1816