+++ This bug was initially created as a clone of Bug #1572028 +++

+++ This bug is a clone that pertains to clusters created with openshift-ansible +++

Description of problem:
Normal user meets "Failed to list .../servicecatalog.k8s.io/v1beta1 (status 403)" in home page.
Grant cluster-admin to the user, the error is not met again.

Version-Release number of selected component (if applicable):
OpenShift Master: v3.10.0-0.29.0
Kubernetes Master: v1.10.0+b81c8f8
OpenShift Web Console: v3.10.0-0.29.0

How reproducible:
Always

Steps to Reproduce:
1. Normal user logs in to web console
2. Grant cluster-admin to the user, repeat above step

Actual results:
1. Meet:
   An error occurred connecting to the server.
   Failed to list clusterserviceplans/servicecatalog.k8s.io/v1beta1 (status 403)
   Failed to list clusterserviceclasses/servicecatalog.k8s.io/v1beta1 (status 403)
2. Error gone

Expected results:
1. Should not have the error.

Additional info:
Given master version v3.10.0-0.29.0, change web console image tag to v3.10.0-0.28.0, error still happens.
But env of below version matrix doesn't meet the error:
OpenShift Master: v3.10.0-0.28.0
OpenShift Web Console: v3.10.0-0.28.0

--- Additional comment from on 2018-04-26 01:36:44 EDT ---

In the backend, run command as normal user, got the following error.

    [zitang@dhcp-140-42 ~]$ oc get clusterserviceclass
    Error from server (Forbidden): clusterserviceclasses.servicecatalog.k8s.io is forbidden: User "zitang2" cannot list clusterserviceclasses.servicecatalog.k8s.io at the cluster scope: User "zitang2" cannot list all clusterserviceclasses.servicecatalog.k8s.io in the cluster

--- Additional comment from weiwei jiang on 2018-04-26 01:50:34 EDT ---

FYI

    # oc get clusterrolebindings servicecatalog-serviceclass-viewer-binding -o yaml
    apiVersion: authorization.openshift.io/v1
    groupNames: null
    kind: ClusterRoleBinding
    metadata:
      creationTimestamp: 2018-04-26T02:39:10Z
      name: servicecatalog-serviceclass-viewer-binding
      resourceVersion: "9803"
      selfLink: /apis/authorization.openshift.io/v1/clusterrolebindings/servicecatalog-serviceclass-viewer-binding
      uid: ffa01749-48fa-11e8-8ab2-0eddbd40f1c2
    roleRef:
      name: servicecatalog-serviceclass-viewer
    subjects:
    - kind: SystemGroup
      name: system:authenticated
    userNames: null

Workaround as following:

    oc patch clusterrolebindings servicecatalog-serviceclass-viewer-binding -p '{"groupNames": ["system:authenticated"]}'

or

    oc patch clusterrolebindings servicecatalog-serviceclass-viewer-binding -p '{"groupNames": ["system:authenticated:oauth"]}'

--- Additional comment from Paul Morie on 2018-04-26 09:34:41 EDT ---

I have a PR to fix this when the cluster is created with oc cluster up: https://github.com/openshift/origin/pull/19460

Was this found on a cluster created with oc cluster up or with the installer?

--- Additional comment from Xingxing Xia on 2018-04-27 01:57:43 EDT ---

It was found on env created with ansible installer

--- Additional comment from Xingxing Xia on 2018-04-27 05:25:11 EDT ---

Your PR not merged yet. Tried oc cluster up env (via oc v3.10.0-0.30.0), also reproduces the bug
Jay, could you take a look at this for the scenario where the cluster is created by openshift-ansible?
fixed by https://github.com/openshift/openshift-ansible/pull/8205 (not yet merged)
https://github.com/openshift/openshift-ansible/pull/8205 just merged, next build of OCP will pick it up.
image is ready, change it to ON_QA
Verified, openshift-ansible version: v3.10.0-0.35.0.0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1816