Bug 1625147
| Summary: | [olm] the alm-operator crashed with the "admin" permission | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Jian Zhang <jiazha> |
| Component: | OLM | Assignee: | Evan Cordell <ecordell> |
| Status: | CLOSED ERRATA | QA Contact: | Jian Zhang <jiazha> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3.11.0 | | |
| Target Milestone: | --- | | |
| Target Release: | 3.11.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-11 07:25:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
The aggregate-olm-edit and aggregate-olm-view roles should be automatically collected by the global "view" and "edit" clusterroles. To make sure this is working, you should be able to `oc get clusterrole view` and see the rules from aggregate-olm-view there, and you should be able to `oc get clusterrole edit` and see the rules from aggregate-olm-edit there as well.

Install the OLM by using the openshift-ansible master branch.

LGTM, verify it, thanks!

```
[root@qe-jiazha-master-etcd-1 ~]# oc get clusterrole view -o yaml
...
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - get
  - list
  - watch

[root@qe-jiazha-master-etcd-1 ~]# oc get clusterrole edit -o yaml
...
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

[root@qe-jiazha-master-etcd-1 ~]# oc get clusterrole admin -o yaml
...
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652
Description of problem:

When the "admin" permission is granted to the "olm-operator-serviceaccount", the alm-operator crashed:

```
"error configuring operator: namespaces \"default\" is forbidden: User \"system:serviceaccount:operator-lifecycle-manager:olm-operator-serviceaccount\" cannot patch namespaces in the namespace \"default\": no RBAC policy matched"
```

Maybe something is wrong in the clusterroles we created, "aggregate-olm-edit" and "aggregate-olm-view".

Version-Release number of selected component (if applicable):

```
quay.io/coreos/olm@sha256:44b445850b3e612c062424c3727bb85048ec8e71407b39985786d29aa20f5c79
quay.io/coreos/catalog@sha256:20886d49205aa8d8fd53f1c85fad6a501775226da25ef14f51258b7066e91064
```

How reproducible: always

Steps to Reproduce:
1. Delete the clusterrolebinding "olm-operator-binding-operator-lifecycle-manager".
2. Grant the "admin" permission to the serviceaccount "olm-operator-serviceaccount":
   `# oc adm policy add-cluster-role-to-user admin -z olm-operator-serviceaccount`
3. Restart the alm-operator.

Actual results: The alm-operator crashed.

```
[root@qe-jiazha-master-etcd-nfs-001 ~]# oc get pods
NAME                                READY     STATUS             RESTARTS   AGE
alm-operator-798c765f5c-9rp8t       0/1       CrashLoopBackOff   7          15m
catalog-operator-548958ff7f-jk8lr   1/1       Running            0          1m

[root@qe-jiazha-master-etcd-nfs-001 ~]# oc logs -f alm-operator-798c765f5c-9rp8t
time="2018-09-04T08:21:23Z" level=info msg="Using in-cluster kube client config"
time="2018-09-04T08:21:23Z" level=info msg="Using in-cluster kube client config"
time="2018-09-04T08:21:23Z" level=fatal msg="error configuring operator: namespaces \"default\" is forbidden: User \"system:serviceaccount:operator-lifecycle-manager:olm-operator-serviceaccount\" cannot patch namespaces in the namespace \"default\": no RBAC policy matched"
```

Expected results: The olm can work well with the "admin" permission.
Additional info:

```
[root@qe-jiazha-master-etcd-nfs-001 ~]# oc get clusterrole aggregate-olm-edit -o yaml
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: 2018-09-04T03:01:13Z
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: aggregate-olm-edit
  resourceVersion: "34811"
  selfLink: /apis/authorization.openshift.io/v1/clusterroles/aggregate-olm-edit
  uid: c84db4dd-afee-11e8-95dd-00163e0043ec
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

[root@qe-jiazha-master-etcd-nfs-001 ~]# oc get clusterrole aggregate-olm-view -o yaml
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: 2018-09-04T03:01:15Z
  name: aggregate-olm-view
  resourceVersion: "34193"
  selfLink: /apis/authorization.openshift.io/v1/clusterroles/aggregate-olm-view
  uid: c997b9d1-afee-11e8-95dd-00163e0043ec
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - get
  - list
  - watch
```
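The comment above says the two OLM roles are meant to be collected into the built-in "view" and "edit" clusterroles. That collection works through label selection: the built-in roles carry an aggregationRule that selects ClusterRoles labelled `rbac.authorization.k8s.io/aggregate-to-view`, `-edit` or `-admin` with value `"true"`, and the clusterrole-aggregation controller copies the matching roles' rules into them. In the "Additional info" output, aggregate-olm-edit carries the edit and admin labels while aggregate-olm-view carries no labels at all. The script below is an added example, not code from the bug report or from OLM: it simulates that aggregation over the two role documents as transcribed from the page (trimmed to the fields the logic uses), reports which expected labels are missing, and evaluates a verb/resource check against the aggregated rules. The simulation is deliberately simplified (no `resourceNames`, `nonResourceURLs` or apiGroup wildcards beyond `*`), and the `allows` check is a constructed approximation of the RBAC authorizer, not the real one.

```python
"""Simulate Kubernetes ClusterRole aggregation for the two OLM aggregate roles.

Added example; not part of the bug report or of OLM. The role documents below
are transcribed from the `oc get clusterrole ... -o yaml` output on this page,
keeping only metadata.labels and rules.
"""
from typing import Dict, List

# Labels the built-in view/edit/admin roles select on via their aggregationRule.
AGGREGATION_LABELS: Dict[str, str] = {
    "view": "rbac.authorization.k8s.io/aggregate-to-view",
    "edit": "rbac.authorization.k8s.io/aggregate-to-edit",
    "admin": "rbac.authorization.k8s.io/aggregate-to-admin",
}

OLM_RESOURCES = ["catalogsources", "clusterserviceversions", "installplans", "subscriptions"]

# Transcribed from the page: aggregate-olm-edit is labelled for edit and admin.
AGGREGATE_OLM_EDIT = {
    "metadata": {
        "name": "aggregate-olm-edit",
        "labels": {
            "rbac.authorization.k8s.io/aggregate-to-admin": "true",
            "rbac.authorization.k8s.io/aggregate-to-edit": "true",
        },
    },
    "rules": [{"apiGroups": ["operators.coreos.com"], "resources": OLM_RESOURCES,
               "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]}],
}

# Transcribed from the page: aggregate-olm-view has no labels in the reported output.
AGGREGATE_OLM_VIEW = {
    "metadata": {"name": "aggregate-olm-view"},
    "rules": [{"apiGroups": ["operators.coreos.com"], "resources": OLM_RESOURCES,
               "verbs": ["get", "list", "watch"]}],
}


def aggregated_rules(target: str, cluster_roles: List[dict]) -> List[dict]:
    """Rules the built-in `target` role (view/edit/admin) would collect.

    Mirrors the controller's behaviour: a ClusterRole contributes its rules
    only if it carries the target's aggregation label with value "true".
    """
    label = AGGREGATION_LABELS[target]
    collected: List[dict] = []
    for role in cluster_roles:
        labels = role.get("metadata", {}).get("labels", {})
        if labels.get(label) == "true":
            collected.extend(role["rules"])
    return collected


def allows(rules: List[dict], api_group: str, resource: str, verb: str) -> bool:
    """Simplified RBAC check: does any rule cover this group/resource/verb?"""
    for rule in rules:
        group_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
        resource_ok = "*" in rule["resources"] or resource in rule["resources"]
        verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
        if group_ok and resource_ok and verb_ok:
            return True
    return False


def missing_aggregation_labels(cluster_role: dict, expected_targets: List[str]) -> List[str]:
    """Which of the built-in roles this ClusterRole is meant to feed is it not labelled for?"""
    labels = cluster_role.get("metadata", {}).get("labels", {})
    return [t for t in expected_targets if labels.get(AGGREGATION_LABELS[t]) != "true"]


if __name__ == "__main__":
    roles = [AGGREGATE_OLM_EDIT, AGGREGATE_OLM_VIEW]
    for target in ("view", "edit", "admin"):
        rules = aggregated_rules(target, roles)
        print(f"{target}: get subscriptions -> "
              f"{allows(rules, 'operators.coreos.com', 'subscriptions', 'get')}, "
              f"patch namespaces -> {allows(rules, '', 'namespaces', 'patch')}")
    print("aggregate-olm-view missing labels for:",
          missing_aggregation_labels(AGGREGATE_OLM_VIEW, ["view"]))
```

Run as-is, the simulation shows "view" collecting nothing from the transcribed aggregate-olm-view document (it has no `aggregate-to-view` label), "edit" and "admin" collecting the OLM verbs from aggregate-olm-edit, and no aggregated rule covering `patch` on `namespaces`, which is the verb the crash log reports as forbidden. The same check against a live cluster is `oc get clusterrole aggregate-olm-view -o yaml` followed by `oc get clusterrole view -o yaml`, as the comment above describes.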