Description of problem:
When granting the "admin" permission to the "olm-operator-serviceaccount", the alm-operator crashed:

"error configuring operator: namespaces \"default\" is forbidden: User \"system:serviceaccount:operator-lifecycle-manager:olm-operator-serviceaccount\" cannot patch namespaces in the namespace \"default\": no RBAC policy matched"

Maybe something is wrong in our created clusterroles "aggregate-olm-edit" and "aggregate-olm-view".

Version-Release number of selected component (if applicable):
quay.io/coreos/olm@sha256:44b445850b3e612c062424c3727bb85048ec8e71407b39985786d29aa20f5c79
quay.io/coreos/catalog@sha256:20886d49205aa8d8fd53f1c85fad6a501775226da25ef14f51258b7066e91064

How reproducible:
always

Steps to Reproduce:
1. Delete the clusterrolebinding "olm-operator-binding-operator-lifecycle-manager".
2. Grant the "admin" permission to the serviceaccount "olm-operator-serviceaccount":
   # oc adm policy add-cluster-role-to-user admin -z olm-operator-serviceaccount
3. Restart the alm-operator.

Actual results:
The alm-operator crashed.

[root@qe-jiazha-master-etcd-nfs-001 ~]# oc get pods
NAME                                READY     STATUS             RESTARTS   AGE
alm-operator-798c765f5c-9rp8t       0/1       CrashLoopBackOff   7          15m
catalog-operator-548958ff7f-jk8lr   1/1       Running            0          1m

[root@qe-jiazha-master-etcd-nfs-001 ~]# oc logs -f alm-operator-798c765f5c-9rp8t
time="2018-09-04T08:21:23Z" level=info msg="Using in-cluster kube client config"
time="2018-09-04T08:21:23Z" level=info msg="Using in-cluster kube client config"
time="2018-09-04T08:21:23Z" level=fatal msg="error configuring operator: namespaces \"default\" is forbidden: User \"system:serviceaccount:operator-lifecycle-manager:olm-operator-serviceaccount\" cannot patch namespaces in the namespace \"default\": no RBAC policy matched"

Expected results:
The OLM can work well with the "admin" permission.
Additional info:

[root@qe-jiazha-master-etcd-nfs-001 ~]# oc get clusterrole aggregate-olm-edit -o yaml
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: 2018-09-04T03:01:13Z
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: aggregate-olm-edit
  resourceVersion: "34811"
  selfLink: /apis/authorization.openshift.io/v1/clusterroles/aggregate-olm-edit
  uid: c84db4dd-afee-11e8-95dd-00163e0043ec
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

[root@qe-jiazha-master-etcd-nfs-001 ~]# oc get clusterrole aggregate-olm-view -o yaml
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: 2018-09-04T03:01:15Z
  name: aggregate-olm-view
  resourceVersion: "34193"
  selfLink: /apis/authorization.openshift.io/v1/clusterroles/aggregate-olm-view
  uid: c997b9d1-afee-11e8-95dd-00163e0043ec
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - get
  - list
  - watch
The aggregate-olm-edit and aggregate-olm-view roles should be automatically collected by the global "view" and "edit" clusterroles. To make sure this is working, you should be able to `oc get clusterrole view` and see the rules from aggregate-olm-view there, and you should be able to `oc get clusterrole edit` and see the rules from aggregate-olm-edit there as well.
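The aggregation the comment above relies on, modelled as an added example (not code from the bug report or from OLM): a Python sketch of the Kubernetes controller logic that fills a parent ClusterRole with the rules of every ClusterRole matching one of its aggregationRule selectors, fed with the two aggregate-olm-* roles as they appear in the report's YAML. It assumes the default admin/edit/view roles select the label rbac.authorization.k8s.io/aggregate-to-<name>: "true", which is how the upstream defaults are defined; because the dumped aggregate-olm-view carries no aggregate-to-view label, the model shows it is not picked up by view until that label is present.

```python
"""Model of ClusterRole aggregation (added example, not from the report).
A parent ClusterRole with an aggregationRule receives the union of rules
from every ClusterRole whose labels match one of its clusterRoleSelectors."""

OLM_RESOURCES = ["catalogsources", "clusterserviceversions", "installplans", "subscriptions"]
EDIT_VERBS = ["create", "delete", "get", "list", "patch", "update", "watch"]
VIEW_VERBS = ["get", "list", "watch"]


def olm_rule(verbs):
    return {"apiGroups": ["operators.coreos.com"], "resources": OLM_RESOURCES, "verbs": verbs}


# Default parent roles (assumed): each selects roles labelled aggregate-to-<name>: "true".
PARENTS = {
    name: {"aggregationRule": {"clusterRoleSelectors": [
        {"matchLabels": {f"rbac.authorization.k8s.io/aggregate-to-{name}": "true"}}]}}
    for name in ("admin", "edit", "view")
}

# Candidate roles constructed from the YAML dumped in the report:
# aggregate-olm-edit has two aggregate-to-* labels, aggregate-olm-view has none.
CANDIDATES = {
    "aggregate-olm-edit": {"labels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true",
                                      "rbac.authorization.k8s.io/aggregate-to-edit": "true"},
                           "rules": [olm_rule(EDIT_VERBS)]},
    "aggregate-olm-view": {"labels": {}, "rules": [olm_rule(VIEW_VERBS)]},
}


def selector_matches(selector, labels):
    """matchLabels semantics only: every key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def aggregated_rules(parent, candidates):
    """Union of rules from every candidate matched by any clusterRoleSelector of parent."""
    rules = []
    for role in candidates.values():
        if any(selector_matches(s, role["labels"])
               for s in parent["aggregationRule"]["clusterRoleSelectors"]):
            rules.extend(role["rules"])
    return rules


def allows(rules, group, resource, verb):
    """The check behind `oc get clusterrole <name>`: does some rule grant verb on resource?"""
    return any(group in r["apiGroups"] and resource in r["resources"] and verb in r["verbs"]
               for r in rules)


if __name__ == "__main__":
    for name, parent in PARENTS.items():
        rules = aggregated_rules(parent, CANDIDATES)
        print(name, "grants get on subscriptions:",
              allows(rules, "operators.coreos.com", "subscriptions", "get"))
```

Running it prints True for admin and edit but False for view; adding the aggregate-to-view label to aggregate-olm-view flips the last result.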
Install the OLM by using the openshift-ansible master branch. LGTM, verify it, thanks!

[root@qe-jiazha-master-etcd-1 ~]# oc get clusterrole view -o yaml
...
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - get
  - list
  - watch

[root@qe-jiazha-master-etcd-1 ~]# oc get clusterrole edit -o yaml
...
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

[root@qe-jiazha-master-etcd-1 ~]# oc get clusterrole admin -o yaml
...
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:2652