Bug 1625147 - [olm] the alm-operator crashed with the "admin" permission
Summary: [olm] the alm-operator crashed with the "admin" permission
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.11.0
Assignee: Evan Cordell
QA Contact: Jian Zhang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-09-04 08:53 UTC by Jian Zhang
Modified: 2018-10-18 08:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-11 07:25:55 UTC
Target Upstream Version:
Embargoed:


Links
System                 | ID             | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2018:2652 | 0       | None     | None   | None    | 2018-10-11 07:26:13 UTC

Description Jian Zhang 2018-09-04 08:53:34 UTC
Description of problem:
When the "admin" permission is granted to the "olm-operator-serviceaccount", the alm-operator crashes.

"error configuring operator: namespaces \"default\" is forbidden: User \"system:serviceaccount:operator-lifecycle-manager:olm-operator-serviceaccount\" cannot patch namespaces in the namespace \"default\": no RBAC policy matched"

Maybe something wrong in our created clusterrole "aggregate-olm-edit" and "aggregate-olm-view".

Version-Release number of selected component (if applicable):

quay.io/coreos/olm@sha256:44b445850b3e612c062424c3727bb85048ec8e71407b39985786d29aa20f5c79
quay.io/coreos/catalog@sha256:20886d49205aa8d8fd53f1c85fad6a501775226da25ef14f51258b7066e91064

How reproducible:
always

Steps to Reproduce:
1. Delete the clusterrolebinding "olm-operator-binding-operator-lifecycle-manager".

2. Grant the "admin" permission to the serviceaccount "olm-operator-serviceaccount"
# oc adm policy add-cluster-role-to-user admin -z olm-operator-serviceaccount

3. Restart the alm-operator.

Actual results:
The alm-operator crashed.

[root@qe-jiazha-master-etcd-nfs-001 ~]# oc get pods
NAME                                READY     STATUS             RESTARTS   AGE
alm-operator-798c765f5c-9rp8t       0/1       CrashLoopBackOff   7          15m
catalog-operator-548958ff7f-jk8lr   1/1       Running            0          1m
[root@qe-jiazha-master-etcd-nfs-001 ~]# oc logs -f alm-operator-798c765f5c-9rp8t
time="2018-09-04T08:21:23Z" level=info msg="Using in-cluster kube client config"
time="2018-09-04T08:21:23Z" level=info msg="Using in-cluster kube client config"
time="2018-09-04T08:21:23Z" level=fatal msg="error configuring operator: namespaces \"default\" is forbidden: User \"system:serviceaccount:operator-lifecycle-manager:olm-operator-serviceaccount\" cannot patch namespaces in the namespace \"default\": no RBAC policy matched"

Expected results:
The OLM works with the "admin" permission.


Additional info:
[root@qe-jiazha-master-etcd-nfs-001 ~]# oc get clusterrole aggregate-olm-edit -o yaml
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: 2018-09-04T03:01:13Z
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: aggregate-olm-edit
  resourceVersion: "34811"
  selfLink: /apis/authorization.openshift.io/v1/clusterroles/aggregate-olm-edit
  uid: c84db4dd-afee-11e8-95dd-00163e0043ec
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
[root@qe-jiazha-master-etcd-nfs-001 ~]# oc get clusterrole aggregate-olm-view -o yaml
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: 2018-09-04T03:01:15Z
  name: aggregate-olm-view
  resourceVersion: "34193"
  selfLink: /apis/authorization.openshift.io/v1/clusterroles/aggregate-olm-view
  uid: c997b9d1-afee-11e8-95dd-00163e0043ec
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - get
  - list
  - watch

Comment 1 Evan Cordell 2018-09-04 14:36:44 UTC
The aggregate-olm-edit and aggregate-olm-view roles should be automatically collected by the global "view" and "edit" clusterroles.

To make sure this is working, you should be able to `oc get clusterrole view` and see the rules from aggregate-olm-view there, and you should be able to `oc get clusterrole edit` and see the rules from aggregate-olm-edit there as well.

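The check in Comment 1 relies on ClusterRole aggregation: the built-in view/edit/admin roles carry an aggregationRule whose label selectors pull in the rules of every ClusterRole labelled rbac.authorization.k8s.io/aggregate-to-view, -edit or -admin. The script below is an added example, not code from this bug or from OLM, that simulates that aggregation over a constructed set of roles and queries the result the way `oc auth can-i` would. The role set is modelled on the YAML captured above (aggregate-olm-edit labelled for edit and admin, aggregate-olm-view with no labels at all); the "core-view" role is a constructed stand-in for the built-in roles that feed "view", only matchLabels selectors are modelled, and the "patch namespaces" query only shows that nothing in this constructed set grants the request the operator was denied for, not what the real OpenShift admin role contains.

```python
"""Simulate ClusterRole aggregation and query the aggregated rules.

Added example (not from this bug or from OLM). ROLES is a constructed subset
modelled on the YAML in the bug report; "core-view" is a constructed stand-in.
"""
import copy
from typing import Dict, List

AGG = "rbac.authorization.k8s.io/aggregate-to-"
OLM_GROUP = "operators.coreos.com"
OLM_RESOURCES = ["catalogsources", "clusterserviceversions", "installplans", "subscriptions"]

Rule = Dict[str, List[str]]


def _selector(label: str) -> dict:
    """aggregationRule selecting every ClusterRole labelled aggregate-to-<label>."""
    return {"clusterRoleSelectors": [{"matchLabels": {AGG + label: "true"}}]}


ROLES: Dict[str, dict] = {
    # Default roles chain view -> edit -> admin through their own labels.
    "view": {"labels": {AGG + "edit": "true"}, "aggregationRule": _selector("view")},
    "edit": {"labels": {AGG + "admin": "true"}, "aggregationRule": _selector("edit")},
    "admin": {"aggregationRule": _selector("admin")},
    # Constructed stand-in for the built-in roles that aggregate into "view".
    "core-view": {"labels": {AGG + "view": "true"},
                  "rules": [{"apiGroups": [""], "resources": ["pods"],
                             "verbs": ["get", "list", "watch"]}]},
    # As captured in the bug report: labelled for both edit and admin.
    "aggregate-olm-edit": {"labels": {AGG + "edit": "true", AGG + "admin": "true"},
                           "rules": [{"apiGroups": [OLM_GROUP], "resources": OLM_RESOURCES,
                                      "verbs": ["create", "delete", "get", "list",
                                                "patch", "update", "watch"]}]},
    # As captured in the bug report: no labels at all.
    "aggregate-olm-view": {"rules": [{"apiGroups": [OLM_GROUP], "resources": OLM_RESOURCES,
                                      "verbs": ["get", "list", "watch"]}]},
}


def _matches(labels: Dict[str, str], selector: dict) -> bool:
    """matchLabels only; the real LabelSelector also supports matchExpressions."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def aggregate(roles: Dict[str, dict]) -> Dict[str, List[Rule]]:
    """Effective rules of every ClusterRole after aggregation settles.

    An aggregated role's rules are the union of the current rules of every other
    ClusterRole matching one of its selectors. Because "edit" is itself labelled
    into "admin", the result is computed to a fixed point rather than in one pass.
    """
    effective = {name: list(role.get("rules", [])) for name, role in roles.items()}
    aggregated = {name: role["aggregationRule"]["clusterRoleSelectors"]
                  for name, role in roles.items() if "aggregationRule" in role}
    changed = True
    while changed:
        changed = False
        for name, selectors in aggregated.items():
            rules: List[Rule] = []
            for other, spec in roles.items():
                if other == name:
                    continue
                if any(_matches(spec.get("labels", {}), s) for s in selectors):
                    for rule in effective[other]:
                        if rule not in rules:  # dedup for readability only
                            rules.append(rule)
            if rules != effective[name]:
                effective[name] = rules
                changed = True
    return effective


def can_i(rules: List[Rule], group: str, resource: str, verb: str) -> bool:
    """RBAC-style match: a request is allowed if any single rule covers it."""
    return any(("*" in r["apiGroups"] or group in r["apiGroups"])
               and ("*" in r["resources"] or resource in r["resources"])
               and ("*" in r["verbs"] or verb in r["verbs"]) for r in rules)


def unaggregated(roles: Dict[str, dict]) -> List[str]:
    """Plain ClusterRoles that no aggregationRule selector will ever collect."""
    selectors = [s for r in roles.values()
                 for s in r.get("aggregationRule", {}).get("clusterRoleSelectors", [])]
    return sorted(name for name, r in roles.items() if "aggregationRule" not in r
                  and not any(_matches(r.get("labels", {}), s) for s in selectors))


def with_label(roles: Dict[str, dict], name: str, key: str, value: str = "true") -> Dict[str, dict]:
    """Copy of ROLES with one label added, e.g. the missing aggregate-to-view label."""
    fixed = copy.deepcopy(roles)
    fixed[name].setdefault("labels", {})[key] = value
    return fixed


if __name__ == "__main__":
    eff = aggregate(ROLES)
    for role in ("view", "edit", "admin"):
        print(role, "can get subscriptions:", can_i(eff[role], OLM_GROUP, "subscriptions", "get"))
    print("never aggregated:", unaggregated(ROLES))
```

With the roles as captured, `unaggregated` reports aggregate-olm-view, and "view" ends up without any operators.coreos.com rule, while "edit" and "admin" both receive the aggregate-olm-edit rules; adding the aggregate-to-view label with `with_label` is enough for "view" to pick the rules up on the next reconcile. On a live cluster the equivalent spot check is `oc get clusterrole view -o yaml` as Evan describes, plus `oc auth can-i get subscriptions.operators.coreos.com --as=system:serviceaccount:operator-lifecycle-manager:olm-operator-serviceaccount`.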
Comment 2 Jian Zhang 2018-09-05 09:57:45 UTC
Installed the OLM using the openshift-ansible master branch.
LGTM, verify it, thanks!

[root@qe-jiazha-master-etcd-1 ~]# oc get clusterrole view -o yaml
...
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - get
  - list
  - watch

[root@qe-jiazha-master-etcd-1 ~]# oc get clusterrole edit -o yaml
...
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

[root@qe-jiazha-master-etcd-1 ~]# oc get clusterrole admin -o yaml
...
rules:
- apiGroups:
  - operators.coreos.com
  attributeRestrictions: null
  resources:
  - catalogsources
  - clusterserviceversions
  - installplans
  - subscriptions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

Comment 4 errata-xmlrpc 2018-10-11 07:25:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652

