Description of problem:

Running OpenShift Container Platform 3.9, the command `oc rollout history statefulset/<statefulset>` is failing with the below error.

error: unable to find history controlled by StatefulSet <statefulset>: controllerrevisions.apps is forbidden: User "test" cannot list controllerrevisions.apps in the namespace "project": User "test" cannot list controllerrevisions.apps in project "project"

Checking on `master-api` logs, the following is reported.

Dec 11 08:50:59 master-0.example.com atomic-openshift-master-api[86611]: I1211 08:50:59.883742 86611 rbac.go:116] RBAC DENY: user "test" groups ["system:authenticated:oauth" "system:authenticated"] cannot "list" resource "controllerrevisions.apps" in namespace "project"

$ oc get rolebinding -n project
NAME      ROLE     USERS          GROUPS   SERVICE ACCOUNTS   SUBJECTS
admin     /admin   system:admin
admin-0   /admin   test

Looking upstream, I can see the following issue and fix

+ https://github.com/kubernetes/kubernetes/issues/70697
+ https://github.com/kubernetes/kubernetes/pull/70699

Looks quite similar to what we have in this case. But the fix from https://github.com/kubernetes/kubernetes/pull/70699 does not seem to work. Added `controllerrevisions` to `apps` API group in `system:aggregate-to-view` but that does not help:

# oc get clusterrole system:aggregate-to-view -o yaml | grep -b5 controllerrevisions
1166-  - watch
1176-- apiGroups:
1189-  - apps
1198-  attributeRestrictions: null
1228-  resources:
1241:  - controllerrevisions
1265-  - daemonsets
1280-  - deployments
1296-  - deployments/scale
1318-  - replicasets
1334-  - replicasets/scale

Version-Release number of selected component (if applicable):
v3.9.51

How reproducible:
Always

Steps to Reproduce:
1. Create a statefulset within the OpenShift Container Platform - Cluster (specific project)
2. Add `admin` role to user
3. oc rollout history statefulset/<statefulset>

Actual results:
error: unable to find history controlled by StatefulSet <statefulset>: controllerrevisions.apps is forbidden: User "test" cannot list controllerrevisions.apps in the namespace "project": User "test" cannot list controllerrevisions.apps in project "project"

Expected results:
Revision history to be deployed (works with `cluster-admin` permissions)

oc rollout history statefulset/<statefulset> -n project
statefulsets "<statefulset>"
REVISION
0
1

Additional info:
I believe this was solved on Slack by "repeat add `controllerrevisions` to `apps` API group in `system:aggregate-to-view`" for `system:aggregate-to-edit` and `system:aggregate-to-admin`"

I'll close this BZ tomorrow unless that did not work for you.
(In reply to Standa Laznicka from comment #2)
> I believe this was solved on Slack by
> "repeat add `controllerrevisions` to `apps` API group in
> `system:aggregate-to-view`" for `system:aggregate-to-edit` and
> `system:aggregate-to-admin`"
>
> I'll close this BZ tomorrow unless that did not work for you.

Tested this and it seems to address the issue.
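
An added example, not part of the bug thread or of OpenShift itself: a small audit that reports which of the three aggregate cluster roles named above still lack `list` on `controllerrevisions` in the `apps` API group, so the state before and after the workaround can be compared. The helper `make_role` and the sample data are constructed for illustration; the rule matching assumes the usual RBAC semantics where `*` is a wildcard.

```python
AGGREGATE_ROLES = ("system:aggregate-to-view",
                   "system:aggregate-to-edit",
                   "system:aggregate-to-admin")

def rule_allows(rule, verb, group, resource):
    """True if a single RBAC rule grants `verb` on `resource` in `group`."""
    def match(values, wanted):
        values = values or []          # a null/absent field grants nothing
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups"), group)
            and match(rule.get("resources"), resource)
            and match(rule.get("verbs"), verb))

def roles_missing(role_list, verb="list", group="apps",
                  resource="controllerrevisions", names=AGGREGATE_ROLES):
    """Names from `names` that are absent or lack the requested access."""
    by_name = {r["metadata"]["name"]: r for r in role_list.get("items", [])}
    return [n for n in names
            if not any(rule_allows(rule, verb, group, resource)
                       for rule in (by_name.get(n, {}).get("rules") or []))]

def make_role(name, resources):
    # Hypothetical helper that builds one entry of the constructed sample.
    return {"metadata": {"name": name},
            "rules": [{"apiGroups": ["apps"], "attributeRestrictions": None,
                       "resources": resources,
                       "verbs": ["get", "list", "watch"]}]}

# Constructed sample shaped like `oc get clusterrole -o json`: only the view
# aggregate has been patched, as in the first attempt described in the report.
SAMPLE = {"items": [
    make_role("system:aggregate-to-view",
              ["controllerrevisions", "daemonsets", "deployments"]),
    make_role("system:aggregate-to-edit", ["daemonsets", "deployments"]),
    make_role("system:aggregate-to-admin", ["daemonsets", "deployments"]),
]}

if __name__ == "__main__":
    for name in roles_missing(SAMPLE):
        print(f"{name}: no 'list' on controllerrevisions.apps")
```

To audit a real cluster, replace `SAMPLE` with the parsed JSON from `oc get clusterrole -o json`.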