Bug 1740332 - OLM should install the operator for user defined Service Account for OperatorGroup after granting the proper permissions
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.2.0
Assignee: Evan Cordell
QA Contact: Bruno Andrade
Reported: 2019-08-12 17:05 UTC by Bruno Andrade
Modified: 2019-10-16 06:35 UTC (History)

Last Closed: 2019-10-16 06:35:39 UTC




Links:
Github operator-framework operator-lifecycle-manager pull 1006 - last updated 2019-08-23 20:39:25 UTC
Red Hat Product Errata RHBA-2019:2922 - last updated 2019-10-16 06:35:53 UTC

Description Bruno Andrade 2019-08-12 17:05:06 UTC
Description of problem:

If a service account does not have the proper roles to install the operator, it will fail. But after granting the proper role/role binding, it still does not install the subscription unless it is recreated.


Version-Release number of selected component (if applicable):
4.2.0-0.nightly-2019-08-08-103722

2. Create a service account
oc create sa scoped -n test-operators

3. Create the Operator Group schema
oc create -f - <<EOF
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: test-operators-og
  namespace: test-operators
spec:
  serviceAccountName: scoped
  targetNamespaces:
  - test-operators
EOF

4. Create the configmap and the CatalogSource
 
oc create -f https://raw.githubusercontent.com/bandrade/v3-testfiles/v4.1/olm/configmap/configmap_etcd.yaml
oc create -f https://raw.githubusercontent.com/bandrade/v3-testfiles/v4.1/olm/catalogsource/catalogsource.yaml

5. Create the subscription, as below:
oc create -f https://raw.githubusercontent.com/bandrade/v3-testfiles/v4.1/olm/subscription/test.yaml

Check that the installplan fails
oc get ip install-spx2s -o yaml

apiVersion: operators.coreos.com/v1alpha1
kind: InstallPlan
status:
  catalogSources:
    - installed-community-global-operators
  conditions:
  - lastTransitionTime: "2019-08-10T05:28:56Z"
    lastUpdateTime: "2019-08-10T05:28:56Z"
    message: 'error creating csv etcdoperator.v0.9.2: clusterserviceversions.operators.coreos.com
      is forbidden: User "system:serviceaccount:test-operators:scoped" cannot create
      resource "clusterserviceversions" in API group "operators.coreos.com" in the
      namespace "test-operators"'
    reason: InstallComponentFailed
    status: "False"
    type: Installed
  phase: Failed


6. Grant the proper permissions to the service account
oc create -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: scoped
  namespace: test-operators
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"] 
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: scoped-bindings
  namespace: test-operators
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: scoped
subjects:
- kind: ServiceAccount
  name: scoped
  namespace: test-operators
EOF



7. Check the InstallPlan status again
Even after granting the permissions (waited 30 minutes), the operator is not installed. Is it a bug? If I recreate the subscription object, it installs the operator successfully.

oc get subs etcd-etcdoperator.v0.9.2 -o yaml
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  creationTimestamp: "2019-08-10T05:28:56Z"
  generation: 1
  name: etcd-etcdoperator.v0.9.2
  namespace: test-operators
  resourceVersion: "146219"
  selfLink: /apis/operators.coreos.com/v1alpha1/namespaces/test-operators/subscriptions/etcd-etcdoperator.v0.9.2
  uid: bf930f50-bb2f-11e9-9ef9-027f3154da94
spec:
  channel: alpha
  installPlanApproval: Automatic
  name: etcd
  source: installed-community-global-operators
  sourceNamespace: test-operators
  startingCSV: etcdoperator.v0.9.2
status:
  catalogHealth:
  - catalogSourceRef:
      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      name: certified-operators
      namespace: openshift-marketplace
      resourceVersion: "12289"
      uid: 43b96b74-bae9-11e9-9f26-06865eae54b8
    healthy: true
    lastUpdated: "2019-08-10T05:28:56Z"
  - catalogSourceRef:
      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      name: community-operators
      namespace: openshift-marketplace
      resourceVersion: "12288"
      uid: 4284985b-bae9-11e9-9f26-06865eae54b8
    healthy: true
    lastUpdated: "2019-08-10T05:28:56Z"
  - catalogSourceRef:
      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      name: redhat-operators
      namespace: openshift-marketplace
      resourceVersion: "12287"
      uid: 42e2c1bc-bae9-11e9-9f26-06865eae54b8
    healthy: true
    lastUpdated: "2019-08-10T05:28:56Z"
  - catalogSourceRef:
      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      name: installed-community-global-operators
      namespace: test-operators
      resourceVersion: "141572"
      uid: bf2b20bf-bb2d-11e9-aa52-0a9d60fde676
    healthy: true
    lastUpdated: "2019-08-10T05:28:56Z"
  conditions:
  - lastTransitionTime: "2019-08-10T05:28:56Z"
    message: all available catalogsources are healthy
    reason: AllCatalogSourcesHealthy
    status: "False"
    type: CatalogSourcesUnhealthy
  - lastTransitionTime: "2019-08-10T05:28:57Z"
    reason: InstallComponentFailed
    status: "True"
    type: InstallPlanFailed
  currentCSV: etcdoperator.v0.9.2
  installPlanRef:
    apiVersion: operators.coreos.com/v1alpha1
    kind: InstallPlan
    name: install-spx2s
    namespace: test-operators
    resourceVersion: "146214"
    uid: bf973980-bb2f-11e9-9ef9-027f3154da94
  installplan:
    apiVersion: operators.coreos.com/v1alpha1
    kind: InstallPlan
    name: install-spx2s
    uuid: bf973980-bb2f-11e9-9ef9-027f3154da94
  lastUpdated: "2019-08-10T05:28:57Z"
  state: UpgradePending

oc get ip install-spx2s -o yaml

apiVersion: operators.coreos.com/v1alpha1
kind: InstallPlan
status:
  catalogSources:
    - installed-community-global-operators
  conditions:
  - lastTransitionTime: "2019-08-10T05:28:56Z"
    lastUpdateTime: "2019-08-10T05:28:56Z"
    message: 'error creating csv etcdoperator.v0.9.2: clusterserviceversions.operators.coreos.com
      is forbidden: User "system:serviceaccount:test-operators:scoped" cannot create
      resource "clusterserviceversions" in API group "operators.coreos.com" in the
      namespace "test-operators"'
    reason: InstallComponentFailed
    status: "False"
    type: Installed
  phase: Failed

oc get csv
No resources found.


Actual results:
If a service account does not have the proper roles to install the operator, it will fail. But after granting the proper role/role binding, it still does not install the subscription unless it is recreated.

Expected results:
It should install the operator after granting the role/role binding to the service account.

Comment 2 Abu Kashem 2019-08-20 17:12:06 UTC
Yes, this is a known issue. If you recreate the subscription the operator will install successfully. I have created a corresponding JIRA issue here - https://jira.coreos.com/browse/OLM-1244.

Comment 4 Bruno Andrade 2019-08-27 17:52:39 UTC
LGTM, Marking as VERIFIED.

Steps used to validate:

1. Create the namespace test-operators
oc create ns test-operators

2. Create a service account
oc create sa scoped -n test-operators

3. Create the Operator Group schema
oc create -f - <<EOF
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: test-operators-og
  namespace: test-operators
spec:
  serviceAccountName: scoped
  targetNamespaces:
  - test-operators
EOF

4. Create the Configmap and the CatalogSource

oc create -f https://raw.githubusercontent.com/bandrade/v3-testfiles/v4.1/olm/configmap/configmap_etcd.yaml -n openshift-marketplace
oc create -f https://raw.githubusercontent.com/bandrade/v3-testfiles/v4.1/olm/catalogsource/catalogsource.yaml -n openshift-marketplace

5. Create the Subscription, as below:
oc create -f https://raw.githubusercontent.com/bandrade/v3-testfiles/v4.1/olm/subscription/test.yaml -n test-operators

It's expected that csv installation fails due to the missing permissions of the scoped service account.

oc get csv -n test-operators
No resources found.

oc get ip -n test-operators 
NAME            CSV                   SOURCE   APPROVAL    APPROVED
install-xkhjm   etcdoperator.v0.9.2            Automatic   true


oc get ip install-xkhjm -n test-operators -o yaml | grep -A 10 "conditions:"
  conditions:
  - lastTransitionTime: "2019-08-27T17:40:16Z"
    lastUpdateTime: "2019-08-27T17:41:23Z"
    message: 'error creating csv etcdoperator.v0.9.2: clusterserviceversions.operators.coreos.com
      is forbidden: User "system:serviceaccount:test-operators:scoped" cannot create
      resource "clusterserviceversions" in API group "operators.coreos.com" in the
      namespace "test-operators"'
    reason: InstallComponentFailed
    status: "False"
    type: Installed
  phase: Failed


6. Grant the proper permissions to the service account
oc create -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: scoped
  namespace: test-operators
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"] 
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: scoped-bindings
  namespace: test-operators
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: scoped
subjects:
- kind: ServiceAccount
  name: scoped
  namespace: test-operators
EOF

7. At this time, the CSV should be installed successfully
oc get csv -n test-operators
NAME                  DISPLAY   VERSION   REPLACES   PHASE
etcdoperator.v0.9.2   etcd      0.9.2                Succeeded

---- 

Cluster Details:

	Cluster Version:
		oc get clusterversion -o json|jq ".items[0].status.history[0].version"
		"4.2.0-0.nightly-2019-08-26-235330"
	
	OLM Version:
		oc exec olm-operator-bcbb85b76-wwn7w -n openshift-operator-lifecycle-manager -- olm -version
		OLM version: 0.11.0
		git commit: 414ead11612825cabf3fb44323b7018af04ada14
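
Step 6 in both sets of steps grants the scoped service account a wildcard Role (`*` API groups, resources and verbs) in the namespace. As an added example, not code from the report or from OLM, the Python below parses the RBAC denial out of a failed InstallPlan status like the ones posted above, builds the `oc auth can-i` command an admin can run to confirm a grant took effect, and derives the exact Role rule that was denied instead of a wildcard. It assumes the status has already been fetched (for example with `oc get ip <name> -o json`) and loaded into a dict; the sample status is constructed from the report's output.

```python
import re

# A Kubernetes RBAC denial message has a fixed shape; this captures the subject,
# verb, resource, API group and namespace out of an InstallPlan condition message.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)

# Constructed sample: the failed InstallPlan status from the report, reduced to
# the fields read below (YAML folds the single-quoted message onto one line).
SAMPLE_STATUS = {
    "phase": "Failed",
    "conditions": [{
        "type": "Installed", "status": "False", "reason": "InstallComponentFailed",
        "message": ('error creating csv etcdoperator.v0.9.2: '
                    'clusterserviceversions.operators.coreos.com is forbidden: '
                    'User "system:serviceaccount:test-operators:scoped" cannot create '
                    'resource "clusterserviceversions" in API group '
                    '"operators.coreos.com" in the namespace "test-operators"'),
    }],
}

def parse_forbidden(message: str):
    """Return the denied user/verb/resource/group/namespace, or None if not an RBAC denial."""
    m = FORBIDDEN_RE.search(message)
    return m.groupdict() if m else None

def denied_permissions(status: dict) -> list:
    """Every RBAC denial recorded on a failed InstallPlan (empty if it did not fail)."""
    if status.get("phase") != "Failed":
        return []
    denials = [parse_forbidden(c.get("message", "")) for c in status.get("conditions", [])
               if c.get("reason") == "InstallComponentFailed"]
    return [d for d in denials if d]

def can_i_command(denied: dict) -> str:
    """Check to run as an admin after granting the Role: exit status 0 means 'yes'."""
    res = denied["resource"] + ("." + denied["group"] if denied["group"] else "")
    return f'oc auth can-i {denied["verb"]} {res} --as={denied["user"]} -n {denied["namespace"]}'

def role_rules(denials: list) -> list:
    """Least-privilege Role rules: grant exactly the denied verbs, not '*'."""
    rules = [{"apiGroups": [d["group"]], "resources": [d["resource"]], "verbs": [d["verb"]]}
             for d in denials]
    return [r for i, r in enumerate(rules) if r not in rules[:i]]  # drop duplicates

if __name__ == "__main__":
    for denial in denied_permissions(SAMPLE_STATUS):
        print(can_i_command(denial))
```

An operator install needs more than the single verb denied first, so each re-run of a failed InstallPlan surfaces the next missing rule; the derived rules accumulate into a Role that is still narrower than the wildcard one in step 6.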

Comment 5 errata-xmlrpc 2019-10-16 06:35:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

