Description of problem:
Executing testcase OCP-26035 (Idling/Unidling services on sdn/OVN), when testing idling service, it reports an error as below:

error: unable to mark service "4s5jp/test-service" as idled: endpoints "test-service" is forbidden: User "testuser-0" cannot patch resource "endpoints" in API group "" in the namespace "4s5jp"

But pods are removed and service is marked idle.

Version-Release number of selected component (if applicable):
% oc version
Client Version: 4.9.0-0.nightly-2021-08-18-144658
Server Version: 4.9.0-0.nightly-2021-08-18-084341
Kubernetes Version: v1.22.0-rc.0+f967870

How reproducible:
always

Steps to Reproduce:
1. login cluster via normal user (non-admin), and create new project
2. create service: oc create -f list_for_pods.json

{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "v1",
      "kind": "ReplicationController",
      "metadata": {
        "labels": { "name": "test-rc" },
        "name": "test-rc"
      },
      "spec": {
        "replicas": 2,
        "template": {
          "metadata": {
            "labels": { "name": "test-pods" }
          },
          "spec": {
            "containers": [
              {
                "image": "quay.io/openshifttest/hello-sdn@sha256:d5785550cf77b7932b090fcd1a2625472912fb3189d5973f177a5a2c347a1f95",
                "name": "test-pod",
                "imagePullPolicy": "IfNotPresent",
                "resources": {
                  "limits": { "memory": "340Mi" }
                }
              }
            ]
          }
        }
      }
    },
    {
      "apiVersion": "v1",
      "kind": "Service",
      "metadata": {
        "labels": { "name": "test-service" },
        "name": "test-service"
      },
      "spec": {
        "ports": [
          {
            "name": "http",
            "port": 27017,
            "protocol": "TCP",
            "targetPort": 8080
          }
        ],
        "selector": { "name": "test-pods" }
      }
    }
  ]
}

3. checking pods, service
% oc get pods
NAME            READY   STATUS    RESTARTS   AGE
test-rc-88w7n   1/1     Running   0          4s
test-rc-q2949   1/1     Running   0          4s
% oc get service test-service
NAME           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)     AGE
test-service   ClusterIP   172.30.219.250   <none>        27017/TCP   13s
% oc describe service
Name:              test-service
Namespace:         eee
Labels:            name=test-service
Annotations:       <none>
Selector:          name=test-pods
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                172.30.219.250
IPs:               172.30.219.250
Port:              http  27017/TCP
TargetPort:        8080/TCP
Endpoints:         10.128.2.126:8080,10.129.2.107:8080
Session Affinity:  None
Events:            <none>

4. idle service
% oc idle test-service
error: unable to mark service "eee/test-service" as idled: endpoints "test-service" is forbidden: User "testuser-0" cannot patch resource "endpoints" in API group "" in the namespace "eee"
ReplicationController "eee/test-rc" has been idled

5. checking pods and service
% oc get pods
No resources found in eee namespace.
% oc describe serivce test-service
error: the server doesn't have a resource type "serivce"
% oc describe service test-service
Name:              test-service
Namespace:         eee
Labels:            name=test-service
Annotations:       idling.alpha.openshift.io/idled-at: 2021-08-19T09:18:24Z
                   idling.alpha.openshift.io/unidle-targets: [{"kind":"ReplicationController","name":"test-rc","replicas":2}]
Selector:          name=test-pods
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                172.30.219.250
IPs:               172.30.219.250
Port:              http  27017/TCP
TargetPort:        8080/TCP
Endpoints:         <none>
Session Affinity:  None
Events:            <none>
% oc get endpoints
NAME           ENDPOINTS   AGE
test-service   <none>      23m

Actual results:
reporting error when idling service

Expected results:
no error

Additional info:
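A pre-flight check for the half-idled state steps 4 and 5 show (ReplicationController scaled to zero and Service annotated while the Endpoints patch is refused), as an added Python example that is not part of this report or of oc itself. The set of mutations `oc idle` is taken to perform, and the `oc auth can-i --list` sample, are assumptions constructed from what the report shows; the forbidden-error format is the one quoted in step 4.

```python
import re

# Mutations `oc idle` is assumed to perform, in the order the reproduction
# shows them taking effect: scale the RC, annotate the Service, patch the
# Endpoints. Drawn from the report, not from the oc source.
IDLE_MUTATIONS = (
    ("", "replicationcontrollers", "patch"),
    ("", "services", "patch"),
    ("", "endpoints", "patch"),
)

# API-server forbidden error, as printed by `oc idle` in step 4.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"')

# One row of `oc auth can-i --list`: RESOURCE [urls] [names] [verbs]
CAN_I_ROW_RE = re.compile(r'^(\S+)\s+\[[^\]]*\]\s+\[[^\]]*\]\s+\[([^\]]*)\]')

# Constructed sample: an edit-like user that can write RCs and Services but
# only read Endpoints, which is the situation testuser-0 hits above.
SAMPLE_CAN_I_LIST = """\
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
replicationcontrollers                          []                  []               [create delete get list patch update watch]
services                                        []                  []               [create delete get list patch update watch]
endpoints                                       []                  []               [get list watch]
"""

def parse_forbidden(message):
    """Pull user/verb/resource/group/namespace out of a forbidden error, or None."""
    m = FORBIDDEN_RE.search(message)
    return m.groupdict() if m else None

def parse_can_i_list(text):
    """Turn `oc auth can-i --list` output into {(group, resource): {verbs}}."""
    perms = {}
    for line in text.splitlines():
        m = CAN_I_ROW_RE.match(line)
        if not m:
            continue  # header or non-resource row
        resource, _, group = m.group(1).partition(".")  # "endpoints" / "deployments.apps"
        perms.setdefault((group, resource), set()).update(m.group(2).split())
    return perms

def allowed(perms, group, resource, verb):
    """True if the verb is granted on the resource, honouring '*' wildcards."""
    return any(g in (group, "*") and r in (resource, "*") and ({verb, "*"} & verbs)
               for (g, r), verbs in perms.items())

def idle_preflight(perms):
    """Mutations `oc idle` could not perform. Empty means idling completes; a list
    that leaves the RC patch allowed means the half-idled state this report shows."""
    return [m for m in IDLE_MUTATIONS if not allowed(perms, *m)]
```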
Only OCP admins can idle services. You can reference these docs for more information if needed. https://docs.openshift.com/container-platform/3.3/admin_guide/idling_applications.html#:~:text=As%20an%20OpenShift%20Container%20Platform,involves%20idling%20all%20associated%20resources.
Hi Ben, Thanks for sharing the doc. But one issue is that the service is idled and pods are removed even though an error is reported when idling service using non-admin users. Please see reproduce steps 4 and 5. Thanks, Ying
and this works well in 4.8/4.7
This is the same as bug 1989423
as mentioned in 1989423 this needs a fix to the permissions and admission controllers in openshift/kubernetes. I'm working on this.
As per #comment 5, closing this as a dupe. *** This bug has been marked as a duplicate of bug 1989423 ***
There are like 17 different bugs about this. I guess we can keep this open if we want to specifically ensure that ci tests "normal users can idle services" after the fix (although 1989423 is also testing that, just hidden several layers down) *** This bug has been marked as a duplicate of bug 1989423 ***
*** Bug 1996534 has been marked as a duplicate of this bug. ***