Security error in provision new bundle #143

Closed
Asgoret opened this issue Nov 26, 2018 · 4 comments

Asgoret commented Nov 26, 2018

Hi!
Today I tried to change the Ansible module from the kubernetes module to the asb module and caught an access error in the deployment. I tried:

  1. Run apb provision from:
    • system:admin
    • developer
    • developer (with cluster-admin policy)
  2. Run openshift-permissions.template.yaml
  3. Run in different projects:
    • openshift
    • test (my created project)
  4. Run through:
    • GUI
    • CLI
  5. Run with different sandbox roles:
    • admin
    • edit

My system:

minishift v1.27.0+707887e

oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth

Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:17:39Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2018-11-20T19:51:55Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}

Logs output:

TASK [nginx-simple : Create NGINX Example deployment config] *******************
fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to retrieve requested object: {\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"deploymentconfigs.apps.openshift.io is forbidden: User \\\"system:serviceaccount:openshift:bundle-beac6728-019f-48d2-921d-1744d80ca9a5\\\" cannot list deploymentconfigs.apps.openshift.io at the cluster scope: no RBAC policy matched\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apps.openshift.io\",\"kind\":\"deploymentconfigs\"},\"code\":403}\n", "reason": "Forbidden", "status": 403}
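
An added example, not part of the original thread or the project's code: a small parser that pulls the denied user, verb, resource and scope out of the 403 `Status` embedded in the Ansible failure above, and builds the matching `oc auth can-i` checks. The function names are hypothetical; the sample message is the one from the log above.

```python
import json
import re

# "msg" from the failed task in the post above, outer Ansible JSON already decoded.
SAMPLE_MSG = (
    'Failed to retrieve requested object: '
    '{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure",'
    '"message":"deploymentconfigs.apps.openshift.io is forbidden: User '
    '\\"system:serviceaccount:openshift:bundle-beac6728-019f-48d2-921d-1744d80ca9a5\\" '
    'cannot list deploymentconfigs.apps.openshift.io at the cluster scope: '
    'no RBAC policy matched","reason":"Forbidden",'
    '"details":{"group":"apps.openshift.io","kind":"deploymentconfigs"},"code":403}\n'
)

DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>\S+) '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)

def parse_denial(msg):
    """Return who was denied what, and at which scope, or None if not a 403 Status."""
    start = msg.find("{")
    if start < 0:
        return None
    try:
        status, _ = json.JSONDecoder().raw_decode(msg[start:])
    except ValueError:
        return None
    if status.get("kind") != "Status" or status.get("code") != 403:
        return None
    m = DENIAL.search(status.get("message", ""))
    if not m:
        return None
    d = m.groupdict()
    d["scope"] = "namespace" if d["namespace"] else "cluster"
    # Service account users have the form system:serviceaccount:<namespace>:<name>.
    parts = d["user"].split(":")
    is_sa = len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]
    d["sa_namespace"] = parts[2] if is_sa else None
    return d

def can_i_command(d, namespace=None):
    """Build the `oc auth can-i` check for the denied request, optionally re-scoped."""
    ns = namespace or d["namespace"]
    where = f"-n {ns}" if ns else "--all-namespaces"
    return f'oc auth can-i {d["verb"]} {d["resource"]} --as={d["user"]} {where}'
```

If the cluster-wide check answers `no` while `can_i_command(d, d["sa_namespace"])` answers `yes`, the sandbox role is bound correctly and the task is issuing a list without a namespace; a namespaced role binding cannot authorize that, so the fix belongs in the task rather than in a wider grant.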

Asgoret commented Nov 26, 2018

Hi @dymurray! Can you help with it plz?

dymurray (Contributor) commented

I can't know for sure what is going on without more information about the logged in user. The logged in user must not be a cluster-admin and must have a valid token (i.e. oc whoami -t returns a valid token).

The logged in user must also be the user who created the namespace that the bundle is running in. If you can provide me more info about the logged in user that will help me try and replicate.


Asgoret commented Nov 27, 2018

@dymurray Yeah... I tried to use a different user (like test) and create a new project, and it didn't help. oc whoami -t returns a token... Which information do you need? If it matters, I use minishift on macOS.


Asgoret commented Nov 28, 2018

@dymurray OK... it seems I found the error. I was logged in like oc login -u test -p test and needed to log in via token: oc login https://192.168.64.47:8443 --token=AzmpyxdqUGxahINDbIu1Fb5s6AMuEvgQLJYDFfmG090 ... I don't know, but it seems it's a kind of bug.

EDIT: Nope... it doesn't help.

EDIT #2: Found the problem. It was an incorrect template.

Asgoret closed this as completed Nov 28, 2018