Security error in provision new bundle #1139

Closed
Asgoret opened this issue Nov 27, 2018 · 6 comments

@Asgoret

Asgoret commented Nov 27, 2018

Hi!
Today I tried to change the Ansible module from the kubernetes module to the asb module and caught an access error in deployment. I tried:

  1. Run apb provision from:
    • system:admin
    • developer
    • developer (with cluster-admin policy)
  2. Run openshift-permissions.template.yaml
  3. Run in different projects:
    • openshift
    • test (my created project)
  4. Run through:
    • GUI
    • CLI
  5. Run with different sandbox roles:
    • admin
    • edit

My system:

minishift v1.27.0+707887e

oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth

Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:17:39Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2018-11-20T19:51:55Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}

Logs output:

TASK [nginx-simple : Create NGINX Example deployment config] *******************
fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to retrieve requested object: {\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"deploymentconfigs.apps.openshift.io is forbidden: User \\\"system:serviceaccount:openshift:bundle-beac6728-019f-48d2-921d-1744d80ca9a5\\\" cannot list deploymentconfigs.apps.openshift.io at the cluster scope: no RBAC policy matched\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apps.openshift.io\",\"kind\":\"deploymentconfigs\"},\"code\":403}\n", "reason": "Forbidden", "status": 403}
@djzager
Member

djzager commented Nov 27, 2018

"system:serviceaccount:openshift:bundle-beac6728-019f-48d2-921d-1744d80ca9a5\\\" cannot list deploymentconfigs.apps.openshift.io at the cluster scope

Odd. This makes me think there may be a problem with your task. Could you please link to the APB (specifically the task) that is failing?

@Asgoret
Author

Asgoret commented Nov 27, 2018

@djzager Hi! I tried to run this command:

apb bundle provision nginx-simple --follow

I tried it under different users (like admins, cluster-admins, base-user) but all of them get this error.

@djzager
Member

djzager commented Nov 27, 2018

@Asgoret Apologies for not being clear. I meant the source for this nginx-simple APB you are running. I would like to see the Ansible you have written for the task Create NGINX Example deployment config.

@Asgoret
Author

Asgoret commented Nov 27, 2018

@djzager I hope not the full playbook)
main.yml

- name: Read definition file from the Ansible controller file system
  k8s:
    state: present
    definition: "{{ lookup('template', 'deployment-config.yaml') }}"

and deployment config

kind: DeploymentConfig
apiVersion: v1
name: nginx-simple
namespace: '{{ namespace }}'
state: present
labels:
  app: '{{ namespace }}'
  service: nginx-simple
replicas: 1
selector:
  app: '{{ namespace }}'
  service: nginx-simple
spec_template_metadata_labels:
  app: '{{ namespace }}'
  service: nginx-simple
containers:
  - image: docker.io/twalter/openshift-nginx
    name: nginx-simple
    ports:
      - container_port: 8080
        protocol: TCP
    volumeMounts:
      - mountPath: /etc/nginx/conf.d
        name: configuration
restart_policy: Always
volumes:
  - name: configuration
    configMap:
      name: nginx-conf
      items:
        - key: nginx-conf
          path: default.conf

And provision.yml

- name: nginx-simple playbook to provision the application
  hosts: localhost
#  strategy: debug
  gather_facts: false
  connection: local
  vars:
    apb_action: provision
  roles:
  - ansibleplaybookbundle.asb-modules
  - nginx-simple

@djzager
Member

djzager commented Nov 27, 2018

Could you put the name and namespace in metadata, remove state (example below) and report back?

Edit: looks like more needs to be updated than I originally thought. Here is a good example of a deployment(config) template.

---
kind: DeploymentConfig
apiVersion: v1
metadata:
  name: nginx-simple
  namespace: '{{ namespace }}'
labels:
  app: '{{ namespace }}'
  service: nginx-simple
replicas: 1
selector:
  app: '{{ namespace }}'
  service: nginx-simple
spec_template_metadata_labels:
  app: '{{ namespace }}'
  service: nginx-simple
containers:
  - image: docker.io/twalter/openshift-nginx
    name: nginx-simple
    ports:
      - container_port: 8080
        protocol: TCP
    volumeMounts:
      - mountPath: /etc/nginx/conf.d
        name: configuration
restart_policy: Always
volumes:
  - name: configuration
    configMap:
      name: nginx-conf
      items:
        - key: nginx-conf
          path: default.conf

@Asgoret
Author

Asgoret commented Nov 27, 2018

@djzager Yeah... OK, I will do it tomorrow, but do I understand correctly that the default YAML from OpenShift doesn't work with APB and all kinds must be rewritten in APB style?

EDIT: Yeah... it's my template problem. Thanks for the help)

@Asgoret Asgoret closed this as completed Nov 28, 2018
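
The failure mode discussed in this thread, as an added example that is not part of the original issue or the project's code: a pre-flight check for a rendered definition plus a parser for the RBAC denial message. It assumes the k8s module looks up the existing object by `metadata.name` and `metadata.namespace`, which is consistent with the "cannot list … at the cluster scope" error; the function names and sample dictionaries are hypothetical and constructed from the templates above.

```python
import re

# Top-level fields a Kubernetes/OpenShift object definition normally carries.
OBJECT_FIELDS = {"apiVersion", "kind", "metadata", "spec", "status"}

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>\S+) '
    r'(?P<scope>at the cluster scope|in the namespace "[^"]+")'
)

def parse_forbidden(message):
    """Split an RBAC 'Forbidden' message into user, verb, resource and scope."""
    # Drop backslashes so JSON-escaped copies of the message also match.
    m = FORBIDDEN_RE.search(message.replace("\\", ""))
    return m.groupdict() if m else None

def preflight(definition):
    """Return findings for a rendered definition before it reaches the API."""
    findings = []
    meta = definition.get("metadata") or {}
    # Assumption: without a name the module has nothing to 'get' and lists instead.
    if not meta.get("name"):
        findings.append("metadata.name missing: lookup becomes a list, not a get")
    if not meta.get("namespace"):
        findings.append("metadata.namespace missing: request is cluster-scoped")
    stray = sorted(set(definition) - OBJECT_FIELDS)
    if stray:
        findings.append("keys outside metadata/spec: " + ", ".join(stray))
    return findings

# Constructed inputs: the top-level shape of the two templates in this thread,
# rendered with namespace "test" (most fields omitted).
ORIGINAL = {"kind": "DeploymentConfig", "apiVersion": "v1", "name": "nginx-simple",
            "namespace": "test", "state": "present", "replicas": 1}
SUGGESTED = {"kind": "DeploymentConfig", "apiVersion": "v1",
             "metadata": {"name": "nginx-simple", "namespace": "test"},
             "replicas": 1}

# Constructed from the log line in the issue, with the escaping removed.
LOG = ('deploymentconfigs.apps.openshift.io is forbidden: User '
       '"system:serviceaccount:openshift:bundle-beac6728-019f-48d2-921d-1744d80ca9a5" '
       'cannot list deploymentconfigs.apps.openshift.io at the cluster scope: '
       'no RBAC policy matched')

if __name__ == "__main__":
    print(parse_forbidden(LOG))
    for label, d in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, preflight(d))
```

The original shape yields all three findings, while the shape with `metadata` filled in still reports `replicas` outside `spec`, matching the remark that more of the template needed updating.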