can't use cluster-admin role in apb sandbox #711

Closed
karmab opened this issue Jan 30, 2018 · 2 comments

@karmab
Contributor

karmab commented Jan 30, 2018

This form is for bug reports and feature requests. Major features will go through a spec process.

Bug:

What happened:
provisioning failed

What you expected to happen:
launch a serviceinstance with cluster-admin role for the apb

How to reproduce it:
Set sandbox_role to cluster-admin in the asb service map (and delete the pods so they get recreated). Launch a service instance.
This is the traceback: https://pastebin.com/yiJMLWSH

@eriknelson
Contributor

The SA that the broker runs as (asb) has admin privileges by default: https://github.com/openshift/ansible-service-broker/blob/master/templates/deploy-ansible-service-broker.template.yaml#L50

It's not going to be able to apply roles to the sandbox SA that are of a higher privilege than itself. How are you deploying the broker? Could you try to bump the broker's privilege to cluster-admin on the line I linked and try this again?

@rthallisey
Contributor

Pasting in a portion of the error:

2018-01-30T13:49:53.372Z] [DEBUG] - plan_id: 3bec808b3f9187629c19eb04a535a72e
[2018-01-30T13:49:53.372Z] [DEBUG] - operation:  3d3c2cc8-6ccf-4255-a864-e5d32ee11091
[2018-01-30T13:49:53.373Z] [DEBUG] - state: in progress
172.17.0.4 - - [30/Jan/2018:13:49:53 +0000] "GET /ansible-service-broker/v2/service_instances/eff98032-96fe-400f-ac37-ab616ee4b2ee/last_operation?operation=3d3c2cc8-6ccf-4255-a864-e5d32ee11091&plan_id=3bec808b3f9187629c19eb04a535a72e&service_id=af83f445d6aae48fbb4f58cca8368593 HTTP/1.1" 200 29
[2018-01-30T13:49:53.446Z] [ERROR] - rolebindings.rbac.authorization.k8s.io "apb-9377b595-08be-44c2-99ad-de208ec5c1c2" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["*"], APIGroups:["*"], Verbs:["*"]} PolicyRule{NonResourceURLs:["*"], Verbs:["*"]}] user=&{system:serviceaccount:ansible-service-broker:asb 1688c70f-05b6-11e8-80e1-52540004a6bc [system:serviceaccounts system:serviceaccounts:ansible-service-broker system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["pods" "pods/attach" "pods/exec" "pods/portforward" "pods/proxy"], APIGroups:[""], 
...

It turns out this error is from the broker failing to create the rolebinding for the role 'cluster-admin'. In order to get past this error, the asb service account needs higher permissions. By default, the asb service account is admin and it needs cluster-admin.

oc adm policy add-cluster-role-to-user cluster-admin -n ansible-service-broker -z asb

However, this doesn't mean the apb that requires cluster-admin is going to work. The apb has cluster-admin permissions inside a rolebinding. In other words, the apb has cluster-admin permissions in its own namespace. In order to create cluster level resources, the apb should be given a clusterrolebinding with the apb_sandbox_role config value. I'll follow up with a PR to add this capability and we'll track discussion in #576.
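As an added example (not code from the broker project), the check below models the RBAC escalation-prevention rule behind the "attempt to grant extra privileges" error discussed in the two comments above: a RoleBinding or ClusterRoleBinding is only accepted if every (apiGroup, resource, verb) and (nonResourceURL, verb) combination of the role being granted is already held by the creator. The asb rules are a constructed abbreviation of the ownerrules in the log (the verbs are assumed, since the excerpt is cut off); the cluster-admin rules are the two wildcard PolicyRules it prints.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class PolicyRule:
    """One RBAC rule, with the same fields the forbidden error prints."""
    api_groups: tuple = ()
    resources: tuple = ()
    verbs: tuple = ()
    non_resource_urls: tuple = ()


def _matches(allowed, wanted):
    # A wildcard held by the creator covers anything; a wildcard *requested*
    # is only covered by a wildcard *held* (no "*" in allowed -> no match).
    return "*" in allowed or wanted in allowed


def _atoms(rule):
    """Split a rule into the atomic grants the escalation check compares."""
    res = {("res", g, r, v) for g, r, v in product(rule.api_groups, rule.resources, rule.verbs)}
    urls = {("url", u, v) for u, v in product(rule.non_resource_urls, rule.verbs)}
    return res | urls


def _atom_covered(atom, owner_rules):
    for o in owner_rules:
        if atom[0] == "res":
            _, g, r, v = atom
            if _matches(o.api_groups, g) and _matches(o.resources, r) and _matches(o.verbs, v):
                return True
        else:
            _, u, v = atom
            if _matches(o.non_resource_urls, u) and _matches(o.verbs, v):
                return True
    return False


def uncovered_atoms(requested_rules, owner_rules):
    """Atoms of the requested role the creator does not hold (empty means the binding is allowed)."""
    return {a for r in requested_rules for a in _atoms(r) if not _atom_covered(a, owner_rules)}


def can_grant(requested_rules, owner_rules):
    return not uncovered_atoms(requested_rules, owner_rules)


# Constructed from the log excerpt: the asb SA's admin ownerrules (abbreviated, verbs assumed).
ASB_ADMIN_RULES = (PolicyRule(("",), ("pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"),
                              ("create", "delete", "get", "list", "patch", "update", "watch")),)
# The two PolicyRules the error says the sandbox rolebinding tried to grant (cluster-admin).
CLUSTER_ADMIN_RULES = (PolicyRule(("*",), ("*",), ("*",)), PolicyRule(verbs=("*",), non_resource_urls=("*",)))
```

Running `can_grant(CLUSTER_ADMIN_RULES, ASB_ADMIN_RULES)` returns False with both wildcard atoms uncovered, which is the condition the API server reports as forbidden; once the creator itself holds cluster-admin, the same call returns True.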
