Workaround for auth issue

[detiber]

This PR uses the generation scripts to patch up the auth_settings configuration for the api classes.

There is still an issue with creating projects as a non-admin user, but this fixes the issue where the auth header was not being set.

[detiber]

@chouseknecht one other issue that I've found... If using a non-admin user, the get returns a 403 instead of a 404.

[chouseknecht]

@detiber, I think this coincides with what you were saying on Friday. If I oc new-project foo first, and then run my test_helloworld.yml playbook, using the non-admin user developer, the k8s modules seem to succeed.

However, the deployment eventually fails with the following error:

--> Scaling helloworld-1 to 1
-->  FailedCreate: helloworld-1 Error creating: pods "helloworld-1-" is forbidden: unable to validate against any security context constraint: [seLinuxOptions.level: Invalid value: "": seLinuxOptions.level on  does not match required level.  Found , wanted s0:c9,c4 seLinuxOptions.level: Invalid value: "": seLinuxOptions.level on helloworld does not match required level.  Found , wanted s0:c9,c4]
error: couldn't scale helloworld-1 to 1: timed out waiting for "helloworld-1" to be synced

Conclusions

• By creating the project first, outside of the k8s modules, the 403 error goes aways.
• There's definitely something missing when we create a project via thek8s_v1_project.pymodule. Like you said, we're not creating the project from a template. I imagine what may be missing is some security policy stuff. I'll see if I can do some comparisons and pin it down.
• Deployments are failing. Not sure why. I believe, if I create the project first, and use the admin user, the deployment will succeed.

[chouseknecht]

@detiber,

Encountering the same deployment failure when logged in as system:admin.

Steps to reproduce

• oc login -u system:admin
• oc new-project foo
• ansible-playbook test_helloworld.yml

Resulting error

--> Scaling helloworld-1 to 1
-->  FailedCreate: helloworld-1 Error creating: pods "helloworld-1-" is forbidden: unable to validate against any security context constraint: [seLinuxOptions.level: Invalid value: "": seLinuxOptions.level on  does not match required level.  Found , wanted s0:c10,c0 seLinuxOptions.level: Invalid value: "": seLinuxOptions.level on helloworld does not match required level.  Found , wanted s0:c10,c0]
error: couldn't scale helloworld-1 to 1: timed out waiting for "helloworld-1" to be synced

[chouseknecht]

@detiber, figured out the issue with the deployment. Kinda.

The issue is that we're not specifying a default se_linux_options_level in pod_security_context. Because nothing gets passed in at the playbook level, we end up sending a null to the API. However, if I pass in pod_security_context_se_linux_options_level: "s0:c6,c5" then the deployment works.

Two things come to mind...

• When we create a deployment, meaning we're starting from an empty object, and updating it with module parameters, maybe we need to supply some defaults? What I've learned from testing:

  • default trigger, when none are specified
  • default the pod_security_context_se_linux_options_level to "s0:c6,c5" - no idea that means, but it works

• Or, are we doing it wrong in the Ansible helper? Maybe instead of passing null, the property shouldn't be there at all. Maybe we're preventing the API from supplying sane defaults?

[chouseknecht]

@detiber,

It seems to be the latter. If instead of passing a model object to the create method, I pass a JSON request body with just the parameter values, it works. The default trigger and default se_linux_option _level are provided by the API.