debianmaster/openshift-examples

permission issue

Closed this issue · 3 comments

When I execute the following command:

oc adm policy add-cluster-role-to-user cluster-reader -z default

I get the error:

Error from server (Forbidden): User "developer" cannot list clusterrolebindings.authorization.openshift.io at the cluster scope: User "developer" cannot list all clusterrolebindings.authorization.openshift.io in the cluster (get clusterrolebindings.authorization.openshift.io)

Someone suggested running it as follows:

docker exec origin oc adm policy add-cluster-role-to-user cluster-reader -z default

This does not throw any errors, but when I start Prometheus I see the following in the logs:

level=error ts=2017-12-18T07:03:44.408931326Z caller=main.go:211 component=k8s_client_runtime err="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:263: Failed to list *v1.Node: User \"system:serviceaccount:test:default\" cannot list nodes at the cluster scope: User \"system:serviceaccount:test:default\" cannot list all nodes in the cluster (get nodes)"
 

You need to log in as cluster admin to be able to provide cluster-reader permissions to the service account.

To log in as cluster admin, try:

oc login -u system:admin

Use this command to provide permissions in the right namespace:

oc adm policy add-cluster-role-to-user cluster-reader -z default -n <namespace>

Closing this for now; re-open if needed.
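
The Forbidden message in the Prometheus log names the denied subject as system:serviceaccount:<namespace>:<name>, which is the pair to pass to -z and -n. The script below is an added example, not part of the issue thread or the repository: its function names and the shortened sample log line are constructed for illustration, and it only prints the oc commands (the grant from the answer above, plus an oc auth can-i check run with impersonation) rather than executing them.

```shell
#!/bin/sh
# Added example (not from the issue): turn an RBAC "Forbidden" message into the
# grant and verification commands for the service account it names.

# Constructed sample: the Prometheus log line from the issue, shortened.
SAMPLE_LOG='level=error err="Failed to list *v1.Node: User \"system:serviceaccount:test:default\" cannot list all nodes in the cluster (get nodes)"'

# Print "<namespace> <name>" of the first service account subject in the text.
# Fails when the denied user is not a service account (e.g. "developer").
sa_from_forbidden() {
  subject=$(printf '%s\n' "$1" |
    grep -oE 'system:serviceaccount:[a-z0-9.-]+:[a-z0-9.-]+' | head -n 1)
  [ -n "$subject" ] || return 1
  rest=${subject#system:serviceaccount:}
  printf '%s %s\n' "${rest%%:*}" "${rest#*:}"
}

# Print "<verb> <resource>" for the action the API server denied.
denied_action() {
  printf '%s\n' "$1" | sed -nE \
    's/.*cannot ([a-z]+) (all )?([a-z.]+) (at|in) the cluster.*/\1 \3/p' | head -n 1
}

# Print the commands to run as cluster admin; nothing is executed here.
grant_and_verify_cmds() {
  sa=$(sa_from_forbidden "$1") || return 1
  ns=${sa% *}
  name=${sa#* }
  action=$(denied_action "$1")
  echo "oc adm policy add-cluster-role-to-user cluster-reader -z $name -n $ns"
  if [ -n "$action" ]; then
    echo "oc auth can-i $action --as=system:serviceaccount:$ns:$name"
  fi
}

grant_and_verify_cmds "$SAMPLE_LOG"
```

For the log line in this issue, the namespace comes out as test, so the binding has to be created with -n test; the can-i command should answer yes once it is in place.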