Security error in provision new bundle
Asgoret opened this issue · 6 comments
Hi!
Today I tried to change the Ansible module from the kubernetes module to the asb module and got an access error on deployment. I tried:
- Running apb provision as:
  - system:admin
  - developer
  - developer (with the cluster-admin policy)
- Running openshift-permissions.template.yaml
- Running in different projects:
  - openshift
  - test (a project I created)
- Running through:
  - GUI
  - CLI
- Running with different sandbox roles:
  - admin
  - edit
My system:
```
minishift v1.27.0+707887e
oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:17:39Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2018-11-20T19:51:55Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
```
Logs output:
```
TASK [nginx-simple : Create NGINX Example deployment config] *******************
fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to retrieve requested object: {\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"deploymentconfigs.apps.openshift.io is forbidden: User \\\"system:serviceaccount:openshift:bundle-beac6728-019f-48d2-921d-1744d80ca9a5\\\" cannot list deploymentconfigs.apps.openshift.io at the cluster scope: no RBAC policy matched\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apps.openshift.io\",\"kind\":\"deploymentconfigs\"},\"code\":403}\n", "reason": "Forbidden", "status": 403}
```
> "system:serviceaccount:openshift:bundle-beac6728-019f-48d2-921d-1744d80ca9a5" cannot list deploymentconfigs.apps.openshift.io at the cluster scope
Odd. This makes me think there may be a problem with your task. Could you please link to the APB (specifically the task) that is failing?
@djzager hi! I tried to run this command:
```
apb bundle provision nginx-simple --follow
```
I tried it under different users (admins, cluster-admins, a base user) but all of them get this error.
@Asgoret Apologies for not being clear. I meant the source for this nginx-simple APB you are running. I would like to see the Ansible you have written for the task "Create NGINX Example deployment config".
@djzager I hope not the full playbook :)

main.yml
```yaml
- name: Read definition file from the Ansible controller file system
  k8s:
    state: present
    definition: "{{ lookup('template', 'deployment-config.yaml') }}"
```
and the deployment config
```yaml
kind: DeploymentConfig
apiVersion: v1
name: nginx-simple
namespace: '{{ namespace }}'
state: present
labels:
  app: '{{ namespace }}'
  service: nginx-simple
replicas: 1
selector:
  app: '{{ namespace }}'
  service: nginx-simple
spec_template_metadata_labels:
  app: '{{ namespace }}'
  service: nginx-simple
containers:
  - image: docker.io/twalter/openshift-nginx
    name: nginx-simple
    ports:
      - container_port: 8080
        protocol: TCP
    volumeMounts:
      - mountPath: /etc/nginx/conf.d
        name: configuration
restart_policy: Always
volumes:
  - name: configuration
    configMap:
      name: nginx-conf
      items:
        - key: nginx-conf
          path: default.conf
```
And provision.yml
```yaml
- name: nginx-simple playbook to provision the application
  hosts: localhost
  # strategy: debug
  gather_facts: false
  connection: local
  vars:
    apb_action: provision
  roles:
    - ansibleplaybookbundle.asb-modules
    - nginx-simple
```
Could you put the name and namespace in metadata, remove state (example below) and report back?

Edit: looks like more needs to be updated than I originally thought. Here is a good example of a deployment(config) template.
```yaml
---
kind: DeploymentConfig
apiVersion: v1
# name and namespace live under metadata: that is where the k8s module reads
# them when it looks up the object, so the request stays scoped to the project.
metadata:
  name: nginx-simple
  namespace: '{{ namespace }}'
  labels:
    app: '{{ namespace }}'
    service: nginx-simple
spec:
  replicas: 1
  selector:
    app: '{{ namespace }}'
    service: nginx-simple
  template:
    metadata:
      labels:
        app: '{{ namespace }}'
        service: nginx-simple
    spec:
      containers:
        - image: docker.io/twalter/openshift-nginx
          name: nginx-simple
          ports:
            - containerPort: 8080
              protocol: TCP
          volumeMounts:
            - mountPath: /etc/nginx/conf.d
              name: configuration
      restartPolicy: Always
      volumes:
        - name: configuration
          configMap:
            name: nginx-conf
            items:
              - key: nginx-conf
                path: default.conf
```
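Why the 403 happened, and why the right repair is the definition rather than the service account's role, can be shown with a small model. The following is an added example, not code from this thread or from the APB project: it mirrors the behaviour the error message implies (the k8s module does a namespaced GET when `metadata.name` and `metadata.namespace` are present, and otherwise falls back to a LIST at cluster scope) and checks that request against a namespaced sandbox role of the kind the bundle service account is given. The role rules, the kind-to-resource table and the two definitions are constructed for the example, and `Rule`, `Binding`, `plan_request` and `check` are names assumed here.

```python
# Added example (not the APB project's code): model the request the k8s module
# makes for a definition and evaluate it against the bundle SA's RBAC binding.
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: only the one kind from the thread is modelled; real API discovery
# data has many more entries.
KIND_TO_RESOURCE = {"DeploymentConfig": ("apps.openshift.io", "deploymentconfigs")}


@dataclass(frozen=True)
class Rule:
    """One PolicyRule: apiGroups / resources / verbs, with '*' as a wildcard."""
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset

    def matches(self, group: str, resource: str, verb: str) -> bool:
        return (("*" in self.api_groups or group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass(frozen=True)
class Binding:
    """A RoleBinding (namespace set) or a ClusterRoleBinding (namespace None)."""
    rules: Tuple[Rule, ...]
    namespace: Optional[str] = None

    def allows(self, group: str, resource: str, verb: str, namespace: Optional[str]) -> bool:
        # A RoleBinding only grants inside its own namespace, so a cluster-scoped
        # request (namespace None) can never be satisfied by one.
        if self.namespace is not None and namespace != self.namespace:
            return False
        return any(r.matches(group, resource, verb) for r in self.rules)


# Constructed: the single rule from a namespaced 'edit'-style sandbox role that
# matters for deploymentconfigs, bound in the project the bundle provisions into.
SANDBOX_EDIT = Binding(
    rules=(Rule(frozenset({"apps.openshift.io"}), frozenset({"deploymentconfigs"}),
                frozenset({"get", "list", "create", "update", "patch", "delete"})),),
    namespace="test",
)
# Constructed: the "just make it cluster-admin" binding, for comparison only.
CLUSTER_ADMIN = Binding(rules=(Rule(frozenset({"*"}), frozenset({"*"}), frozenset({"*"})),))


def plan_request(definition: dict):
    """Return (group, resource, verb, namespace) for the lookup the module makes
    before creating the object: a namespaced GET when metadata carries name and
    namespace, otherwise a LIST at cluster scope (the call denied in the thread)."""
    group, resource = KIND_TO_RESOURCE[definition["kind"]]
    meta = definition.get("metadata", {})
    if meta.get("name") and meta.get("namespace"):
        return group, resource, "get", meta["namespace"]
    return group, resource, "list", None


def check(definition: dict, binding: Binding = SANDBOX_EDIT) -> dict:
    """Evaluate the planned request against a binding; the message mirrors the
    shape of the API server's Forbidden status."""
    group, resource, verb, ns = plan_request(definition)
    allowed = binding.allows(group, resource, verb, ns)
    scope = f"namespace {ns}" if ns else "the cluster scope"
    outcome = "ok" if allowed else "no RBAC policy matched"
    return {"verb": verb, "namespace": ns, "allowed": allowed,
            "message": f"{verb} {resource}.{group} at {scope}: {outcome}"}


# Constructed: the definition as first posted (name/namespace at top level)...
BROKEN = {"kind": "DeploymentConfig", "apiVersion": "v1",
          "name": "nginx-simple", "namespace": "test", "state": "present"}
# ...and the same object with them under metadata, where the module looks.
FIXED = {"kind": "DeploymentConfig", "apiVersion": "v1",
         "metadata": {"name": "nginx-simple", "namespace": "test"}}

if __name__ == "__main__":
    for label, definition in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{label}: {check(definition)['message']}")
    print(f"broken + cluster-admin: {check(BROKEN, CLUSTER_ADMIN)['message']}")
```

The broken definition produces a cluster-scoped list that no namespaced binding can satisfy, which is exactly the denial in the log; the fixed one produces a namespaced get that the sandbox role already permits. The comparison with `CLUSTER_ADMIN` shows why widening the service account's role would also have "worked": it removes the error by removing the scope check, which is the wrong trade. Binding the same role in a different project (for example `openshift` instead of `test`) does not help either, which matches the failures across projects reported above.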