openshift/ansible-service-broker

Security error in provision new bundle

Asgoret opened this issue · 6 comments

Hi!
I tried today to change the Ansible module from the kubernetes module to the asb module and caught an access error in deployment. I tried:

  1. Run apb provision from:
    • system:admin
    • developer
    • developer (with cluster-admin policy)
  2. Run openshift-permissions.template.yaml
  3. run in different projects:
    • openshift
    • test (a project I created)
  4. Run through:
    • GUI
    • CLI
  5. Run with different sandbox roles:
    • admin
    • edit

My system:

minishift v1.27.0+707887e

oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth

Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:17:39Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2018-11-20T19:51:55Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}

Log output:

TASK [nginx-simple : Create NGINX Example deployment config] *******************
fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to retrieve requested object: {\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"deploymentconfigs.apps.openshift.io is forbidden: User \\\"system:serviceaccount:openshift:bundle-beac6728-019f-48d2-921d-1744d80ca9a5\\\" cannot list deploymentconfigs.apps.openshift.io at the cluster scope: no RBAC policy matched\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apps.openshift.io\",\"kind\":\"deploymentconfigs\"},\"code\":403}\n", "reason": "Forbidden", "status": 403}

"system:serviceaccount:openshift:bundle-beac6728-019f-48d2-921d-1744d80ca9a5\\\" cannot list deploymentconfigs.apps.openshift.io at the cluster scope

Odd. This makes me think there may be a problem with your task. Could you link please to the APB (specifically the task) that is failing?

@djzager hi! I try to run this command:

apb bundle provision nginx-simple --follow

I tried it under different users (like admins, cluster-admins, base-user) but all of them get this error.

@Asgoret Apologies for not being clear. I meant the source for this nginx-simple APB you are running. I would like to see the Ansible you have written for the task Create NGINX Example deployment config.

@djzager I hope not the full playbook)
main.yml

- name: Read definition file from the Ansible controller file system
  k8s:
    state: present
    definition: "{{ lookup('template', 'deployment-config.yaml') }}"

and deployment config

kind: DeploymentConfig
apiVersion: v1
name: nginx-simple
namespace: '{{ namespace }}'
state: present
labels:
  app: '{{ namespace }}'
  service: nginx-simple
replicas: 1
selector:
  app: '{{ namespace }}'
  service: nginx-simple
spec_template_metadata_labels:
  app: '{{ namespace }}'
  service: nginx-simple
containers:
  - image: docker.io/twalter/openshift-nginx
    name: nginx-simple
    ports:
      - container_port: 8080
        protocol: TCP
    volumeMounts:
      - mountPath: /etc/nginx/conf.d
        name: configuration
restart_policy: Always
volumes:
  - name: configuration
    configMap:
      name: nginx-conf
      items:
        - key: nginx-conf
          path: default.conf

And provision.yml

- name: nginx-simple playbook to provision the application
  hosts: localhost
#  strategy: debug
  gather_facts: false
  connection: local
  vars:
    apb_action: provision
  roles:
  - ansibleplaybookbundle.asb-modules
  - nginx-simple

Could you put the name and namespace in metadata, remove state (example below) and report back?

Edit: looks like more needs to be updated than I originally thought. Here is a good example of a deployment(config) template.

---
kind: DeploymentConfig
apiVersion: v1
metadata:
  name: nginx-simple
  namespace: '{{ namespace }}'
labels:
  app: '{{ namespace }}'
  service: nginx-simple
replicas: 1
selector:
  app: '{{ namespace }}'
  service: nginx-simple
spec_template_metadata_labels:
  app: '{{ namespace }}'
  service: nginx-simple
containers:
  - image: docker.io/twalter/openshift-nginx
    name: nginx-simple
    ports:
      - container_port: 8080
        protocol: TCP
    volumeMounts:
      - mountPath: /etc/nginx/conf.d
        name: configuration
restart_policy: Always
volumes:
  - name: configuration
    configMap:
      name: nginx-conf
      items:
        - key: nginx-conf
          path: default.conf
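The same deployment written as the API object the k8s module expects, added here as an example and not code from the issue or the project. Putting name and namespace under metadata is what lets the module look the object up inside the sandbox namespace; the 403 above shows the lookup running at cluster scope, where the namespace-bound bundle service account has no rights. It assumes the apps.openshift.io/v1 group named in the error; image, port, labels and configMap name are the ones from the thread.

```yaml
# Added example (not from the issue or the project): a real DeploymentConfig
# object for the k8s module. name and namespace live under metadata, so the
# module gets the object in '{{ namespace }}' instead of listing at cluster scope.
# apiVersion is an assumption taken from the API group in the 403 message.
---
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: nginx-simple
  namespace: '{{ namespace }}'
  labels:
    app: '{{ namespace }}'
    service: nginx-simple
spec:
  replicas: 1
  selector:
    app: '{{ namespace }}'
    service: nginx-simple
  template:
    metadata:
      labels:
        app: '{{ namespace }}'
        service: nginx-simple
    spec:
      restartPolicy: Always
      containers:
        - name: nginx-simple
          image: docker.io/twalter/openshift-nginx
          ports:
            - containerPort: 8080
              protocol: TCP
          volumeMounts:
            - mountPath: /etc/nginx/conf.d
              name: configuration
      volumes:
        - name: configuration
          configMap:
            name: nginx-conf
            items:
              - key: nginx-conf
                path: default.conf
```

With this shape the sandbox role (admin or edit, bound only in the target project) is enough; no cluster-scoped permission needs to be granted to the bundle service account.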

@djzager yeah...ok, I will do it tomorrow, but do I understand correctly that the default YAML from OpenShift doesn't work with APB and all kinds must be rewritten in APB style?

EDIT: Yeah...it's my template problem. Thx for the help)