Cluster deploy timing issue may leave role bindings missing for hours
rtheis opened this issue · 1 comments
rtheis commented
There is a timing issue that may leave role bindings (see example OpenShift API server logs below) missing for hours after a cluster deployment. The missing shared-resource-viewers
role binding causes oc new-app --name myapp https://github.com/openshift/nodejs-ex.git
to fail
to build due to error error: build error: After retrying 2 times, Pull image still failed due to error: unauthorized: authentication required
. There are likely other impacts beyond this example. Eventually the missing role bindings are created hours later thus allowing oc new-app
to work.
E0413 16:44:39.080537 1 storage_rbac.go:316] unable to reconcile rolebinding.rbac.authorization.k8s.io/shared-resource-viewers in openshift: rolebindings.rbac.authorization.k8s.io "shared-resource-viewers" is forbidden: could not list rolebinding restrictions: the server could not find the requested resource (get rolebindingrestrictions.authorization.openshift.io)
E0413 16:42:58.333934 1 storage_rbac.go:316] unable to reconcile rolebinding.rbac.authorization.k8s.io/system:node-config-reader in openshift-node: rolebindings.rbac.authorization.k8s.io "system:node-config-reader" is forbidden: could not list rolebinding restrictions: the server could not find the requested resource (get rolebindingrestrictions.authorization.openshift.io)
rtheis commented
Moved to openshift/ibm-roks-toolkit#22.