automationbroker / apb

A CLI tool for listing and deploying Service Bundles
http://automationbroker.io
Apache License 2.0

Security error in provision new bundle #143

Closed Asgoret closed 5 years ago

Asgoret commented 5 years ago

Hi! Today I tried to change the Ansible module from the kubernetes module to the asb module and caught an access error in the deployment. I tried: 1) Run apb provision from:

My system:

minishift v1.27.0+707887e

oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth

Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:17:39Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2018-11-20T19:51:55Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}

Logs output:

TASK [nginx-simple : Create NGINX Example deployment config] *******************
fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to retrieve requested object: {\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"deploymentconfigs.apps.openshift.io is forbidden: User \\\"system:serviceaccount:openshift:bundle-beac6728-019f-48d2-921d-1744d80ca9a5\\\" cannot list deploymentconfigs.apps.openshift.io at the cluster scope: no RBAC policy matched\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apps.openshift.io\",\"kind\":\"deploymentconfigs\"},\"code\":403}\n", "reason": "Forbidden", "status": 403}

Asgoret commented 5 years ago

Hi @dymurray! Can you help with it, please?

dymurray commented 5 years ago

I can't know for sure what is going on without more information about the logged in user. The logged in user must not be a cluster-admin and must have a valid token (i.e. oc whoami -t returns a valid token).

The logged in user must also be the user who created the namespace that the bundle is running in. If you can provide me more info about the logged in user that will help me try and replicate.

Asgoret commented 5 years ago

@dymurray Yeah... I tried to use a different user (like test) and create a new project, and it didn't help. oc whoami -t returns a token... Which information do you need? If it matters, I use minishift on macOS.

Asgoret commented 5 years ago

@dymurray OK... it seems I found the error. I was logged in with oc login -u test -p test and needed to log in via token with oc login https://192.168.64.47:8443 --token=AzmpyxdqUGxahINDbIu1Fb5s6AMuEvgQLJYDFfmG090 ... I don't know, but it seems it's a kind of bug.

EDIT: Nope... doesn't help.

EDIT#2: Found the problem. It was an incorrect template.
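
An added example, not part of the thread or of the apb project's code: a small triage helper that unpacks the doubly nested 403 from the opening comment into the denied subject, verb, resource and scope. The function name `parse_denial` is hypothetical, the regex assumes the denial wording shown in that log (Kubernetes v1.11 server), and the suggested `oc auth can-i ... --as=` recheck assumes the caller is allowed to impersonate.

```python
import json
import re

# The failure line from the opening comment, copied as raw text.
ANSIBLE_LINE = (
    r'fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": '
    r'"Failed to retrieve requested object: {\"kind\":\"Status\",\"apiVersion\":\"v1\",'
    r'\"metadata\":{},\"status\":\"Failure\",\"message\":\"deploymentconfigs.apps.openshift.io '
    r'is forbidden: User \\\"system:serviceaccount:openshift:'
    r'bundle-beac6728-019f-48d2-921d-1744d80ca9a5\\\" cannot list '
    r'deploymentconfigs.apps.openshift.io at the cluster scope: no RBAC policy matched\",'
    r'\"reason\":\"Forbidden\",\"details\":{\"group\":\"apps.openshift.io\",'
    r'\"kind\":\"deploymentconfigs\"},\"code\":403}\n", "reason": "Forbidden", "status": 403}'
)

# Denial wording as it appears in the log above (Kubernetes v1.11 server).
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) (?P<resource>\S+) '
    r'(?:in the namespace "(?P<ns>[^"]+)"|at the cluster scope)'
)

def parse_denial(line):
    """Return the RBAC denial fields from an Ansible 'fatal' line, or None."""
    payload = line.partition("=> ")[2]          # JSON result after the arrow
    try:
        msg = json.loads(payload)["msg"]
        status = json.loads(msg[msg.index("{"):])  # nested API Status object
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    m = DENIAL.search(status.get("message", ""))
    if status.get("code") != 403 or not m:
        return None
    parts = m["user"].split(":")
    is_sa = len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]
    ns = m["ns"]  # None means the request was made without a namespace
    cmd = f"oc auth can-i {m['verb']} {m['resource']} --as={m['user']}"
    return {
        "user": m["user"],
        "sa_namespace": parts[2] if is_sa else None,
        "sa_name": parts[3] if is_sa else None,
        "verb": m["verb"],
        "resource": m["resource"],
        "namespace": ns,
        "recheck": cmd + (f" -n {ns}" if ns else ""),
    }

if __name__ == "__main__":
    for key, value in parse_denial(ANSIBLE_LINE).items():
        print(f"{key:13}{value}")
```

For the log in this issue the helper reports a `list` on `deploymentconfigs.apps.openshift.io` with no namespace, which is what "at the cluster scope" in the API message means.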