blackducksoftware / perceivers

Kubernetes and openshift image discovery for OpsSight
Apache License 2.0

Default service account can't read pods or enumerate all the things in OpenShift 3.7 #12

Closed msenmurugan closed 6 years ago

msenmurugan commented 6 years ago

This ticket is created by @sheppduck

Brand new OCP 3.7 4-node cluster, many apps installed and running, including the perceptor. Unfortunately, as soon as the perceptor tried to enumerate pods and images we see:

time="2018-02-16T21:22:02Z" level=info msg="starting pod-perceiver"
time="2018-02-16T21:22:02Z" level=info msg="starting pod controllers"
E0216 21:22:02.421656 1 reflector.go:205] github.com/blackducksoftware/perceivers/pod/pkg/controller/pod_controller.go:103: Failed to list v1.Pod: User "system:serviceaccount:bds-perceptor:openshift-perceiver" cannot list pods at the cluster scope: User "system:serviceaccount:bds-perceptor:openshift-perceiver" cannot list all pods in the cluster (get pods)
E0216 21:22:03.424139 1 reflector.go:205] github.com/blackducksoftware/perceivers/pod/pkg/controller/pod_controller.go:103: Failed to list v1.Pod: User "system:serviceaccount:bds-perceptor:openshift-perceiver" cannot list pods at the cluster scope: User "system:serviceaccount:bds-perceptor:openshift-perceiver" cannot list all pods in the cluster (get pods)
E0216 21:22:04.425714 1 reflector.go:205] github.com/blackducksoftware/perceivers/pod/pkg/controller/pod_controller.go:103: Failed to list *v1.Pod: User "system:serviceaccount:bds-perceptor:openshift-perceiver" cannot list pods at the cluster scope: User "system:serviceaccount:bds-perceptor:openshift-perceiver" cannot list all pods in the cluster (get pods)
E0216 21:22:05.427277 1 reflector.go:205]

over and over. Nothing discovered, nothing scanned. This is with @msenmurugan's newest OpenShift install. He says it works fine on OpenShift Origin 3.6, not OCP...

rrati commented 6 years ago

You need to give permissions to the service account. For now:

oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount::openshift-perceiver

I'll fine-tune the permissions later. This is documented in the readme in the deploy/openshift dir.

rrati commented 6 years ago

Oops, double :: at the end for some reason. Fixed:

oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:[project]:openshift-perceiver
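A least-privilege alternative to binding cluster-admin, added here as an example and not part of the perceivers project's deploy/openshift manifests: a ClusterRole that grants only read access to pods and OpenShift image objects, bound to the openshift-perceiver service account in the bds-perceptor project named in the log output above. The resource list is an assumption derived from the "cannot list pods at the cluster scope" error and the repository's image-discovery purpose; the perceiver may need additional resources, and OCP 3.7 (Kubernetes 1.7) may only serve the rbac.authorization.k8s.io/v1beta1 version of these kinds.

```yaml
# Added example, not from the perceivers repo. Assumes the service account
# lives in the bds-perceptor project, as in the error messages above, and that
# read access to pods and OpenShift images is sufficient for discovery.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: perceiver-reader
rules:
  # The reflector in pod_controller.go lists and watches pods cluster-wide;
  # no create/update/delete verbs are granted.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Image discovery: read-only access to OpenShift image objects (assumed set).
  - apiGroups: ["image.openshift.io"]
    resources: ["images", "imagestreams"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: perceiver-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: perceiver-reader
subjects:
  - kind: ServiceAccount
    name: openshift-perceiver
    namespace: bds-perceptor
```

Apply it with `oc apply -f` (replace `[project]` with the namespace the perceiver is deployed in if it is not bds-perceptor), then confirm the reflector's needs are met with `oc auth can-i list pods --all-namespaces --as=system:serviceaccount:bds-perceptor:openshift-perceiver`. Unlike the cluster-admin binding, this leaves a compromised perceiver pod with read-only access to pods and images rather than full control of the cluster.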

msenmurugan commented 6 years ago

Thanks @rrati. It is working fine.