Forbidden errors for knative & tekton resource in MOOC team four (and two)

davesteinberg commented 4 years ago

Describe the bug

I am seeing Forbidden errors when I try to list all resources in one of my namespaces in the MOOC cluster for team four. Johan is seeing the same thing in team two.

To Reproduce

$ oc get all -n test-ds
NAME                                              READY   STATUS    RESTARTS   AGE
pod/inventory-management-bff-ds-6b7dbd9f7-9mqm2   1/1     Running   0          22h
pod/inventory-management-svc-ds-7f446b75d-m45mz   1/1     Running   0          20h
pod/inventory-management-svc-ds-7f446b75d-n5c7h   1/1     Running   0          20h
pod/inventory-management-svc-ds-7f446b75d-rkb9q   1/1     Running   0          20h
pod/inventory-management-ui-ds-6db57dc67b-dd7t5   1/1     Running   0          18h

NAME                                  TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/inventory-management-bff-ds   ClusterIP   172.21.243.243   <none>        80/TCP    22h
service/inventory-management-svc-ds   ClusterIP   172.21.28.156    <none>        80/TCP    20h
service/inventory-management-ui-ds    ClusterIP   172.21.89.251    <none>        80/TCP    22h

NAME                                          DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/inventory-management-bff-ds   1         1         1            1           22h
deployment.apps/inventory-management-svc-ds   3         3         3            3           20h
deployment.apps/inventory-management-ui-ds    1         1         1            1           22h

NAME                                                    DESIRED   CURRENT   READY   AGE
replicaset.apps/inventory-management-bff-ds-5c796dff9   0         0         0       22h
replicaset.apps/inventory-management-bff-ds-6b7dbd9f7   1         1         1       22h
replicaset.apps/inventory-management-svc-ds-7f446b75d   3         3         3       20h
replicaset.apps/inventory-management-ui-ds-6db57dc67b   1         1         1       18h
replicaset.apps/inventory-management-ui-ds-6df49bdd85   0         0         0       21h
replicaset.apps/inventory-management-ui-ds-94dbc8bdd    0         0         0       22h
Error from server (Forbidden): podautoscalers.autoscaling.internal.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list podautoscalers.autoscaling.internal.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): images.caching.internal.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list images.caching.internal.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): extensions.dashboard.tekton.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list extensions.dashboard.tekton.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): triggers.eventing.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list triggers.eventing.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): subscriptions.eventing.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list subscriptions.eventing.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): clusterchannelprovisioners.eventing.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list clusterchannelprovisioners.eventing.knative.dev at the cluster scope: no RBAC policy matched
Error from server (Forbidden): channels.eventing.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list channels.eventing.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): brokers.eventing.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list brokers.eventing.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): eventtypes.eventing.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list eventtypes.eventing.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): certificates.networking.internal.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list certificates.networking.internal.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): serverlessservices.networking.internal.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list serverlessservices.networking.internal.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): clusteringresses.networking.internal.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list clusteringresses.networking.internal.knative.dev at the cluster scope: no RBAC policy matched
Error from server (Forbidden): routes.serving.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list routes.serving.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): revisions.serving.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list revisions.serving.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): configurations.serving.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list configurations.serving.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): services.serving.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list services.serving.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): cronjobsources.sources.eventing.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list cronjobsources.sources.eventing.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): githubsources.sources.eventing.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list githubsources.sources.eventing.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): containersources.sources.eventing.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list containersources.sources.eventing.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): apiserversources.sources.eventing.knative.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list apiserversources.sources.eventing.knative.dev in the namespace "test-ds": no RBAC policy matched
Error from server (Forbidden): clustertasks.tekton.dev is forbidden: User "IAM#davidms@ca.ibm.com" cannot list clustertasks.tekton.dev at the cluster scope: no RBAC policy matched

Expected behavior

I expect to see a list of resources with no errors.

IBM Cloud

[ ] IBM Kubernetes Service Managed Service
[X] Red Hat OpenShift Managed Services
[ ] Jenkins
[X] Tekton
[ ] SonarQube
[ ] Pact
[ ] Artifactory
[ ] IBM Image Registry

Additional context

Discussion here: https://ibm-garage.slack.com/archives/CQ2FYU9RN/p1574609553155600

mjperrins commented 4 years ago

This is related to the installation of ICP4A and other content, the RBAC rules need to be updated for the clusters, we will resolve this before Session 2 started on Monday @csantanapr @seansund

jmereaux commented 4 years ago

Gave it another try this morning and seems like the errors seen before are now gone.

davesteinberg commented 4 years ago

I'm still seeing the errors in team four.

mjperrins commented 4 years ago

We have not updated the RBAC rules working on that now

cloud-native-toolkit / planning

Forbidden errors for knative & tekton resource in MOOC team four (and two) #4