jupyter-on-openshift / jupyterhub-quickstart

OpenShift compatible version of the JupyterHub application.
Apache License 2.0

500: Internal Server Error - Permission failure checking authorization, I may need a new token #22

Closed GerhardArya closed 4 years ago

GerhardArya commented 4 years ago

Hello, I'm currently trying to get JupyterHub to run on OpenShift Container Platform. I have managed to follow your guide with some changes and get it to build and deploy.

The change that I made was removing the parts in the template's YAML related to service accounts in the templates because it kept conflicting with RBAC, causing errors that prevented it from deploying at all.

After it is deployed, when I go to the created route and try to use it the server starts, but then I get this error:

500: Internal Server Error - Permission failure checking authorization, I may need a new token.

When I look at the logs from OpenShift, it shows this:

[I 2019-07-24 10:44:56.863 JupyterHub log:158] 302 GET / -> /hub (@::ffff:ip) 1.11ms
[I 2019-07-24 10:44:56.883 JupyterHub log:158] 302 GET /hub -> /hub/ (@::ffff:ip) 0.52ms
[I 2019-07-24 10:44:56.918 JupyterHub log:158] 302 GET /hub/ -> /user/token/ (token@::ffff:ip) 11.60ms
[I 2019-07-24 10:44:57.012 JupyterHub log:158] 302 GET /hub/api/oauth2/authorize?client_id=jupyterhub-user-token&redirect_uri=%2Fuser%2Ftoken%2Foauth_callback&response_type=code&state=[secret] -> /user/token/oauth_callback?code=[secret]&state=[secret] token@::ffff:ip) 23.87ms

I tried looking for similar issues but I couldn't find any. So I decided to ask you directly. What could possibly cause this issue and how could I solve it?

Any help would be appreciated. Thank you very much in advance!

GrahamDumpleton commented 4 years ago

Can you explain how it "kept conflicting with RBAC"?

You can't remove the service account parts as that grants it the ability to talk to the REST API of the cluster to deploy things.

GerhardArya commented 4 years ago

I kept getting this error:

--> Deploying template "lprojectname/jupyterhub-deployer" to project projectname

JupyterHub
Template for deploying a JupyterHub instance.

  • With parameters:
    • APPLICATION_NAME=jupyterhub
    • JUPYTERHUB_IMAGE=jupyterhub:3.1.0
    • NOTEBOOK_IMAGE=s2i-minimal-notebook:3.6
    • JUPYTERHUB_CONFIG=
    • DATABASE_PASSWORD=uQV3fTR2mbSyymfx # generated
    • COOKIE_SECRET=0eea3742c8d70a44535a1d5273021c2c # generated
    • JUPYTERHUB_MEMORY=512Mi
    • DATABASE_MEMORY=512Mi
    • NOTEBOOK_MEMORY=512Mi

--> Creating resources ...
configmap "jupyterhub-cfg" created
serviceaccount "jupyterhub-hub" created
error: rolebindings.authorization.openshift.io is forbidden: User "system:serviceaccount:projectname:lab" cannot create rolebindings.authorization.openshift.io in the namespace "projectname": no RBAC policy matched
deploymentconfig.apps.openshift.io "jupyterhub" created
service "jupyterhub" created
route.route.openshift.io "jupyterhub" created
persistentvolumeclaim "jupyterhub-db" created
deploymentconfig.apps.openshift.io "jupyterhub-db" created
service "jupyterhub-db" created
--> Failed

Once parts relating to serviceaccount got removed, it deployed, but then I got this 500 error.

GrahamDumpleton commented 4 years ago

Whoever administers your OpenShift cluster has explicitly removed your ability to create role bindings. This means they are either quite paranoid, or perhaps don't have a complete understanding of how inheritance of rights works with role bindings.

You can confirm that the ability to create role bindings has been removed by running:

oc auth can-i create rolebindings

Normally any authenticated user would be able to create role bindings because it doesn't really present a risk. This is because even if you can create role bindings, you can't delegate role capabilities that you don't already have. So even if you created a role binding which tried to give a service account a role with elevated privileges, the service account wouldn't actually get them, because you yourself don't have them.

You need to take this up with whoever administers your OpenShift cluster. You cannot deploy JupyterHub without the capability of being able to bind to the service account it runs as, access to the OpenShift REST API endpoint. This is what the template is trying to do.

If the administrator of your cluster is not willing to give you the ability to create role bindings as any authenticated user would normally have, then they will need to deploy the JupyterHub instance for you.
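A preflight check built on the `oc auth can-i` command above, as an added example that is not part of the original thread or the project's own code: it asks the cluster, for each resource type named in the deployment output earlier in the thread, whether the current identity may create it, so a missing permission shows up before a partial deployment. The function names and the `TEMPLATE_RESOURCES` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): check create permissions before
# deploying the template, instead of finding out from a half-created app.

# Resource types taken from the "Creating resources ..." output quoted
# earlier in this thread. The variable name is an assumption.
TEMPLATE_RESOURCES="configmaps serviceaccounts rolebindings deploymentconfigs services routes persistentvolumeclaims"

# Print, one per line, every resource type the current identity may NOT
# create in the current project. `oc auth can-i` prints "yes" when the
# action is allowed; anything else (including a failed call) counts as "no".
missing_permissions() {
    for res in $TEMPLATE_RESOURCES; do
        answer=$(oc auth can-i create "$res" 2>/dev/null) || answer=no
        [ "$answer" = "yes" ] || echo "$res"
    done
}

# Return 0 only when every resource type can be created. Otherwise list
# what is blocked on stderr and return 1 so a calling script can stop.
preflight() {
    missing=$(missing_permissions)
    if [ -n "$missing" ]; then
        # $missing is left unquoted on purpose to join the lines with spaces
        echo "cannot create:" $missing >&2
        echo "raise this with the cluster administrator before deploying" >&2
        return 1
    fi
    echo "all template resources can be created"
}

# Usage: call preflight and process the template only if it returns 0.
```

On a cluster configured like the one in this thread, the check would report `rolebindings` as blocked while the other resource types pass.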

GrahamDumpleton commented 4 years ago

Closing as no followup and believe is an issue with the permissions on the cluster.