Closed coolbrg closed 6 years ago
@budhrg How much time given between the apply command and remove command. Not sure if you had enabled it.
How much time given between the apply command and remove command. Not sure if you had enabled it.
10mins and tried with a little time gap in apply and remove.
Any update here @garagatyi, @l0rd @sunix ?
@budhrg, @LalatenduMohanty I have looked on this and found the oc command has problem listing roles:
[agajdosi@dhcp-24-156 minishift]$ oc adm policy remove-role-from-user system:image-builder developer -n openshift
Error from server (Forbidden): rolebindings.authorization.openshift.io is forbidden: User "developer" cannot list rolebindings.authorization.openshift.io in the namespace "openshift": User "developer" cannot list rolebindings.authorization.openshift.io in project "openshift"
So I have added --as system:admin
to see how that goes, but even that command failed:
[agajdosi@dhcp-24-156 minishift]$ oc adm policy remove-role-from-user system:image-builder developer -n openshift --as system:admin
error: unable to find target [developer]
Seems that user developer
does not have that role assigned in namespace openshift
, thus it cannot be removed. This is negative also from oc get rolebindings
:
[agajdosi@dhcp-24-156 minishift]$ oc get rolebindings --as system:admin
NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
shared-resource-viewers openshift/shared-resource-viewer system:authenticated
system:deployers /system:deployer deployer
system:image-builders /system:image-builder builder
system:image-pullers /system:image-puller system:serviceaccounts:openshift
Also since https://github.com/minishift/minishift-addons/commit/d13aaa66980127531f6f5fc915ec3a0b6302dec2 when the oc adm policy remove-role-from-user system:image-builder developer -n openshift
command in remove was introduced I do not see any oc adm policy add-role-to-user
which is done in openshift
namespace.
The only role adding command in Che addon is done in mini-che
namespace:
oc adm policy add-role-to-user admin developer -n #{NAMESPACE}
When I add the developer
user to the role before addon removal, the removal goes well.
I thus believe the command oc adm policy remove-role-from-user system:image-builder developer -n openshift --as system:admin
is extra here and could be removed. @garagatyi, @l0rd @sunix could you please confirm or give me a hint what I am missing? Would like to fix the issue.
EDIT: command might be needed for another version of Che, going to try. EDIT2: situation for Che 5 is the same, looks like no need for removal of role.
123 should fix this issue
Hoping @l0rd :crossed_fingers:
We are getting following error in removing che addon:
Not sure what happened in recent time, but it was working fine before.
Also, it would be great if we have che integration test https://github.com/minishift/minishift-addons/issues/104. Then we can easily catch these sort of issue in nightly job https://ci.centos.org/job/minishift-addons-nightly-b2d
See https://issues.jboss.org/browse/CDK-287
/cc @garagatyi, @l0rd @sunix