Closed jupierce closed 7 years ago
that would imply the pod is running using the default service account, no?
@bparees That's my understanding.
Looking at kubernetes_plugin.go, the template it instantiates doesn't even setup a "jenkins" service account. The test setup then incorrectly gives additional permissions to the "jenkins" account instead of "default". It seems to follow then that the test has not been running prior to Oct 29th or something has changed about the default SA permissions.
As for issue (1), the template it (should have) used specifies the "jenkins" service account unless it took this code path which should generally only execute on a development system: https://github.com/openshift/origin/blob/master/test/extended/image_ecosystem/plugin.go#L421
Several threads to follow -- continuing to investigate.
check with @liggitt or @deads2k about what might have changed in the default service account permissions.
nothing has changed in the default service account permissions that I'm aware of
In other words, these observations are independent. Closing the issue since the causes must be addressed in origin. Thanks @bparees @liggitt .
See for followup:
Still trying to figure out what changed here, but several origin extended test failures have induced me to track this problem. When running within OpenShift, the Jenkins plugin is attempting to access APIServer resources using the "default" service account instead of the "jenkins" service account.
@gabemontero @oatmealraisin @csrwng
Errors:
https://ci.openshift.redhat.com/jenkins/job/origin_extended_image_tests/731/consoleFull