quay / quay-bridge-operator

Utilization of Red Hat Quay as the default image registry for an OpenShift Container Platform environment
Apache License 2.0

RBAC error: Failed to list *v1.Build: builds.build.openshift.io on OCP 3.11 #1

Open saikirandusari opened 4 years ago

saikirandusari commented 4 years ago

I'm getting an RBAC error inside the quay operator when running on 3.11.

```
$ oc version
Client Version: v3.11.98
Server Version: v3.11.153
kubernetes v1.11.0+d4cacc0
```

Here is the deployment config

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: '2'
  creationTimestamp: '2019-07-02T23:44:59Z'
  generation: 8
  labels:
    name: quay-openshift-registry-operator
  name: quay-openshift-registry-operator
  namespace: quay-integration
  resourceVersion: '305368901'
  selfLink: >-
    /apis/apps/v1/namespaces/quay-integration/deployments/quay-openshift-registry-operator
  uid: 6780777d-9d23-11e9-95b1-001a4a408efd
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      name: quay-openshift-registry-operator
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        name: quay-openshift-registry-operator
    spec:
      containers:
        - command:
            - quay-openshift-registry-operator
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: quay-openshift-registry-operator
          image: 'quay.io/redhat-cop/quay-openshift-registry-operator:latest'
          imagePullPolicy: Always
          name: quay-openshift-registry-operator
          ports:
            - containerPort: 8443
              protocol: TCP
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /etc/webhook/certs
              name: certs
              readOnly: true
      dnsPolicy: ClusterFirst
      imagePullSecrets:
        - name: redhat-pull-secret
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: quay-openshift-registry-operator
      serviceAccountName: quay-openshift-registry-operator
      terminationGracePeriodSeconds: 30
      volumes:
        - name: certs
          secret:
            defaultMode: 420
            secretName: webhook-secret
status:
  availableReplicas: 1
  conditions:
    - lastTransitionTime: '2019-11-15T04:19:47Z'
      lastUpdateTime: '2019-11-15T04:19:47Z'
      message: Deployment has minimum availability.
      reason: MinimumReplicasAvailable
      status: 'True'
      type: Available
    - lastTransitionTime: '2019-07-02T23:44:59Z'
      lastUpdateTime: '2019-11-15T04:28:02Z'
      message: >-
        ReplicaSet "quay-openshift-registry-operator-7b7664fdd4" has
        successfully progressed.
      reason: NewReplicaSetAvailable
      status: 'True'
      type: Progressing
  observedGeneration: 8
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1
```

Error logs from Operator Pod

```
8s.io/client-go@v0.0.0-20181213151034-8d9ed539ba31/tools/cache/reflector.go:95: Failed to list *v1.Build: builds.build.openshift.io is forbidden: User "system:serviceaccount:quay-integration:quay-openshift-registry-operator" cannot list builds.build.openshift.io at the cluster scope: no RBAC policy matched
--
  | E1115 04:29:05.515616       1 reflector.go:134] pkg/mod/k8s.io/client-go@v0.0.0-20181213151034-8d9ed539ba31/tools/cache/reflector.go:95: Failed to list *v1.Build: builds.build.openshift.io is forbidden: User "system:serviceaccount:quay-integration:quay-openshift-registry-operator" cannot list builds.build.openshift.io at the cluster scope: no RBAC policy matched
  | E1115 04:29:06.518043       1 reflector.go:134] pkg/mod/k8s.io/client-go@v0.0.0-20181213151034-8d9ed539ba31/tools/cache/reflector.go:95: Failed to list *v1.Build: builds.build.openshift.io is forbidden: User "system:serviceaccount:quay-integration:quay-openshift-registry-operator" cannot list builds.build.openshift.io at the cluster scope: no RBAC policy matched
  | E1115 04:29:07.520485       1 reflector.go:134] pkg/mod/k8s.io/client-go@v0.0.0-20181213151034-8d9ed539ba31/tools/cache/reflector.go:95: Failed to list *v1.Build: builds.build.openshift.io is forbidden: User "system:serviceaccount:quay-integration:quay-openshift-registry-operator" cannot list builds.build.openshift.io at the cluster scope: no RBAC policy matched
  | E1115 04:29:08.522799       1 reflector.go:134] pkg/mod/k8s.io/client-go@v0.0.0-20181213151034-8d9ed539ba31/tools/cache/reflector.go:95: Failed to list *v1.Build: builds.build.openshift.io is forbidden: User "system:serviceaccount:quay-integration:quay-openshift-registry-operator" cannot list builds.build.openshift.io at the cluster scope: no RBAC policy matched
```

saikirandusari commented 4 years ago

@sabre1041 Can you please guide/help me to resolve this issue?

Adding the section below to the clusterrole.yaml resolved the above error, but I have now encountered another issue.

```yaml
- apiGroups:
  - ""
  - build.openshift.io
  resources:
  - builds
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
```

Error logs

```
{"level":"info","ts":1574124200.0212595,"logger":"quay-openshift-registry-operator","msg":"Reconciling Namespace","Name":"bnz-mule414-helloworld-v3"}
--
  | {"level":"error","ts":1574124200.0212698,"logger":"quay-openshift-registry-operator","msg":"No QuayIntegrations defined or more than 1 integration present","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/home/travis/gopath/pkg/mod/github.com/go-logr/zapr@v0.1.0/zapr.go:128\ngithub.com/redhat-cop/quay-openshift-registry-operator/pkg/core.(*CoreComponents).ManageError\n\t/home/travis/gopath/src/github.com/redhat-cop/quay-openshift-registry-operator/pkg/core/core.go:59\ngithub.com/redhat-cop/quay-openshift-registry-operator/pkg/controller/namespace.(*ReconcileNamespace).Reconcile\n\t/home/travis/gopath/src/github.com/redhat-cop/quay-openshift-registry-operator/pkg/controller/namespace/namespace_controller.go:156\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/travis/gopath/pkg/mod/sigs.k8s.io/controller-runtime@v0.1.10/pkg/internal/controller/controller.go:215\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1\n\t/home/travis/gopath/pkg/mod/sigs.k8s.io/controller-runtime@v0.1.10/pkg/internal/controller/controller.go:158\nk8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/home/travis/gopath/pkg/mod/k8s.io/apimachinery@v0.0.0-20181127025237-2b1284ed4c93/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/home/travis/gopath/pkg/mod/k8s.io/apimachinery@v0.0.0-20181127025237-2b1284ed4c93/pkg/util/wait/wait.go:134\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/home/travis/gopath/pkg/mod/k8s.io/apimachinery@v0.0.0-20181127025237-2b1284ed4c93/pkg/util/wait/wait.go:88"}
 ```
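
The `forbidden` messages in the operator log above name the subject, verb, resource and API group, which is enough to derive the narrowest ClusterRole rule that clears them. The Go program below is an added example, not part of this issue or of the operator's code: `MinimalRules`, `denied` and the sample log are hypothetical names and constructed data, and only the cluster-scope message format quoted in this issue is handled. It adds `watch` whenever `list` was denied, because a client-go reflector lists and then watches.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample: two denials in the format of the operator log in this issue.
const sampleLog = `E1115 04:29:05.515616       1 reflector.go:134] Failed to list *v1.Build: builds.build.openshift.io is forbidden: User "system:serviceaccount:quay-integration:quay-openshift-registry-operator" cannot list builds.build.openshift.io at the cluster scope: no RBAC policy matched
E1115 04:29:06.518043       1 reflector.go:134] Failed to list *v1.Build: builds.build.openshift.io is forbidden: User "system:serviceaccount:quay-integration:quay-openshift-registry-operator" cannot list builds.build.openshift.io at the cluster scope: no RBAC policy matched`

// Captures subject, verb, resource and API group (empty for the core group).
var denied = regexp.MustCompile(`User "([^"]+)" cannot (\w+) ([a-z0-9-]+)\.?([a-z0-9.-]*) at the cluster scope`)

// MinimalRules returns ClusterRole rules (YAML) covering only the logged denials.
func MinimalRules(log string) string {
	verbs := map[[3]string]map[string]bool{} // (subject, apiGroup, resource) -> verbs
	for _, m := range denied.FindAllStringSubmatch(log, -1) {
		k := [3]string{m[1], m[4], m[3]}
		if verbs[k] == nil {
			verbs[k] = map[string]bool{}
		}
		verbs[k][m[2]] = true
		if m[2] == "list" { // a client-go reflector lists, then watches
			verbs[k]["watch"] = true
		}
	}
	var rules []string
	for k, vs := range verbs {
		var list []string
		for v := range vs {
			list = append(list, v)
		}
		sort.Strings(list)
		rules = append(rules, fmt.Sprintf("# subject: %s\n- apiGroups:\n  - %q\n  resources:\n  - %s\n  verbs:\n  - %s\n",
			k[0], k[1], k[2], strings.Join(list, "\n  - ")))
	}
	sort.Strings(rules) // deterministic output regardless of map order
	return strings.Join(rules, "")
}

func main() { fmt.Print(MinimalRules(sampleLog)) }
```

For the sample it emits a single rule granting `list` and `watch` on `builds` in `build.openshift.io` for the operator's service account; the log alone does not show whether the operator needs further verbs.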