Closed ndox closed 5 years ago
Then I've got :
[bastion namespace-configuration-operator]# oc logs -f namespace-configuration-operator-6ffc5f4d46-4jz9r
E0514 14:53:48.912786 1 reflector.go:134] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1alpha1.NamespaceConfig: namespaceconfigs.redhatcop.redhat.io is forbidden: User "system:serviceaccount:namespace-configuration-operator:namespace-configuration-operator" cannot list namespaceconfigs.redhatcop.redhat.io in the namespace "namespace-configuration-operator": no RBAC policy matched
It seems that adding a namespace for the SA does the job in deploy/rolebinding.yaml:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-configuration-operator
  namespace: namespace-configuration-operator
subjects:
- kind: ServiceAccount
  name: namespace-configuration-operator
  namespace: namespace-configuration-operator
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
But I still have the error in the pod logs, and labeling a new project with a tee-shirt size didn't work.
@ndox you shouldn't have to modify the cluster role binding.
Try with the following command:
oc apply -f deploy -n namespace-configuration-operator
Can you also share the pod logs where you see the error?
@raffaelespazzoli: Maybe I'm doing something wrong. Here is what I'm doing:
I started a fresh new lab, but I still have the first issue with your new command:
[root@bastion namespace-configuration-operator]# oc apply -f deploy -n namespace-configuration-operator
deployment.apps/namespace-configuration-operator created
role.rbac.authorization.k8s.io/namespace-configuration-operator created
rolebinding.rbac.authorization.k8s.io/namespace-configuration-operator created
serviceaccount/namespace-configuration-operator created
The ClusterRoleBinding "namespace-configuration-operator" is invalid: subjects[0].namespace: Required value
What I'm doing :
git clone https://github.com/redhat-cop/namespace-configuration-operator.git
oc apply -f deploy/crds/redhatcop_v1alpha1_namespaceconfig_crd.yaml
oc new-project namespace-configuration-operator
oc apply -f deploy -n namespace-configuration-operator
# change image to yours :
oc edit deployment/namespace-configuration-operator
image: quay.io/redhat-cop/namespace-configuration-operator:latest
oc logs namespace-configuration-operator-6ffc5f4d46-jk5rt | less
{"level":"info","ts":1557912760.229605,"logger":"cmd","msg":"Go Version: go1.11"}
{"level":"info","ts":1557912760.2301075,"logger":"cmd","msg":"Go OS/Arch: linux/amd64"}
{"level":"info","ts":1557912760.2301164,"logger":"cmd","msg":"Version of operator-sdk: v0.7.0+git"}
{"level":"info","ts":1557912760.2303276,"logger":"leader","msg":"Trying to become the leader."}
{"level":"info","ts":1557912760.2952354,"logger":"leader","msg":"No pre-existing lock was found."}
{"level":"info","ts":1557912760.2999184,"logger":"leader","msg":"Became the leader."}
{"level":"info","ts":1557912760.33724,"logger":"cmd","msg":"Registering Components."}
{"level":"info","ts":1557912760.3379586,"logger":"kubebuilder.controller","msg":"Starting EventSource","controller":"namespaceconfig-controller","source":"kind source: /, Kind="}
{"level":"info","ts":1557912760.3381546,"logger":"kubebuilder.controller","msg":"Starting EventSource","controller":"namespaceconfig-controller","source":"kind source: /, Kind="}
{"level":"info","ts":1557912760.3837676,"logger":"cmd","msg":"failed to create or get service for metrics: services \"namespace-configuration-operator\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched, <nil>"}
{"level":"info","ts":1557912760.3837993,"logger":"cmd","msg":"Starting the Cmd."}
E0515 09:32:40.385842 1 reflector.go:134] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:namespace-configuration-operator:namespace-configuration-operator" cannot list namespaces at the cluster scope: no RBAC policy matched
# If I try to modify role_binding and delete the pod, I get the same error message for the pod:
# hack the role_binding.yaml file as said previously (adding namespace to avoid the error):
oc apply -f deploy/role_binding.yaml
clusterrolebinding.rbac.authorization.k8s.io/namespace-configuration-operator created
rolebinding.rbac.authorization.k8s.io/namespace-configuration-operator unchanged
oc delete pod namespace-configuration-operator-6ffc5f4d46-jk5rt
oc logs namespace-configuration-operator-6ffc5f4d46-wjr8l | less
{"level":"info","ts":1557913277.5107226,"logger":"cmd","msg":"Go Version: go1.11"}
{"level":"info","ts":1557913277.5107718,"logger":"cmd","msg":"Go OS/Arch: linux/amd64"}
{"level":"info","ts":1557913277.5107834,"logger":"cmd","msg":"Version of operator-sdk: v0.7.0+git"}
{"level":"info","ts":1557913277.5109851,"logger":"leader","msg":"Trying to become the leader."}
{"level":"info","ts":1557913277.573164,"logger":"leader","msg":"No pre-existing lock was found."}
{"level":"info","ts":1557913277.5762987,"logger":"leader","msg":"Became the leader."}
{"level":"info","ts":1557913277.6118069,"logger":"cmd","msg":"Registering Components."}
{"level":"info","ts":1557913277.6123421,"logger":"kubebuilder.controller","msg":"Starting EventSource","controller":"namespaceconfig-controller","source":"kind source: /, Kind="}
{"level":"info","ts":1557913277.6129034,"logger":"kubebuilder.controller","msg":"Starting EventSource","controller":"namespaceconfig-controller","source":"kind source: /, Kind="}
{"level":"info","ts":1557913277.657814,"logger":"cmd","msg":"failed to create or get service for metrics: services \"namespace-configuration-operator\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched, <nil>"}
{"level":"info","ts":1557913277.6578422,"logger":"cmd","msg":"Starting the Cmd."}
E0515 09:41:17.659914 1 reflector.go:134] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1alpha1.NamespaceConfig: namespaceconfigs.redhatcop.redhat.io is forbidden: User "system:serviceaccount:namespace-configuration-operator:namespace-configuration-operator" cannot list namespaceconfigs.redhatcop.redhat.io in the namespace "namespace-configuration-operator": no RBAC policy matched
@ndox https://github.com/redhat-cop/namespace-configuration-operator/pull/6 should fix the issue. While the PR is being merged, here is what you need:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-configuration-operator
subjects:
- kind: ServiceAccount
  name: namespace-configuration-operator
  namespace: namespace-configuration-operator
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
@raffaelespazzoli: I confirm it works well now. Many thanks for your help!
Might be a little clusterrolebinding missing field issue but I didn't quickly find the fix.
openshift v3.11.43 kubernetes v1.11.0+d4cacc0
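
The `forbidden` lines in the pod logs quoted in this thread each name the service account, verb, resource and scope of a denied request. As an added example (not code from the thread or from the project), this Python script parses that message format into RBAC rule candidates, which helps when scoping a role narrower than `cluster-admin`; the function names and the `<cluster>` scope marker are assumptions of the example.

```python
import re
from collections import defaultdict

SA = "system:serviceaccount:namespace-configuration-operator:namespace-configuration-operator"
# The two denials from the thread's pod logs (reflector source path shortened);
# the second is repeated because the reflector retries and logs it again.
SAMPLE_LOG = [
    f'E0515 09:32:40.385842 1 reflector.go:134] Failed to list *v1.Namespace: namespaces is forbidden: User "{SA}" cannot list namespaces at the cluster scope: no RBAC policy matched',
    f'E0515 09:41:17.659914 1 reflector.go:134] Failed to list *v1alpha1.NamespaceConfig: namespaceconfigs.redhatcop.redhat.io is forbidden: User "{SA}" cannot list namespaceconfigs.redhatcop.redhat.io in the namespace "namespace-configuration-operator": no RBAC policy matched',
]
SAMPLE_LOG.append(SAMPLE_LOG[1])

CLUSTER = "<cluster>"  # marker used by this example for cluster-scoped denials

DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^:"]+)" '
    r'cannot (?P<verb>[a-z]+) (?P<target>[^ ]+) '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

def parse_denials(lines):
    """Return the distinct (service account, scope, apiGroup, resource, verb) denials."""
    found = set()
    for line in lines:
        m = DENIAL.search(line)
        if not m:
            continue  # not an RBAC denial in the message format handled here
        # "namespaceconfigs.redhatcop.redhat.io" -> resource + API group;
        # core resources such as "namespaces" have an empty group.
        resource, _, group = m["target"].partition(".")
        scope = m["ns"] or CLUSTER
        found.add((f'{m["sa_ns"]}/{m["sa"]}', scope, group, resource, m["verb"]))
    return found

def to_rules(denials):
    """Group denials into RBAC rule candidates keyed by (service account, scope)."""
    verbs = defaultdict(set)
    for sa, scope, group, resource, verb in denials:
        verbs[(sa, scope, group, resource)].add(verb)
    rules = defaultdict(list)
    for (sa, scope, group, resource), vs in sorted(verbs.items()):
        rules[(sa, scope)].append(
            {"apiGroups": [group], "resources": [resource], "verbs": sorted(vs)})
    return dict(rules)

if __name__ == "__main__":
    for (sa, scope), rs in to_rules(parse_denials(SAMPLE_LOG)).items():
        kind = "ClusterRole" if scope == CLUSTER else f"Role in {scope}"
        print(f"{sa} needs a {kind} with rules: {rs}")
```

The result lists only what has been denied so far: once `list` is granted, the informer's `watch` on the same resources is the next request to check.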