Error Loading OpenShift command line terminal: User is not a owner of the requested workspace

[jdandrea]

Describe the bug

Can't open an OpenShift Command Line Terminal as of a fresh install a few days ago.

Expected Behavior

Should be presented with the command line terminal.

Current Behavior

Error displayed in red: "Error Loading OpenShift command line terminal: User is not a owner of the requested workspace"

Steps to Reproduce

1. Login to a newly deployed OCP 4.15 cluster (3 control plane, 2 worker nodes) as kubeadmin, default project
2. Install Web Terminal operator with all default settings
3. Start a Web Terminal session, eventually see error; try again, same error
4. Follow documented manual steps to uninstall, repeat steps above, same error

Environment

Cloud:

• [ ] AWS
• [ ] Azure
• [ ] GCP
• [X] UPI VM on Bare Metal

OpenShift Version: 4.15

What's odd is this has worked before, and I'm fairly sure it worked on 4.15. Will try again on 4.14 just to be sure.

[AObuchow]

@jdandrea Thank you for reporting this issue, I experienced it the other day but didn't have a chance yet to report it.

From what it seems, this bug occurs specifically when logged into a cluster as kubeadmin, and I think it only occurs on OpenShift >= 4.15. My assumption is that some changes were made to kubeadmin's ownership of the openshift-terminal namespace.

Opening web terminals as a non-root user on OpenShift should still work, however.

I will look into this further as this bug needs to be resolved.

[jdandrea]

That`s good news @AObuchow, thank you!

I will drop back to 4.14 as I need to be kubeadmin for this particular thing I'm doing. Meanwhile, if I can help reality-check anything on my end, please let me know. Happy to help where I can.

[AObuchow]

Sounds good @jdandrea thank you!!

[AObuchow]

@jdandrea just to confirm: you aren't experiencing this bug on OpenShift 4.14 correct?

Edit: Just verified it myself and this bug doesn't occur on OpenShift 4.14

[jdandrea]

Correct, it's all good on 4.14!

[AObuchow]

I believe I found the source of this bug:

Prior to OCP 4.15, the OpenShift console expected the devworkspace's controller.devfile.io/creator label to be set to an empty string when logged in to the cluster as kubeadmin due to https://github.com/openshift/origin/issues/24950 (related Che issue). In essence, the kubeadmin user does not have a uid, and thus DevWorkspace-Operator sets the controller.devfile.io/creator label to an empty string.

However, due to a recent change made to the OpenShift Console for 4.15, the OpenShift console is now expecting the controller.devfile.io/creator label to be set to kubeadmin username, instead of its (empty string) uid, resulting in this bug.

To fix this issue we could either:

• Revert the breaking change in the OpenShift console
• Make a change in DWO to set the controller.devfile.io/creator label to kubeadmin's username, to match the behaviour the OpenShift console is expect.

I'm inclined to go with the later solution, as we will be releasing DWO 0.27 in the coming weeks. CC: @ibuziuk

[jdandrea]

Thank you so much for finding the root cause, @AObuchow. Even without knowing more about the internals, that DWO change sounds good to me too.

[AObuchow]

Upon further discussion with @ibuziuk, the OpenShift console should ideally revert the change that broke WTO as kubeadmin. Changing DWO's behaviour specifically for kubeadmin, to accommodate an unnecessary change to the OpenShift console is not ideal. Additionally, explicitly indicating in plain-text that kubeadmin (i.e. root) owns a specific devworkspace object is not ideal.

[jdandrea]

I had not considered (or known of) those points. Thank you for noting them here.

[Lucifergene]

Hey! Is there any update on this? We are not able to use the terminal at all for related bugs. Please keep this in highest priority. Last tested on: 4.16.0-0.nightly-2024-05-19-083311

[AObuchow]

Hey! Is there any update on this?

@Lucifergene Yes, I apologize for the delay in getting this resolved. We are working towards an agreed upon solution that will be implemented in the OpenShift Console (see here and here) and the DevWorkspace Operator (see here). Those 3 issues are blocking the resolution of this bug.

We are not able to use the terminal at all for related bugs.

Do you mind clarifying here? Are you in a situation where only kubeadmin can be used? Or is this affecting other users?

Please keep this in highest priority.

Will do, this is actively being worked on. My current estimate is that this will be fixed in DevWorkspace Operator 0.29 as DevWorkspace Operator 0.28 is targeted for release later this week.

Last tested on: 4.16.0-0.nightly-2024-05-19-083311

Thank you for testing!

[cmays20]

Is there are workaround for this on 4.15?

[AObuchow]

Is there are workaround for this on 4.15?

@cmays20 No, unfortunately :( I've tried looking into workarounds but it seems code changes are required to the DevWorkspace Operator and OpenShift Console.

[AObuchow]

The breaking change that caused this issue has now been reverted in OpenShift 4.17: https://github.com/openshift/console/pull/13719

The 4.16 backport is in progress has now been merged: https://github.com/openshift/console/pull/14027

The 4.15 backport is in progress: https://github.com/openshift/console/pull/14114

This issue will soon be resolved.

[AObuchow]

The final backport required to resolve this issue was merged to OCP 4.15. This issue should now finally be resolved \o/ @jhadvig Thank you for all the help on the openshift console side :)

[aroute]

I'm encountering this problem on 4.15.28. Which minor version of 4.15 has this fix?

[AObuchow]

@aroute It seems the 4.15 backport appears in OpenShift 4.15.0-0.nightly-2024-09-13-090332. I'm not entirely sure if a version that includes the fix is already able to be pulled/updated on your cluster yet.