Pavel Sturc After chatting with Craig Brookes about this, here are a few things to help find an answer for this jira:
- It looks like the APB provision pod is being run with a serviceaccount that does not have the 'admin' role. This is causing the errors in those logs.
- I believe the reason we need that role is so the oauth_proxy serviceaccount can be given the permissions to do RBAC requests for doing role checking in the proxy
- How did you provision/set up the broker? If it was with our playbooks, I would have thought the broker config (ConfigMap) with the correct 'sandbox_role' (i.e. 'admin') would be used. But that doesn't seem to be the case for you
- Craig Brookes is going to follow up with the broker team on this (tomorrow during an irc standup on #asbroker I think), more specifically why a default config of 'sandbox_role:admin' and 'auto_escalate:false' wouldn't be sufficient for all openshift environments, as that would suit us
More info about sandbox_role and auto_escalate here https://github.com/openshift/ansible-service-broker/blob/e35e30107ee309710b1669b43df957ac0f49ce06/docs/administration.md#L19 and here https://github.com/openshift/ansible-service-broker/blob/e35e30107ee309710b1669b43df957ac0f49ce06/docs/proposals/user-impersonation-proposal.md#L11
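As an added example (not part of the comment above, and not the broker project's own tooling), here is a small POSIX shell check for the point raised in the comment: whether the broker config actually carries the 'sandbox_role: admin' / 'auto_escalate: false' combination the commenter expects. The sample config is constructed; the key names `sandbox_role` and `auto_escalate` come from the comment, while the `broker:` section layout around them, and the ConfigMap name/namespace mentioned in the usage note, are assumptions.

```shell
#!/bin/sh
# Constructed sample of a broker config YAML (the kind of content that would
# live in the broker ConfigMap). Key names from the comment; layout assumed.
SAMPLE_BROKER_CONFIG='
registry:
  - type: dockerhub
    name: dh
broker:
  dev_broker: false
  sandbox_role: admin
  auto_escalate: false
'

# Print the value of one key under the top-level "broker:" section of the
# YAML read on stdin. Prints nothing if the key is absent from that section.
broker_setting() {
  key="$1"
  awk -v key="$key" '
    /^[^[:space:]]/ { section = $1 }            # remember the current top-level key
    section == "broker:" && $1 == (key ":") { print $2; exit }
  '
}

# Return 0 when the config has sandbox_role=admin and auto_escalate=false
# (the default the comment argues for), 1 otherwise, with a note on stderr.
check_sandbox_settings() {
  cfg="$1"
  role=$(printf '%s\n' "$cfg" | broker_setting sandbox_role)
  esc=$(printf '%s\n' "$cfg" | broker_setting auto_escalate)
  if [ "$role" = "admin" ] && [ "$esc" = "false" ]; then
    return 0
  fi
  echo "broker config: sandbox_role='$role' auto_escalate='$esc' (expected admin / false)" >&2
  return 1
}

# Stand-alone run against the constructed sample.
check_sandbox_settings "$SAMPLE_BROKER_CONFIG" && echo "sandbox settings OK"
```

To run this against a live cluster, pipe the ConfigMap's data key into `check_sandbox_settings` instead of the sample, e.g. `oc get configmap broker-config -n ansible-service-broker -o go-template='{{index .data "broker-config"}}'` (ConfigMap name, data key and namespace are assumptions and should be adjusted to how the broker was installed). A non-zero exit then points at the missing or different setting before digging further into the provision pod's serviceaccount roles.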