Sebastian Łaskawiec commented on ISPN-8401:
-------------------------------------------
On the [OpenShift Online Staging|https://console.free-stg.openshift.com/console] environment,
creating a {{RoleBinding}} is prohibited.
{code}
make test-ephemeral
oc process infinispan-ephemeral | oc create -f -
serviceaccount "infinispan-app" created
secret "infinispan-app" created
service "infinispan-app-http" created
service "infinispan-app-hotrod" created
service "infinispan-app-management" created
configmap "infinispan-app-configuration" created
route "infinispan-app-management" created
deploymentconfig "infinispan-app" created
Error from server (Forbidden): rolebindings "infinispan-app-view" is forbidden:
rolebindings to ServiceAccount "infinispan-app" are not allowed in project
"slaskawi"
make: *** [Makefile:47: test-ephemeral] Error 1
{code}
An interesting thing is that I can create it by hand:
{code}
oc policy add-role-to-user view system:serviceaccount:$(oc project -q):my-new-sa -n $(oc project -q)
{code}
Investigate if we can create ServiceAccount and Role Binding in
OpenShift Online
--------------------------------------------------------------------------------
Key: ISPN-8401
URL: https://issues.jboss.org/browse/ISPN-8401
Project: Infinispan
Issue Type: Task
Components: Cloud Integrations
Reporter: Sebastian Łaskawiec
Assignee: Sebastian Łaskawiec
The {{KUBE_PING}} JGroups protocol (the one that performs discovery) queries the Kubernetes
API to obtain a list of {{Pods}}. This in turn requires {{view}} permissions (see [Service
Accounts on OpenShift User
Guide|https://docs.openshift.com/container-platform/3.6/dev_guide/service...])
and a binding object (it's called {{RoleBinding}} and it provides a mapping between the
{{ServiceAccount}} that is used by the {{Pod}} and {{view}} permissions).