[infinispan-issues] [JBoss JIRA] (ISPN-8401) Investigate if we can create ServiceAccount and Role Binding in OpenShift Online

Sebastian Łaskawiec (JIRA) issues at jboss.org
Mon Oct 30 03:44:00 EDT 2017


    [ https://issues.jboss.org/browse/ISPN-8401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13483202#comment-13483202 ] 

Sebastian Łaskawiec commented on ISPN-8401:
-------------------------------------------

On the [OpenShift Online Staging|https://console.free-stg.openshift.com/console] environment, creating a {{RoleBinding}} is prohibited.

{code}
make test-ephemeral 
oc process infinispan-ephemeral | oc create -f -
serviceaccount "infinispan-app" created
secret "infinispan-app" created
service "infinispan-app-http" created
service "infinispan-app-hotrod" created
service "infinispan-app-management" created
configmap "infinispan-app-configuration" created
route "infinispan-app-management" created
deploymentconfig "infinispan-app" created
Error from server (Forbidden): rolebindings "infinispan-app-view" is forbidden: rolebindings to ServiceAccount "infinispan-app" are not allowed in project "slaskawi"
make: *** [Makefile:47: test-ephemeral] Error 1
{code}

An interesting thing is that I can create it by hand:
{code}
oc policy add-role-to-user view system:serviceaccount:$(oc project -q):my-new-sa -n $(oc project -q)
{code}

> Investigate if we can create ServiceAccount and Role Binding in OpenShift Online
> --------------------------------------------------------------------------------
>
>                 Key: ISPN-8401
>                 URL: https://issues.jboss.org/browse/ISPN-8401
>             Project: Infinispan
>          Issue Type: Task
>          Components: Cloud Integrations
>            Reporter: Sebastian Łaskawiec
>            Assignee: Sebastian Łaskawiec
>
> The {{KUBE_PING}} JGroups protocol (the one that performs discovery) queries the Kubernetes API to obtain a list of {{Pods}}. This in turn requires {{view}} permissions (see [Service Accounts on OpenShift User Guide|https://docs.openshift.com/container-platform/3.6/dev_guide/service_accounts.html#dev-sa-user-names-and-groups]) and a binding object (it's called {{RoleBinding}} and it provides a mapping between the {{ServiceAccount}} that is used by the {{Pod}} and {{view}} permissions).



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
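
Added example, not part of the original message or of the Infinispan templates: a pre-flight check that reports which workloads in a set of objects would run under a {{ServiceAccount}} with no {{view}} binding, which is the state left behind when the {{RoleBinding}} is rejected as in the log above. It assumes the objects arrive as a JSON {{List}} (the shape {{oc process -o json}} produces); the function names and the sample data are constructed for illustration.

```python
import json

# Constructed sample: a trimmed List in the shape `oc process -o json` emits.
# Object names follow the log above; every other field value is illustrative.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ServiceAccount", "metadata": {"name": "infinispan-app"}},
  {"kind": "DeploymentConfig", "metadata": {"name": "infinispan-app"},
   "spec": {"template": {"spec": {"serviceAccountName": "infinispan-app"}}}},
  {"kind": "RoleBinding", "metadata": {"name": "infinispan-app-view"},
   "roleRef": {"name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "infinispan-app"}]}
]}
""")

WORKLOAD_KINDS = {"DeploymentConfig", "Deployment", "StatefulSet"}


def bound_roles(items):
    """Map each ServiceAccount name to the set of role names bound to it."""
    roles = {}
    for obj in items:
        if obj.get("kind") != "RoleBinding":
            continue
        role = obj.get("roleRef", {}).get("name")
        for subject in obj.get("subjects") or []:
            if subject.get("kind") == "ServiceAccount" and role:
                roles.setdefault(subject["name"], set()).add(role)
    return roles


def accounts_missing_role(items, role="view"):
    """Return {workload name: service account} where the account lacks `role`."""
    roles = bound_roles(items)
    missing = {}
    for obj in items:
        if obj.get("kind") not in WORKLOAD_KINDS:
            continue
        pod_spec = obj.get("spec", {}).get("template", {}).get("spec", {})
        # Pods with no explicit account run as the project's "default" account.
        account = pod_spec.get("serviceAccountName") or "default"
        if role not in roles.get(account, set()):
            missing[obj["metadata"]["name"]] = account
    return missing


if __name__ == "__main__":
    created = [o for o in SAMPLE["items"] if o["kind"] != "RoleBinding"]
    print("as templated:", accounts_missing_role(SAMPLE["items"]))
    print("after the Forbidden error:", accounts_missing_role(created))
```

The check matches the role name exactly and looks only at {{RoleBinding}} objects in the supplied list, so access granted through a broader role or through a group binding is not counted.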


