[Ansible-service-broker] Issue with playbook of ansible service broker - missing networkpolicies

Ryan Hallisey rhallise at redhat.com
Fri Mar 2 14:12:05 UTC 2018


In case this helps Charles, a temporary workaround would be to:

  oc edit clusterrole asb-auth

and add:

  - apiGroups: ["network.openshift.io", ""]
    attributeRestrictions: null
    resources: ["clusternetworks", "netnamespaces"]
    verbs: ["get"]
  - apiGroups: ["network.openshift.io", ""]
    attributeRestrictions: null
    resources: ["netnamespaces"]
    verbs: ["update"]
  - apiGroups: ["networking.k8s.io", ""]
    attributeRestrictions: null
    resources: ["networkpolicies"]
    verbs: ["create", "delete"]


Thanks,
- Ryan

On Fri, Mar 2, 2018 at 9:03 AM, Charles Moulliard <cmoullia at redhat.com>
wrote:

> We have redeployed using openshift-ansible playbook ASB using image v3.7
> and networkpolicies issue is still there
>
> On Thu, Mar 1, 2018 at 4:19 PM, David Zager <dzager at redhat.com> wrote:
>
>> Greetings Charles,
>>
>> The image in question,
>> docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7
>> <https://hub.docker.com/r/ansibleplaybookbundle/origin-ansible-service-broker/tags/>
>> has been updated to be built using the code from the release-1.0
>> <https://github.com/openshift/ansible-service-broker/tree/release-1.0> branch
>> of the broker project. Apologies for the trouble and thank you for helping
>> us find the root cause.
>>
>> https://github.com/openshift/ansible-service-broker/pull/803 should
>> prevent this from happening in the future.
>>
>> Respectfully,
>> David Zager
>>
>> On Thu, Mar 1, 2018 at 9:45 AM Shawn Hurley <shurley at redhat.com> wrote:
>>
>>> Hello Charles,
>>>
>>> It appears that we have had a little mix up on the versions that we
>>> tagged. You are currently getting the canary version of the broker.
>>> We are working on rebuilding and re-tagging the correct images and will
>>> keep everyone informed with this email thread. Sorry about the mix up.
>>>
>>> Thanks,
>>>
>>> Shawn Hurley
>>>
>>> On Mar 1, 2018, at 12:40 AM, Charles Moulliard <cmoullia at redhat.com>
>>> wrote:
>>>
>>> I confirm that version 3.7 has been installed
>>>
>>> https://www.dropbox.com/s/h7m72h23k7myjyw/Screenshot%202018-03-01%2006.39.40.png?dl=0
>>>
>>>
>>> On Thu, Mar 1, 2018 at 12:47 AM, Erik Nelson <ernelson at redhat.com>
>>> wrote:
>>>
>>>> Charles, you guys are deploying upstream origin with
>>>> openshift-ansible? We discovered today thanks to your report that the
>>>> upstream openshift-ansible code was configured to default to "latest"
>>>> broker images, which is our 3.9 image. I will see if I can reproduce
>>>> your issue as well.
>>>>
>>>> +1 to shurley's comment, we have to confirm what version of the image
>>>> you are running, via tag.
>>>>
>>>> On Wed, Feb 28, 2018 at 6:42 PM, Shawn Hurley <shurley at redhat.com>
>>>> wrote:
>>>> > Hi Charles,
>>>> >
>>>> > v3.7 should not be attempting to do anything with network policies, can
>>>> > you please double check the deployment config and tell us the version of
>>>> > the image that is being deployed. If it is 3.7 then we have another issue
>>>> > that we will need to solve.
>>>> >
>>>> > ansible_service_broker_image_tag should override the tag value, if that
>>>> > is not working then we will need to do a deeper dive on the
>>>> > openshift-ansible code.
>>>> >
>>>> > If you would like to just “work around” this then you could add a cluster
>>>> > role binding and role to grant access to the asb service account to
>>>> > manipulate the network policies.
>>>> >
>>>> > Regards,
>>>> >
>>>> > Shawn Hurley
>>>> >
>>>> > On Feb 28, 2018, at 3:44 PM, Charles Moulliard <cmoullia at redhat.com>
>>>> > wrote:
>>>> >
>>>> > Hi,
>>>> >
>>>> > There is still an issue with the ansible playbook installing ASB on
>>>> > openshift 3.7
>>>> > When the inventory is configured using these parameters
>>>> >
>>>> > git clone -b release-3.7 git@github.com:openshift/openshift-ansible.git
>>>> >
>>>> > openshift_enable_service_catalog=true
>>>> > ansible_service_broker_registry_whitelist=['.*-apb$']
>>>> > ansible_service_broker_image_tag=v3.7
>>>> >
>>>> > then, the following error is reported within the APB pod during
>>>> > serviceinstance creation
>>>> >
>>>> > [2018-02-28T20:33:59.585Z] [NOTICE] - Creating RoleBinding
>>>> > apb-49d8c2a2-6d12-474c-87a2-a220bda6ba0d
>>>> > [2018-02-28T20:33:59.598Z] [ERROR] - unable to create network policy
>>>> > object - User "system:serviceaccount:openshift-ansible-service-broker:asb"
>>>> > cannot create networkpolicies.networking.k8s.io in the namespace
>>>> > "project31": User
>>>> > "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create
>>>> > networkpolicies.networking.k8s.io in project "project31" (post
>>>> > networkpolicies.networking.k8s.io)
>>>> >  project "project31" (post networkpolicies.networking.k8s.io)
>>>> >
>>>> > As you can see, the clusterrole of asb-auth is still missing the following
>>>> > info
>>>> > https://goo.gl/HfJnj8
>>>> >
>>>> > Can somebody fix the error please for ansible openshift 3.7 ?
>>>> >
>>>> > Regards
>>>> >
>>>> > Charles
>>>> > _______________________________________________
>>>> > Ansible-service-broker mailing list
>>>> > Ansible-service-broker at redhat.com
>>>> > https://www.redhat.com/mailman/listinfo/ansible-service-broker
>