<div dir="ltr">Mo, <div><br></div><div>Do you have any thoughts on the issue Ryan mentions below on being unable to create a rolebinding that is cluster-admin?</div><div>For background, this is for enabling the Broker to deploy APBs that will modify cluster infrastructure...not a typical application/service but special APBs that require extra privileges.</div><div><br></div><div><br></div><div><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 30, 2018 at 9:56 PM, Ryan Hallisey <span dir="ltr"><<a href="mailto:rhallise@redhat.com" target="_blank">rhallise@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Karim,<br>
<br>
I think I have a workaround patch that will get provision working for<br>
the kubevirt-apb.  Instructions for how to test it are in the commit<br>
message.<br>
<br>
<a href="https://github.com/rthallisey/ansible-service-broker/commit/f27e0538959c43d47d2ff80bba1e894f2249ad62" rel="noreferrer" target="_blank">https://github.com/rthallisey/ansible-service-broker/commit/f27e0538959c43d47d2ff80bba1e894f2249ad62</a><br>
<br>
To summarize for folks what I think is happening. We need the apb to<br>
have the cluster-admin role so it can create cluster-roles.  To do<br>
this, set sandbox_role: cluster-admin, auto_escalate: true, and make<br>
the asb user cluster-admin.  Then when you provision, you'll hit this<br>
issue: <a href="https://github.com/openshift/ansible-service-broker/issues/711" rel="noreferrer" target="_blank">https://github.com/openshift/ansible-service-broker/issues/711</a>.<br>
The rolebinding fails to create with the error:<br>
  rolebindings.rbac.authorization.k8s.io<br>
"apb-9c21c424-7091-4bc1-b5c5-0caa08aeec39" is forbidden: attempt to<br>
grant extra privileges.<br>
It seems that we can't create a rolebinding that is cluster-admin.<br>
I'm still exploring for the reason why it fails, but my theory is that<br>
the cluster-admin role gives access outside the scope of a role so it<br>
requires a clusterrolebinding. With the clusterrolebinding created<br>
with cluster-admin permissions, I was able to create cluster-resources<br>
from the apb.<br>
<br>
Thanks,<br>
-Ryan<br>
<br>
_______________________________________________<br>
Ansible-service-broker mailing list<br>
<a href="mailto:Ansible-service-broker@redhat.com">Ansible-service-broker@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/ansible-service-broker" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/ansible-service-broker</a><br>
</blockquote></div><br></div></div></div>
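The two binding shapes Ryan compares, written out as an added example that is not part of this thread or of the ansible-service-broker project. The binding name is the one from Ryan's error message; the namespace `apb-sandbox`, the service-account name and the resources listed in the scoped ClusterRole are assumptions made for illustration. Kubernetes RBAC only lets a caller create a binding if it already holds every permission of the referenced role at the binding's scope (or is explicitly allowed to `bind` that role); that escalation check is what produces an "attempt to grant extra privileges" rejection.

```yaml
# Added example, not code from the thread or the ansible-service-broker project.
# Assumed names: namespace "apb-sandbox", ServiceAccount "apb-sandbox-sa".
# The binding name is the one quoted in Ryan's error message.

# 1) Namespaced RoleBinding that points at the cluster-admin ClusterRole.
#    This is the shape the thread reports as rejected ("attempt to grant
#    extra privileges"). Even when accepted, a RoleBinding only grants the
#    referenced role's permissions inside its own namespace, so it cannot
#    give an APB the cluster-wide access needed to create ClusterRoles.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: apb-9c21c424-7091-4bc1-b5c5-0caa08aeec39
  namespace: apb-sandbox
subjects:
- kind: ServiceAccount
  name: apb-sandbox-sa          # assumed name
  namespace: apb-sandbox
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
---
# 2) ClusterRoleBinding to cluster-admin: the shape the thread reports as
#    working. This is the broadest grant the cluster can express, so every
#    creation of such a binding should be logged and reviewed (audit policy
#    on rolebindings/clusterrolebindings create), and the subject should be
#    the short-lived sandbox service account, never a long-lived user.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: apb-9c21c424-7091-4bc1-b5c5-0caa08aeec39
subjects:
- kind: ServiceAccount
  name: apb-sandbox-sa          # assumed name
  namespace: apb-sandbox
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
---
# 3) Least-privilege alternative (assumed resource list): a ClusterRole that
#    covers only what this APB is said to need, creating cluster-roles and
#    their bindings, bound cluster-wide instead of cluster-admin. The same
#    escalation check applies: the broker creating this binding must itself
#    hold these permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: apb-clusterrole-manager     # assumed name
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings"]
  verbs: ["get", "list", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: apb-9c21c424-7091-4bc1-b5c5-0caa08aeec39-scoped
subjects:
- kind: ServiceAccount
  name: apb-sandbox-sa          # assumed name
  namespace: apb-sandbox
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: apb-clusterrole-manager
```

Apply any of the documents with `kubectl apply -f` (or `oc apply -f`) as the broker's identity to observe which form the API server accepts; the rejection or acceptance shows whether that identity already holds the permissions the referenced role grants at the binding's scope.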