<div dir="ltr"><div><div>In case this helps Charles, a temporary workaround would be to: oc edit clusterrole asb-auth<br></div><br>and add:<br><br>  - apiGroups: ["<a href="http://network.openshift.io">network.openshift.io</a>", ""]<br>    attributeRestrictions: null<br>    resources: ["clusternetworks", "netnamespaces"]<br>    verbs: ["get"]<br>  - apiGroups: ["<a href="http://network.openshift.io">network.openshift.io</a>", ""]<br>    attributeRestrictions: null<br>    resources: ["netnamespaces"]<br>    verbs: ["update"]<br>  - apiGroups: ["<a href="http://networking.k8s.io">networking.k8s.io</a>", ""]<br>    attributeRestrictions: null<br>    resources: ["networkpolicies"]<br>    verbs: ["create", "delete"]<br><br><br></div><div>Thanks,<br></div>- Ryan<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 2, 2018 at 9:03 AM, Charles Moulliard <span dir="ltr"><<a href="mailto:cmoullia@redhat.com" target="_blank">cmoullia@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">We have redeployed using openshift-ansible playbook ASB using image v3.7 and networkpolicies issue is still there<div><div class="h5"><div class="gmail_extra"><div><div class="m_-1126900832318680940gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="color:rgb(0,0,0);font-family:overpass,sans-serif;font-size:10px"><div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Mar 1, 2018 at 4:19 PM, David Zager <span dir="ltr"><<a href="mailto:dzager@redhat.com" target="_blank">dzager@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Greetings Charles,<div><br></div><div>The image in question, <a href="https://hub.docker.com/r/ansibleplaybookbundle/origin-ansible-service-broker/tags/" target="_blank">docker.io/ansibleplaybookbundl<wbr>e/origin-ansible-service-<wbr>broker:v3.7</a> has been updated to be built using the code from the <a href="https://github.com/openshift/ansible-service-broker/tree/release-1.0" target="_blank">release-1.0</a> branch of the broker project. Apologies for the trouble and thank you for helping us find the root cause.</div><div><br></div><div><a href="https://github.com/openshift/ansible-service-broker/pull/803" target="_blank">https://github.com/openshift/a<wbr>nsible-service-broker/pull/803</a><wbr> should prevent this from happening in the future.<br></div><div><br></div><div>Respectfully,<br>David Zager</div><div><div class="m_-1126900832318680940h5"><br><div class="gmail_quote"><div dir="ltr">On Thu, Mar 1, 2018 at 9:45 AM Shawn Hurley <<a href="mailto:shurley@redhat.com" target="_blank">shurley@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Hello Charles,<div><br></div><div>It appears that we have had a little mix up on the versions that we tagged. You are currently getting the canary version of the broker. </div><div>We are working on rebuilding and re-tagging the correct images and will keep everyone informed with this email thread. 
Sorry about the mix up.</div><div><br></div><div>Thanks,</div><div><br></div><div>Shawn Hurley</div></div><div style="word-wrap:break-word;line-break:after-white-space"><div><div><br><blockquote type="cite"><div>On Mar 1, 2018, at 12:40 AM, Charles Moulliard <<a href="mailto:cmoullia@redhat.com" target="_blank">cmoullia@redhat.com</a>> wrote:</div><br class="m_-1126900832318680940m_-6534722783986833145m_6098939470900032556m_479842504126028098Apple-interchange-newline"><div><div dir="ltr">I confirm that version 3.7 has been installed<div><br></div><div><a href="https://www.dropbox.com/s/h7m72h23k7myjyw/Screenshot%202018-03-01%2006.39.40.png?dl=0" target="_blank">https://www.dropbox.com/s/h7m7<wbr>2h23k7myjyw/Screenshot%202018-<wbr>03-01%2006.39.40.png?dl=0</a><br></div><div class="gmail_extra"><div><div class="m_-1126900832318680940m_-6534722783986833145m_6098939470900032556m_479842504126028098gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-family:overpass,sans-serif;font-size:10px"><div style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><br></div><div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Mar 1, 2018 at 12:47 AM, Erik Nelson <span dir="ltr"><<a href="mailto:ernelson@redhat.com" target="_blank">ernelson@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Charles, you guys are deploying upstream origin with<br>
openshift-ansible? We discovered today thanks to your report that the<br>
upstream openshift-ansible code was configured to default to "latest"<br>
broker images, which is our 3.9 image. I will see if I can reproduce<br>
your issue as well.<br>
<br>
+1 to shurley's comment, we have to confirm what version of the image<br>
you are running, via tag.<br>
<div class="m_-1126900832318680940m_-6534722783986833145m_6098939470900032556m_479842504126028098HOEnZb"><div class="m_-1126900832318680940m_-6534722783986833145m_6098939470900032556m_479842504126028098h5"><br>
On Wed, Feb 28, 2018 at 6:42 PM, Shawn Hurley <<a href="mailto:shurley@redhat.com" target="_blank">shurley@redhat.com</a>> wrote:<br>
> Hi Charles,<br>
><br>
> v3.7 should not be attempting to do anything with network policies, can you<br>
> please double check the deployment config and tell us the version of the<br>
> image that is being deployed. If it is 3.7 then we have another issue that<br>
> we will need to solve.<br>
><br>
> ansible_service_broker_image_t<wbr>ag should override the tag value, if that is<br>
> not working then we will need to do a deeper dive on the openshift-ansible<br>
> code.<br>
><br>
> If you would like to just “work around” this then you could add a cluster<br>
> role binding and role to grant access to the asb service account to<br>
> manipulate the network policies.<br>
><br>
> Regards,<br>
><br>
> Shawn Hurley<br>
><br>
> On Feb 28, 2018, at 3:44 PM, Charles Moulliard <<a href="mailto:cmoullia@redhat.com" target="_blank">cmoullia@redhat.com</a>> wrote:<br>
><br>
> Hi,<br>
><br>
> There is still an issue with the ansible playbook installing ASB on<br>
> openshift 3.7<br>
> When the inventory is configured using these parameters<br>
><br>
> git clone -b release-3.7 <a href="mailto:git@github.com" target="_blank">git@github.com</a>:openshift/opens<wbr>hift-ansible.git<br>
><br>
> openshift_enable_service_catal<wbr>og=true<br>
> ansible_service_broker_registr<wbr>y_whitelist=['.*-apb$']<br>
> ansible_service_broker_image_t<wbr>ag=v3.7<br>
><br>
> then, the following error is reported within the APB pod during<br>
> serviceinstance creation<br>
><br>
> [2018-02-28T20:33:59.585Z] [NOTICE] - Creating RoleBinding<br>
> apb-49d8c2a2-6d12-474c-87a2-a2<wbr>20bda6ba0d<br>
> [2018-02-28T20:33:59.598Z] [ERROR] - unable to create network policy object<br>
> - User "system:serviceaccount:openshi<wbr>ft-ansible-service-broker:asb" cannot<br>
> create <a href="http://networkpolicies.networking.k8s.io/" rel="noreferrer" target="_blank">networkpolicies.networking.k8s<wbr>.io</a> in the namespace "project31": User<br>
> "system:serviceaccount:openshi<wbr>ft-ansible-service-broker:asb" cannot create<br>
> <a href="http://networkpolicies.networking.k8s.io/" rel="noreferrer" target="_blank">networkpolicies.networking.k8s<wbr>.io</a> in project "project31" (post<br>
> <a href="http://networkpolicies.networking.k8s.io/" rel="noreferrer" target="_blank">networkpolicies.networking.k8s<wbr>.io</a>)<br>
>  project "project31" (post <a href="http://networkpolicies.networking.k8s.io/" rel="noreferrer" target="_blank">networkpolicies.networking.k8s<wbr>.io</a>)<br>
><br>
> As you can see, the clusterrole of asb-auth is still missing the following<br>
> info<br>
> <a href="https://goo.gl/HfJnj8" rel="noreferrer" target="_blank">https://goo.gl/HfJnj8</a><br>
><br>
> Can somebody fix the error please for ansible openshift 3.7 ?<br>
><br>
> Regards<br>
><br>
> Charles<br>
> ______________________________<wbr>_________________<br>
> Ansible-service-broker mailing list<br>
> <a href="mailto:Ansible-service-broker@redhat.com" target="_blank">Ansible-service-broker@redhat.<wbr>com</a><br>
> <a href="https://www.redhat.com/mailman/listinfo/ansible-service-broker" rel="noreferrer" target="_blank">https://www.redhat.com/mailman<wbr>/listinfo/ansible-service-<wbr>broker</a><br>
><br>
><br>
</div></div></blockquote></div><br></div></div>
</div></blockquote></div><br></div></div>
</blockquote></div></div></div></div>
</blockquote></div><br></div></div></div></div>
<br></blockquote></div><br></div>
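Added example (not part of the original thread or the broker project's code): a Python check that parses the authorization failure from the APB pod log quoted above and evaluates it against the rules in the workaround, showing that the edit covers the denied request while other verbs stay denied. The matcher is a reduced model of RBAC rule evaluation (apiGroups, resources, verbs and `*` only), and the function names are hypothetical.

```python
import re

# Rules from the workaround in this thread (attributeRestrictions: null omitted).
WORKAROUND_RULES = [
    {"apiGroups": ["network.openshift.io", ""],
     "resources": ["clusternetworks", "netnamespaces"], "verbs": ["get"]},
    {"apiGroups": ["network.openshift.io", ""],
     "resources": ["netnamespaces"], "verbs": ["update"]},
    {"apiGroups": ["networking.k8s.io", ""],
     "resources": ["networkpolicies"], "verbs": ["create", "delete"]},
]

# Error from the APB pod log quoted in this thread, with mail line wraps removed.
SAMPLE_ERROR = (
    'unable to create network policy object - User '
    '"system:serviceaccount:openshift-ansible-service-broker:asb" cannot '
    'create networkpolicies.networking.k8s.io in the namespace "project31"'
)

DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) '
    r'(?P<resource>[a-z]+)(?:\.(?P<group>[a-z0-9.]+))? '
    r'in (?:the namespace|project) "(?P<namespace>[^"]+)"'
)

def parse_denial(line):
    """Extract who was denied which verb on which resource, or None."""
    m = DENIAL.search(line)
    if m is None:
        return None
    return {**m.groupdict(), "group": m.group("group") or ""}  # "" = core group

def rules_allow(rules, group, resource, verb):
    """RBAC is additive: allowed if one rule covers group, resource and verb."""
    def covers(allowed, value):
        return "*" in allowed or value in allowed
    return any(covers(r.get("apiGroups", []), group)
               and covers(r.get("resources", []), resource)
               and covers(r.get("verbs", []), verb) for r in rules)

def check(line, rules):
    """Return (parsed denial, allowed-by-rules) for one log line."""
    d = parse_denial(line)
    if d is None:
        return None, False
    return d, rules_allow(rules, d["group"], d["resource"], d["verb"])

if __name__ == "__main__":
    print(check(SAMPLE_ERROR, WORKAROUND_RULES))
```

Passing an empty rule list to `check` models the role before the edit, and the same call can be pointed at the `rules` array of a role exported as JSON.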