<div dir="ltr">It appears that the "latest" automation-broker-apb image is using a 3.10 broker image. That would cause the scenario you mention:<div><br></div><div><div style="color:rgb(33,33,33)">[2018-11-08T05:18:28.93Z] [DEBUG] - Creating k8s apiserver</div><div style="color:rgb(33,33,33)">[2018-11-08T05:18:28.932Z] [ERROR] - Unable to retrieve cluster roles rules from cluster</div><div style="color:rgb(33,33,33)"> You must be using OpenShift 3.7 to use the User rules check.</div><div style="color:rgb(33,33,33)"><a href="http://clusterroles.rbac.authorization.k8s.io/" target="_blank">clusterroles.rbac.authorization.k8s.io</a> "admin" is forbidden: User "system:serviceaccount:automation-broker:automation-broker" cannot get <a href="http://clusterroles.rbac.authorization.k8s.io/" target="_blank">clusterroles.rbac.authorization.k8s.io</a> at the cluster scope<br><br>I will first verify that updating the images to the latest broker fixes the issue, update the "latest" automation-broker-apb, and add a comment to the blog post.</div></div><div style="color:rgb(33,33,33)"><br></div><div style="color:rgb(33,33,33)">One caveat, it appears there are 251 bundles when the helm adapter is enabled and looking at all of the stable helm charts. 
The startup sequence for the broker will take some time and it may be better to:</div><div style=""><ol style=""><li style="color:rgb(33,33,33)"><span class="inbox-inbox-pl-ent" style="box-sizing:border-box;color:rgb(34,134,58);font-family:SFMono-Regular,Consolas,'Liberation Mono',Menlo,Courier,monospace;font-size:12px;white-space:pre">wait_for_broker<span style="color:rgb(36,41,46)">: </span><span class="inbox-inbox-pl-c1" style="box-sizing:border-box;color:rgb(0,92,197)">false</span><br></span></li><li style=""><span class="inbox-inbox-pl-ent" style="color:rgb(34,134,58);box-sizing:border-box;font-family:SFMono-Regular,Consolas,'Liberation Mono',Menlo,Courier,monospace;font-size:12px;white-space:pre">broker_probe_initial_delay</span><span style="color:rgb(36,41,46);font-family:SFMono-Regular,Consolas,'Liberation Mono',Menlo,Courier,monospace;font-size:12px;white-space:pre">: </span><span style="font-family:SFMono-Regular,Consolas,'Liberation Mono',Menlo,Courier,monospace;font-size:12px;white-space:pre"><font color="#005cc5">300</font></span></li></ol><div><span style="color:rgb(33,33,33)">I'll be sure to add these notes in any comment/update I make to the blog post.</span><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Nov 8, 2018 at 10:43 AM Shawn Hurley <<a href="mailto:shurley@redhat.com">shurley@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Which version of the automation broker are you using and how are you<br>
deploying? I think you will probably want to look into either 1. the<br>
Auto Escalate config value or 2. the permissions of the<br>
automation-broker that you are granting.<br>
<br>
Thanks,<br>
<br>
Shawn Hurley<br>
On Thu, Nov 8, 2018 at 1:10 AM Charles Moulliard <<a href="mailto:cmoullia@redhat.com" target="_blank">cmoullia@redhat.com</a>> wrote:<br>
><br>
> When the pod of OAB starts, then this error message appears<br>
><br>
> [2018-11-08T05:18:28.93Z] [DEBUG] - Creating k8s apiserver<br>
> [2018-11-08T05:18:28.932Z] [ERROR] - Unable to retrieve cluster roles rules from cluster<br>
>  You must be using OpenShift 3.7 to use the User rules check.<br>
> <a href="http://clusterroles.rbac.authorization.k8s.io" rel="noreferrer" target="_blank">clusterroles.rbac.authorization.k8s.io</a> "admin" is forbidden: User "system:serviceaccount:automation-broker:automation-broker" cannot get <a href="http://clusterroles.rbac.authorization.k8s.io" rel="noreferrer" target="_blank">clusterroles.rbac.authorization.k8s.io</a> at the cluster scope<br>
><br>
><br>
> On Wed, Nov 7, 2018 at 10:19 PM Charles Moulliard <<a href="mailto:cmoullia@redhat.com" target="_blank">cmoullia@redhat.com</a>> wrote:<br>
>><br>
>> Hi<br>
>><br>
>> I'm trying to install OAB on k8s v1.11 according to the info reported here [1] and that fails as the k8s service catalog can't access the broker [2]<br>
>><br>
>> Can OAB be deployed on k8s ? Is there a workaround ?<br>
>><br>
>> [1] <a href="https://blog.openshift.com/automation-broker-discovering-helm-charts/" rel="noreferrer" target="_blank">https://blog.openshift.com/automation-broker-discovering-helm-charts/</a><br>
>> [2] <a href="https://goo.gl/8F3WxV" rel="noreferrer" target="_blank">https://goo.gl/8F3WxV</a><br>
>><br>
>> Regards<br>
>><br>
>> Charles<br>
><br>
> _______________________________________________<br>
> Ansible-service-broker mailing list<br>
> <a href="mailto:Ansible-service-broker@redhat.com" target="_blank">Ansible-service-broker@redhat.com</a><br>
> <a href="https://www.redhat.com/mailman/listinfo/ansible-service-broker" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/ansible-service-broker</a><br>
<br>
</blockquote></div>
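The permissions question raised in the thread can be checked directly from the broker log. The following is an added example, not code from the thread or from the automation-broker project: it parses the API server's "forbidden" message in the wording quoted above and builds the matching `kubectl auth can-i` check for the denied service account. The function names are hypothetical; `SAMPLE` is the log line from the thread and the namespaced line used in testing is constructed.

```python
import re
import shlex

# Matches the older API-server denial wording quoted in the thread.
# Newer Kubernetes releases phrase this message differently (assumption:
# only the wording shown on this page needs to be handled).
FORBIDDEN = re.compile(
    r'(?P<target>[\w.-]+) "(?P<name>[^"]*)" is forbidden: '
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) [\w.-]+ '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

# Log line from the thread, with the mail client's auto-links removed.
SAMPLE = (
    'clusterroles.rbac.authorization.k8s.io "admin" is forbidden: '
    'User "system:serviceaccount:automation-broker:automation-broker" '
    'cannot get clusterroles.rbac.authorization.k8s.io at the cluster scope'
)


def parse_forbidden(line):
    """Return the denied (user, verb, resource, scope) as a dict, or None."""
    m = FORBIDDEN.search(line)
    if m is None:
        return None
    denial = m.groupdict()
    # "clusterroles.rbac.authorization.k8s.io" -> resource + API group
    resource, _, group = denial["target"].partition(".")
    denial.update(resource=resource, group=group)
    # Service accounts authenticate as system:serviceaccount:<ns>:<name>
    parts = denial["user"].split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        denial["sa_namespace"], denial["sa_name"] = parts[2], parts[3]
    return denial


def can_i_command(denial):
    """Build the kubectl argv that re-tests exactly the denied request."""
    target = denial["target"]
    if denial["name"]:
        target += "/" + denial["name"]
    cmd = ["kubectl", "auth", "can-i", denial["verb"], target,
           "--as=" + denial["user"]]
    if denial["namespace"]:  # None for cluster-scoped denials
        cmd += ["--namespace", denial["namespace"]]
    return cmd


if __name__ == "__main__":
    print(shlex.join(can_i_command(parse_forbidden(SAMPLE))))
```

Running the printed command before and after an image or RBAC change shows whether the service account's effective permissions actually changed.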