[kontinuity-dev-public] Jenkins service account does not work on slaves (only on master)

Tomas Nozicka tnozicka at redhat.com
Sun Jun 19 18:18:27 UTC 2016


Inline.

On Sun, 2016-06-19 at 09:31 -0700, Ben Parees wrote:
> > Do you think we could add some permission to jenkins service
> > account to allow this:
> >
> > + oc policy add-role-to-user system:image-puller system:serviceaccount:test-prod:default --namespace=test
> No I don't think we can do that, that's a specific grant to a
> specific project that not all users will have. We can only add
> permissions relative to the current project (in your case, catapult I
> believe). There are really two problems: 1) the user may not have
> permission to grant themselves access to another project (you are
> presumably running that command as cluster admin) and 2) the project
> name is specific to your scenario.
> So this is something you'll have to set up explicitly.
I feel like you misunderstood my point and I should have been clearer
about it. 

I don't want you to set up that access to another project. I am
perfectly ok with issuing that command by myself:

 oc policy add-role-to-user system:image-puller system:serviceaccount:test-prod:default --namespace=test

What I have asked you to do is to set up a RoleBinding in the jenkins
template, like:
  https://github.com/openshift/origin/blob/master/examples/jenkins/pipeline/jenkinstemplate.json#L153
You currently set up only a RoleBinding to the role "edit". And that does not
seem to be enough, because I get the error:

  Error from server: User "system:serviceaccount:test:jenkins" cannot get policybindings in project "test"

And I am not sure which one is needed for this type of action.

And no, I don't use an admin account there. I created the first project
through the UI, logged in as user "openshift-dev", and the second namespace
was created by the service account jenkins from the first namespace.
I can create any services, deployments, ... in both projects through
the service account, so I already have permissions to do almost anything
to those projects. But I cannot connect one to the other so that the
deployment in the second namespace is allowed to deploy from the
ImageStream in the first namespace.


> >
> > Error from server: User "system:serviceaccount:test:jenkins" cannot get policybindings in project "test"
> >
> >
> > It is the last thing that does not work with using service accounts
> > right now in my pipeline.
> >
> > Thanks,
> > Tomas



