[kontinuity-dev-public] Jenkins service account does not work on slaves (only on master)

Andrew Lee Rubinger alr at redhat.com
Mon Jun 20 14:36:01 UTC 2016


On Jun 20, 2016 4:52 AM, "Tomas Nozicka" <tnozicka at redhat.com> wrote:
>
> On Ne, 2016-06-19 at 20:18 +0200, Tomas Nozicka wrote:
> > Inline.
> >
> > On Ne, 2016-06-19 at 09:31 -0700, Ben Parees wrote:
> > >
> > > >
> > > > Do you think we could add some permission to jenkins service
> > > account to allow this:
> > > >
> > > >
> > > > + oc policy add-role-to-user system:image-puller
> > > system:serviceaccount:test-prod:default --namespace=test
> > > No I don't think we can do that, that's a specific grant to a
> > > specific project that not all users will have. We can only add
> > > permissions relative to the current project(in your case, catapult
> > > I
> > > believe). There are really two problems: 1) the user may not have
> > > permission to grant themselves access to another project (you are
> > > presumably running that command as cluster admin) and 2) the
> > > project
> > > name is specific to your scenario.
> > > So this is something you'll have to set up explicitly.
> > I feel like you misunderstood my point and I should have been clearer
> > about it.
> >
> > I don't want you to setup that access to another project. I am
> > perfectly ok with issuing that command by myself:
> >
> >   oc policy add-role-to-user system:image-puller system:serviceaccount:test-prod:default --namespace=test
> >
> > What I have asked you to do is to setup RoleBinding in jenkins
> > template, like:
> >   https://github.com/openshift/origin/blob/master/examples/jenkins/pipeline/jenkinstemplate.json#L153
> > You currently set up only a RoleBinding to role "edit". And that does
> > not seem to be enough, because I get this error:
> >
> >   Error from server: User "system:serviceaccount:test:jenkins" cannot get policybindings in project "test"
> >
> > And I am not sure which one is needed for this type of action.
>
>
>
> > And no, I don't use an admin account there. I created the first project
> > through the UI logged in as user "openshift-dev", and the second namespace
> > was created by the service account jenkins from the first namespace.
> > I can create any services, deployments, ... in both projects through
> > the service account, so I already have permissions to do almost
> > anything in those projects. But I cannot connect one to the other so
> > that the deployment in the second namespace is allowed to deploy from
> > an ImageStream in the first namespace.
> The last paragraph I wrote is not true. I must have modified the
> cluster policies or done something else :( I have recreated my cluster
> and I am running into (justified) permission denials. I am really sorry
> about the confusion.
>
> So considering this is the week, I am not going to pursue the idea of
> separating dev from prod through namespace for now.

+1 to both pursuing the separation ultimately, and cutting it from the
release criteria for Summit.  Creating projects on behalf of users is
something we'll have to get in for OpenShift Online.  Thanks for starting
work on it!

>
> Thanks everybody for their help so far!
> --
> Tomas
>
> > > > Error from server: User "system:serviceaccount:test:jenkins"
> > > > cannot get policybindings in project "test"
> > > >
> > > > It is the last thing that does not work with using service
> > > > accounts right now in my pipeline.
> > > >
> > > > Thanks,
> > > > Tomas
>
> _______________________________________________
> kontinuity-dev-public mailing list
> kontinuity-dev-public at redhat.com
> https://www.redhat.com/mailman/listinfo/kontinuity-dev-public
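The grant Tomas describes, written out as a RoleBinding object rather than the `oc policy add-role-to-user` command. This is an added example, not from the thread or from the linked jenkinstemplate.json; the namespace and service-account names are the ones used in the thread, the binding name is an assumption, and the `rbac.authorization.k8s.io/v1` API group is the current form (the 2016 template used the older OpenShift `v1` RoleBinding shape with a bare `roleRef.name`). The binding lives in the namespace that owns the ImageStream and names the service account from the other namespace that needs to pull from it.

```yaml
# Added example (not from the thread): RoleBinding equivalent of
#   oc policy add-role-to-user system:image-puller \
#     system:serviceaccount:test-prod:default --namespace=test
# Created in the SOURCE namespace ("test", where the ImageStream lives);
# the subject is the PULLING service account from the other namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-prod-default-image-puller   # binding name is an assumption
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller              # read-only: get on imagestreams/layers
subjects:
- kind: ServiceAccount
  name: default
  namespace: test-prod
```

Apply it with `oc create -f` as a user who is admin in `test`. The `edit` role that the template binds to the jenkins service account does not include creating role or policy bindings, which is exactly the "cannot get policybindings" denial in the thread, so this object has to be created by a project admin rather than by the pipeline itself; that keeps the build account from being able to widen its own access. Afterwards `oc auth can-i get imagestreams/layers -n test --as=system:serviceaccount:test-prod:default` confirms the pull permission without touching anything.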