[Ansible-service-broker] Issue with playbook of ansible service broker - missing networkpolicies

David Zager dzager at redhat.com
Fri Mar 2 14:24:05 UTC 2018


Something is not right here. The original error message posted was:

[2018-02-28T20:33:59.598Z] [ERROR] - unable to create network policy
object - User "system:serviceaccount:openshift-ansible-service-broker:asb"
cannot create networkpolicies.networking.k8s.io in the namespace "project31":
User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot
create networkpolicies.networking.k8s.io in project "project31"
(post networkpolicies.networking.k8s.io)

and it comes from
https://github.com/openshift/ansible-service-broker/blob/ff1f14a421dbdab5834ebd994615081db0f09ac5/pkg/runtime/runtime.go#L225
but pkg/runtime/runtime.go does not exist in the v3.7 image:

$ docker pull docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7
Trying to pull repository docker.io/ansibleplaybookbundle/origin-ansible-service-broker ...
sha256:25026da783b7b8777f07fc90fefd037bb785424d5a7f364875e9df6d0321d76b: Pulling from docker.io/ansibleplaybookbundle/origin-ansible-service-broker
Digest: sha256:25026da783b7b8777f07fc90fefd037bb785424d5a7f364875e9df6d0321d76b
Status: Image is up to date for docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7

$ docker run -it --entrypoint /bin/bash docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7
bash-4.2$ ls $GOPATH/src/github.com/openshift/ansible-service-broker/pkg/runtime
hack.go
# Furthermore, searching for that error message in the v3.7 image shows that error doesn't exist in the v3.7 image
bash-4.2$ grep -r 'unable to create' $GOPATH/src/github.com/openshift/ansible-service-broker/pkg

The most likely cause for this is that the broker image was not updated. I
am open to other possibilities, could you rule this one out please?

Respectfully,
David Zager



On Fri, Mar 2, 2018 at 9:12 AM Ryan Hallisey <rhallise at redhat.com> wrote:

> In case this helps Charles, a temporary workaround would be to: oc edit
> clusterrole asb-auth
>
> and add:
>
>   - apiGroups: ["network.openshift.io", ""]
>     attributeRestrictions: null
>     resources: ["clusternetworks", "netnamespaces"]
>     verbs: ["get"]
>   - apiGroups: ["network.openshift.io", ""]
>     attributeRestrictions: null
>     resources: ["netnamespaces"]
>     verbs: ["update"]
>   - apiGroups: ["networking.k8s.io", ""]
>     attributeRestrictions: null
>     resources: ["networkpolicies"]
>     verbs: ["create", "delete"]
>
>
> Thanks,
> - Ryan
>
> On Fri, Mar 2, 2018 at 9:03 AM, Charles Moulliard <cmoullia at redhat.com>
> wrote:
>
>> We have redeployed using openshift-ansible playbook ASB using image v3.7
>> and networkpolicies issue is still there
>>
>> On Thu, Mar 1, 2018 at 4:19 PM, David Zager <dzager at redhat.com> wrote:
>>
>>> Greetings Charles,
>>>
>>> The image in question,
>>> docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7
>>> <https://hub.docker.com/r/ansibleplaybookbundle/origin-ansible-service-broker/tags/>
>>> has been updated to be built using the code from the release-1.0
>>> <https://github.com/openshift/ansible-service-broker/tree/release-1.0> branch
>>> of the broker project. Apologies for the trouble and thank you for helping
>>> us find the root cause.
>>>
>>> https://github.com/openshift/ansible-service-broker/pull/803 should
>>> prevent this from happening in the future.
>>>
>>> Respectfully,
>>> David Zager
>>>
>>> On Thu, Mar 1, 2018 at 9:45 AM Shawn Hurley <shurley at redhat.com> wrote:
>>>
>>>> Hello Charles,
>>>>
>>>> It appears that we have had a little mix up on the versions that we
>>>> tagged. You are currently getting the canary version of the broker.
>>>> We are working on rebuilding and re-tagging the correct images and will
>>>> keep everyone informed with this email thread. Sorry about the mix up.
>>>>
>>>> Thanks,
>>>>
>>>> Shawn Hurley
>>>>
>>>> On Mar 1, 2018, at 12:40 AM, Charles Moulliard <cmoullia at redhat.com>
>>>> wrote:
>>>>
>>>> I confirm that version 3.7 has been installed
>>>>
>>>>
>>>> https://www.dropbox.com/s/h7m72h23k7myjyw/Screenshot%202018-03-01%2006.39.40.png?dl=0
>>>>
>>>>
>>>> On Thu, Mar 1, 2018 at 12:47 AM, Erik Nelson <ernelson at redhat.com>
>>>> wrote:
>>>>
>>>>> Charles, you guys are deploying upstream origin with
>>>>> openshift-ansible? We discovered today thanks to your report that the
>>>>> upstream openshift-ansible code was configured to default to "latest"
>>>>> broker images, which is our 3.9 image. I will see if I can reproduce
>>>>> your issue as well.
>>>>>
>>>>> +1 to shurley's comment, we have to confirm what version of the image
>>>>> you are running, via tag.
>>>>>
>>>>> On Wed, Feb 28, 2018 at 6:42 PM, Shawn Hurley <shurley at redhat.com>
>>>>> wrote:
>>>>> > Hi Charles,
>>>>> >
>>>>> > v3.7 should not be attempting to do anything with network policies, can you
>>>>> > please double check the deployment config and tell us the version of the
>>>>> > image that is being deployed. If it is 3.7 then we have another issue that
>>>>> > we will need to solve.
>>>>> >
>>>>> > ansible_service_broker_image_tag should override the tag value, if that is
>>>>> > not working then we will need to do a deeper dive on the openshift-ansible
>>>>> > code.
>>>>> >
>>>>> > If you would like to just “work around” this then you could add a cluster
>>>>> > role binding and role to grant access to the asb service account to
>>>>> > manipulate the network policies.
>>>>> >
>>>>> > Regards,
>>>>> >
>>>>> > Shawn Hurley
>>>>> >
>>>>> > On Feb 28, 2018, at 3:44 PM, Charles Moulliard <cmoullia at redhat.com>
>>>>> wrote:
>>>>> >
>>>>> > Hi,
>>>>> >
>>>>> > There is still an issue with the ansible playbook installing ASB on
>>>>> > openshift 3.7
>>>>> > When the inventory is configured using these parameters
>>>>> >
>>>>> > git clone -b release-3.7 git@github.com:openshift/openshift-ansible.git
>>>>> >
>>>>> > openshift_enable_service_catalog=true
>>>>> > ansible_service_broker_registry_whitelist=['.*-apb$']
>>>>> > ansible_service_broker_image_tag=v3.7
>>>>> >
>>>>> > then, the following error is reported within the APB pod during
>>>>> > serviceinstance creation
>>>>> >
>>>>> > [2018-02-28T20:33:59.585Z] [NOTICE] - Creating RoleBinding
>>>>> > apb-49d8c2a2-6d12-474c-87a2-a220bda6ba0d
>>>>> > [2018-02-28T20:33:59.598Z] [ERROR] - unable to create network policy object
>>>>> > - User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot
>>>>> > create networkpolicies.networking.k8s.io in the namespace "project31": User
>>>>> > "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create
>>>>> > networkpolicies.networking.k8s.io in project "project31" (post
>>>>> > networkpolicies.networking.k8s.io)
>>>>> >  project "project31" (post networkpolicies.networking.k8s.io)
>>>>> >
>>>>> > As you can see, the clusterrole of asb-auth is still missing the following
>>>>> > info
>>>>> > https://goo.gl/HfJnj8
>>>>> >
>>>>> > Can somebody fix the error please for ansible openshift 3.7?
>>>>> >
>>>>> > Regards
>>>>> >
>>>>> > Charles
>>>>> > _______________________________________________
>>>>> > Ansible-service-broker mailing list
>>>>> > Ansible-service-broker at redhat.com
>>>>> > https://www.redhat.com/mailman/listinfo/ansible-service-broker
>
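
Added example, not part of the original thread or the broker project's code: it parses the authorization denial quoted in the thread and checks it against the three rules from the asb-auth workaround, using simplified RBAC rule matching (no resourceNames, subresources or binding evaluation). The names `parse_denial` and `allowed` and the joined sample line are constructed for illustration.

```python
import re

# Constructed sample: the broker log line quoted in the thread, joined onto one line.
LOG_LINE = (
    '[2018-02-28T20:33:59.598Z] [ERROR] - unable to create network policy object - '
    'User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create '
    'networkpolicies.networking.k8s.io in the namespace "project31"'
)

# Denial format: User "<subject>" cannot <verb> <resource>[.<apiGroup>] in ... "<namespace>"
DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) (?P<resource>[a-z0-9-]+)(?:\.(?P<group>[a-z0-9.-]+))? '
    r'in (?:the namespace|project) "(?P<namespace>[^"]+)"'
)

# The rules from the workaround in the thread, transcribed as Python data.
WORKAROUND_RULES = [
    {"apiGroups": ["network.openshift.io", ""],
     "resources": ["clusternetworks", "netnamespaces"], "verbs": ["get"]},
    {"apiGroups": ["network.openshift.io", ""],
     "resources": ["netnamespaces"], "verbs": ["update"]},
    {"apiGroups": ["networking.k8s.io", ""],
     "resources": ["networkpolicies"], "verbs": ["create", "delete"]},
]

def parse_denial(line):
    """Return the denied request as a dict, or None if the line is not a denial."""
    m = DENIAL.search(line)
    if not m:
        return None
    req = m.groupdict()
    req["group"] = req["group"] or ""  # the core API group is the empty string
    return req

def _has(values, wanted):
    return "*" in values or wanted in values

def allowed(rules, req):
    """True if one single rule covers the request's API group, resource and verb."""
    return any(
        _has(r["apiGroups"], req["group"])
        and _has(r["resources"], req["resource"])
        and _has(r["verbs"], req["verb"])
        for r in rules
    )

if __name__ == "__main__":
    req = parse_denial(LOG_LINE)
    print(req)
    print("granted by all three rules:", allowed(WORKAROUND_RULES, req))
    print("granted without the networkpolicies rule:", allowed(WORKAROUND_RULES[:2], req))
```

Group, resource and verb must all match within the same rule; a verb listed in one rule does not combine with a resource listed in another.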