[Ansible-service-broker] Issue with playbook of ansible service broker - missing networkpolicies

Charles Moulliard cmoullia at redhat.com
Fri Mar 2 19:33:11 UTC 2018


This is my fault as the docker image
docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7 wasn't
updated and was still the old one.

I have redeployed and the problem is gone. Thanks

On Fri, Mar 2, 2018 at 3:24 PM, David Zager <dzager at redhat.com> wrote:

> Something is not right here. The original error message posted was:
>
> [2018-02-28T20:33:59.598Z] [ERROR] - unable to create network policy object - User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create networkpolicies.networking.k8s.io in the namespace "project31": User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create networkpolicies.networking.k8s.io in project "project31" (post networkpolicies.networking.k8s.io)
>
> and it comes from https://github.com/openshift/ansible-service-broker/blob/ff1f14a421dbdab5834ebd994615081db0f09ac5/pkg/runtime/runtime.go#L225
> but pkg/runtime/runtime.go does not exist in the v3.7 image:
>
> $ docker pull docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7
> Trying to pull repository docker.io/ansibleplaybookbundle/origin-ansible-service-broker ...
> sha256:25026da783b7b8777f07fc90fefd037bb785424d5a7f364875e9df6d0321d76b: Pulling from docker.io/ansibleplaybookbundle/origin-ansible-service-broker
> Digest: sha256:25026da783b7b8777f07fc90fefd037bb785424d5a7f364875e9df6d0321d76b
> Status: Image is up to date for docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7
>
> $ docker run -it --entrypoint /bin/bash docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7
> bash-4.2$ ls $GOPATH/src/github.com/openshift/ansible-service-broker/pkg/runtime
> hack.go
> # Furthermore, searching for that error message in the v3.7 image shows that error doesn't exist in the v3.7 image
> bash-4.2$ grep -r 'unable to create' $GOPATH/src/github.com/openshift/ansible-service-broker/pkg
>
> The most likely cause for this is that the broker image was not updated. I
> am open to other possibilities, could you rule this one out please?
>
> Respectfully,
> David Zager
>
>
>
> On Fri, Mar 2, 2018 at 9:12 AM Ryan Hallisey <rhallise at redhat.com> wrote:
>
>> In case this helps Charles, a temporary workaround would be to: oc edit
>> clusterrole asb-auth
>>
>> and add:
>>
>>   - apiGroups: ["network.openshift.io", ""]
>>     attributeRestrictions: null
>>     resources: ["clusternetworks", "netnamespaces"]
>>     verbs: ["get"]
>>   - apiGroups: ["network.openshift.io", ""]
>>     attributeRestrictions: null
>>     resources: ["netnamespaces"]
>>     verbs: ["update"]
>>   - apiGroups: ["networking.k8s.io", ""]
>>     attributeRestrictions: null
>>     resources: ["networkpolicies"]
>>     verbs: ["create", "delete"]
>>
>>
>> Thanks,
>> - Ryan
>>
>> On Fri, Mar 2, 2018 at 9:03 AM, Charles Moulliard <cmoullia at redhat.com>
>> wrote:
>>
>>> We have redeployed using openshift-ansible playbook ASB using image
>>> v3.7 and networkpolicies issue is still there
>>>
>>> On Thu, Mar 1, 2018 at 4:19 PM, David Zager <dzager at redhat.com> wrote:
>>>
>>>> Greetings Charles,
>>>>
>>>> The image in question, docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.7
>>>> <https://hub.docker.com/r/ansibleplaybookbundle/origin-ansible-service-broker/tags/>
>>>> has been updated to be built using the code from the release-1.0
>>>> <https://github.com/openshift/ansible-service-broker/tree/release-1.0> branch
>>>> of the broker project. Apologies for the trouble and thank you for helping
>>>> us find the root cause.
>>>>
>>>> https://github.com/openshift/ansible-service-broker/pull/803 should
>>>> prevent this from happening in the future.
>>>>
>>>> Respectfully,
>>>> David Zager
>>>>
>>>> On Thu, Mar 1, 2018 at 9:45 AM Shawn Hurley <shurley at redhat.com> wrote:
>>>>
>>>>> Hello Charles,
>>>>>
>>>>> It appears that we have had a little mix up on the versions that we
>>>>> tagged. You are currently getting the canary version of the broker.
>>>>> We are working on rebuilding and re-tagging the correct images and
>>>>> will keep everyone informed with this email thread. Sorry about the mix up.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Shawn Hurley
>>>>>
>>>>> On Mar 1, 2018, at 12:40 AM, Charles Moulliard <cmoullia at redhat.com>
>>>>> wrote:
>>>>>
>>>>> I confirm that version 3.7 has been installed
>>>>>
>>>>> https://www.dropbox.com/s/h7m72h23k7myjyw/Screenshot%202018-03-01%2006.39.40.png?dl=0
>>>>>
>>>>>
>>>>> On Thu, Mar 1, 2018 at 12:47 AM, Erik Nelson <ernelson at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Charles, you guys are deploying upstream origin with
>>>>>> openshift-ansible? We discovered today thanks to your report that the
>>>>>> upstream openshift-ansible code was configured to default to "latest"
>>>>>> broker images, which is our 3.9 image. I will see if I can reproduce
>>>>>> your issue as well.
>>>>>>
>>>>>> +1 to shurley's comment, we have to confirm what version of the image
>>>>>> you are running, via tag.
>>>>>>
>>>>>> On Wed, Feb 28, 2018 at 6:42 PM, Shawn Hurley <shurley at redhat.com>
>>>>>> wrote:
>>>>>> > Hi Charles,
>>>>>> >
>>>>>> > v3.7 should not be attempting to do anything with network policies, can you
>>>>>> > please double check the deployment config and tell us the version of the
>>>>>> > image that is being deployed. If it is 3.7 then we have another issue that
>>>>>> > we will need to solve.
>>>>>> >
>>>>>> > ansible_service_broker_image_tag should override the tag value, if that is
>>>>>> > not working then we will need to do a deeper dive on the openshift-ansible
>>>>>> > code.
>>>>>> >
>>>>>> > If you would like to just “work around” this then you could add a cluster
>>>>>> > role binding and role to grant access to the asb service account to
>>>>>> > manipulate the network policies.
>>>>>> >
>>>>>> > Regards,
>>>>>> >
>>>>>> > Shawn Hurley
>>>>>> >
>>>>>> > On Feb 28, 2018, at 3:44 PM, Charles Moulliard <cmoullia at redhat.com> wrote:
>>>>>> >
>>>>>> > Hi,
>>>>>> >
>>>>>> > There is still an issue with the ansible playbook installing ASB on
>>>>>> > openshift 3.7
>>>>>> > When the inventory is configured using these parameters
>>>>>> >
>>>>>> > git clone -b release-3.7 git@github.com:openshift/openshift-ansible.git
>>>>>> >
>>>>>> > openshift_enable_service_catalog=true
>>>>>> > ansible_service_broker_registry_whitelist=['.*-apb$']
>>>>>> > ansible_service_broker_image_tag=v3.7
>>>>>> >
>>>>>> > then, the following error is reported within the APB pod during
>>>>>> > serviceinstance creation
>>>>>> >
>>>>>> > [2018-02-28T20:33:59.585Z] [NOTICE] - Creating RoleBinding apb-49d8c2a2-6d12-474c-87a2-a220bda6ba0d
>>>>>> > [2018-02-28T20:33:59.598Z] [ERROR] - unable to create network policy object - User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create networkpolicies.networking.k8s.io in the namespace "project31": User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create networkpolicies.networking.k8s.io in project "project31" (post networkpolicies.networking.k8s.io)
>>>>>> >  project "project31" (post networkpolicies.networking.k8s.io)
>>>>>> >
>>>>>> > As you can see, the clusterrole of asb-auth is still missing the following
>>>>>> > info
>>>>>> > https://goo.gl/HfJnj8
>>>>>> >
>>>>>> > Can somebody fix the error please for ansible openshift 3.7 ?
>>>>>> >
>>>>>> > Regards
>>>>>> >
>>>>>> > Charles
>>>>>> > _______________________________________________
>>>>>> > Ansible-service-broker mailing list
>>>>>> > Ansible-service-broker at redhat.com
>>>>>> > https://www.redhat.com/mailman/listinfo/ansible-service-broker
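
The thread's root cause was a v3.7 tag that pointed at different builds over time, so the tag in the deployment config could not tell them apart. As an added example (not part of the original thread or the broker project), this Python script compares the digest a pod is actually running against the digest quoted in the `docker pull` output above; the pod JSON, the container name `asb` and the all-zero digest are constructed for illustration.

```python
import re

# Digest that `docker pull` reported for the v3.7 tag in the thread above.
EXPECTED = "sha256:25026da783b7b8777f07fc90fefd037bb785424d5a7f364875e9df6d0321d76b"
IMAGE = "docker.io/ansibleplaybookbundle/origin-ansible-service-broker"
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def running_digest(image_id):
    """Pull the sha256 digest out of a containerStatuses[].imageID string."""
    match = DIGEST_RE.search(image_id or "")
    return match.group(0) if match else None


def audit_pod(pod, expected):
    """Return (container, spec image, pinned by digest?, verdict) per container."""
    spec = {c["name"]: c["image"] for c in pod["spec"]["containers"]}
    findings = []
    for status in pod.get("status", {}).get("containerStatuses", []):
        digest = running_digest(status.get("imageID"))
        if digest is None:
            verdict = "unknown"      # no digest reported for this container
        elif digest == expected:
            verdict = "match"
        else:
            verdict = "mismatch"     # same tag, different build
        image = spec.get(status["name"], "")
        findings.append((status["name"], image, "@sha256:" in image, verdict))
    return findings


def make_pod(digest):
    """Constructed sample shaped like `oc get pod <name> -o json` output."""
    return {
        "spec": {"containers": [{"name": "asb", "image": IMAGE + ":v3.7"}]},
        "status": {"containerStatuses": [{
            "name": "asb",                      # assumed container name
            "image": IMAGE + ":v3.7",
            "imageID": "docker-pullable://" + IMAGE + "@" + digest,
        }]},
    }


STALE_POD = make_pod("sha256:" + "0" * 64)      # constructed placeholder digest
FRESH_POD = make_pod(EXPECTED)

if __name__ == "__main__":
    for label, pod in (("stale", STALE_POD), ("fresh", FRESH_POD)):
        print(label, audit_pod(pod, EXPECTED))
```

Both sample pods carry the same `:v3.7` tag in their spec, which is why the check keys on `imageID` rather than on the tag.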