<div dir="ltr">Hmhmh. The rule is not there. <div><br></div><div><div>apiVersion: v1</div><div>kind: ClusterRole</div><div>metadata:</div><div>  creationTimestamp: 2018-01-26T10:33:15Z</div><div>  name: asb-auth</div><div>  resourceVersion: "4154"</div><div>  selfLink: /oapi/v1/clusterroles/asb-auth</div><div>  uid: 512a7de2-0284-11e8-bd96-8a164c505ef4</div><div>rules:</div><div>- apiGroups:</div><div>  - ""</div><div>  attributeRestrictions: null</div><div>  resources:</div><div>  - namespaces</div><div>  verbs:</div><div>  - create</div><div>  - delete</div><div>- apiGroups:</div><div>  - authorization.openshift.io</div><div>  attributeRestrictions: null</div><div>  resources:</div><div>  - subjectrulesreview</div><div>  verbs:</div><div>  - create</div><div>- apiGroups:</div><div>  - authorization.k8s.io</div><div>  attributeRestrictions: null</div><div>  resources:</div><div>  - subjectaccessreviews</div><div>  verbs:</div><div>  - create</div><div>- apiGroups:</div><div>  - authentication.k8s.io</div><div>  attributeRestrictions: null</div><div>  resources:</div><div>  - tokenreviews</div><div>  verbs:</div><div>  - create</div></div><div><br></div><div class="gmail_extra">
<br><div class="gmail_quote">On Fri, Jan 26, 2018 at 2:04 PM, Ryan Hallisey <span dir="ltr"><<a href="mailto:rhallise@redhat.com" target="_blank">rhallise@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I could be wrong, but I think the User<br>
"system:serviceaccount:<wbr>ansible-service-broker:asb" is only allowed to<br>
create networkpolicies in the namespace ansible-service-broker.<br>
<br>
Also let's double check your user has the correct permissions. See if<br>
you find the rule below in `kubectl get clusterrole asb-auth -o yaml`.<br>
<br>
- apiGroups: ["<a href="http://networking.k8s.io" rel="noreferrer" target="_blank">networking.k8s.io</a>", ""]<br>
  attributeRestrictions: null<br>
  resources: ["networkpolicies"]<br>
  verbs: ["create", "delete"]<br>
<div><div class="h5"><br>
On Fri, Jan 26, 2018 at 7:28 AM, Charles Moulliard <<a href="mailto:cmoullia@redhat.com">cmoullia@redhat.com</a>> wrote:<br>
> If I look to the log of the ASB pod, then I see such error when ASB tries<br>
> to create the network resource within the "test" namespace<br>
><br>
> [2018-01-26T12:02:41.757Z] [DEBUG] - Creating network policy for pod:<br>
> apb-36748357-1681-44b8-be32-<wbr>6e0cc12ec606 to grant network access to ns: test<br>
> [2018-01-26T12:02:41.758Z] [ERROR] - unable to create network policy object<br>
> - User "system:serviceaccount:<wbr>ansible-service-broker:asb" cannot create<br>
> <a href="http://networkpolicies.networking.k8s.io" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a> in the namespace "test": User<br>
> "system:serviceaccount:<wbr>ansible-service-broker:asb" cannot create<br>
> <a href="http://networkpolicies.networking.k8s.io" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a> in project "test" (post<br>
> <a href="http://networkpolicies.networking.k8s.io" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a>)<br>
> [2018-01-26T12:02:41.758Z] [ERROR] - User<br>
> "system:serviceaccount:<wbr>ansible-service-broker:asb" cannot create<br>
> <a href="http://networkpolicies.networking.k8s.io" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a> in the namespace "test": User<br>
> "system:serviceaccount:<wbr>ansible-service-broker:asb" cannot create<br>
> <a href="http://networkpolicies.networking.k8s.io" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a> in project "test" (post<br>
> <a href="http://networkpolicies.networking.k8s.io" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a>)<br>
> [2018-01-26T12:02:41.758Z] [ERROR] - Problem executing apb<br>
> [apb-36748357-1681-44b8-be32-<wbr>6e0cc12ec606] provision - err: User<br>
> "system:serviceaccount:<wbr>ansible-service-broker:asb" cannot create<br>
> <a href="http://networkpolicies.networking.k8s.io" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a> in the namespace "test": User<br>
> "system:serviceaccount:<wbr>ansible-service-broker:asb" cannot create<br>
> <a href="http://networkpolicies.networking.k8s.io" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a> in project "test" (post<br>
> <a href="http://networkpolicies.networking.k8s.io" rel="noreferrer" target="_blank">networkpolicies.networking.<wbr>k8s.io</a>)<br>
><br>
> Is it the reason of my issue ? If yes, how can we resolve the problem ?<br>
><br>
><br>
> On Fri, Jan 26, 2018 at 1:06 PM, Charles Moulliard <<a href="mailto:cmoullia@redhat.com">cmoullia@redhat.com</a>><br>
> wrote:<br>
>><br>
>> Hi,<br>
>><br>
>> I have used the OpenShift UI screens to install under "test" namespace the<br>
>> MySQL service instance<br>
>> and I get such errors if I look to the "events"<br>
>><br>
>><br>
>> <a href="https://www.dropbox.com/s/5cptnq47zf8rava/Screenshot%202018-01-26%2013.04.33.png?dl=0" rel="noreferrer" target="_blank">https://www.dropbox.com/s/<wbr>5cptnq47zf8rava/Screenshot%<wbr>202018-01-26%2013.04.33.png?<wbr>dl=0</a><br>
>><br>
>> ServiceBinding cannot begin because referenced ServiceInstance<br>
>> "test/dh-mysql-apb-7wzcr" is not ready<br>
>> Provision call failed: Error occurred during provision. Please contact<br>
>> administrator if it persists.<br>
>><br>
>> Project has been installed on OCP 3.7 with option --service-catalog<br>
>> and Ansible Broker using the following template<br>
>><br>
>> oc new-project ansible-service-broker<br>
>> curl -s<br>
>> <a href="https://raw.githubusercontent.com/openshift/ansible-service-broker/master/templates/simple-broker-template.yaml" rel="noreferrer" target="_blank">https://raw.githubusercontent.<wbr>com/openshift/ansible-service-<wbr>broker/master/templates/<wbr>simple-broker-template.yaml</a><br>
>> | oc process -n "ansible-service-broker" -f - | oc create -f -<br>
>><br>
>> How can I troubleshoot such errors ?<br>
>><br>
>> Regards<br>
>><br>
>> Charles<br>
>><br>
><br>
><br>
</div></div>> ______________________________<wbr>_________________<br>
> Ansible-service-broker mailing list<br>
> <a href="mailto:Ansible-service-broker@redhat.com">Ansible-service-broker@redhat.<wbr>com</a><br>
> <a href="https://www.redhat.com/mailman/listinfo/ansible-service-broker" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/ansible-<wbr>service-broker</a><br>
><br>
</blockquote></div><br></div></div>
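<p>Added example (not part of the thread and not ansible-service-broker code): a small offline model of RBAC rule matching, run against the asb-auth rules posted above, showing why the create call on networkpolicies in "test" is denied and how the scope of the binding changes the answer once the rule is added. The bindings are constructed for illustration, since the thread does not show how asb-auth is bound; resourceNames, subresources and group subjects are left out of the model.</p>

```python
# Minimal model of Kubernetes RBAC rule matching; runs offline, no cluster needed.
SUBJECT = "system:serviceaccount:ansible-service-broker:asb"

# Rules of ClusterRole asb-auth exactly as posted in the thread.
ASB_AUTH = [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["create", "delete"]},
    {"apiGroups": ["authorization.openshift.io"], "resources": ["subjectrulesreview"], "verbs": ["create"]},
    {"apiGroups": ["authorization.k8s.io"], "resources": ["subjectaccessreviews"], "verbs": ["create"]},
    {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"], "verbs": ["create"]},
]
# The rule Ryan asked to look for in the ClusterRole.
NETPOL_RULE = {"apiGroups": ["networking.k8s.io", ""],
               "resources": ["networkpolicies"], "verbs": ["create", "delete"]}

def _match(allowed, wanted):
    # "*" in a rule field matches any value; otherwise the match is exact.
    return "*" in allowed or wanted in allowed

def rule_allows(rule, group, resource, verb):
    # A rule grants a request only if API group, resource and verb all match.
    return (_match(rule["apiGroups"], group)
            and _match(rule["resources"], resource)
            and _match(rule["verbs"], verb))

def can_i(bindings, subject, verb, group, resource, namespace):
    """Each binding is a dict: subject, rules, namespace (None = ClusterRoleBinding)."""
    for b in bindings:
        if b["subject"] != subject:
            continue
        # A RoleBinding only grants its role's rules inside its own namespace.
        if b["namespace"] not in (None, namespace):
            continue
        if any(rule_allows(r, group, resource, verb) for r in b["rules"]):
            return True
    return False  # RBAC is deny-by-default

def check(bindings, namespace="test"):
    # The request from the broker log: create networkpolicies.networking.k8s.io.
    return can_i(bindings, SUBJECT, "create", "networking.k8s.io", "networkpolicies", namespace)

# Constructed bindings (hypothetical; the thread does not show them).
AS_POSTED = [{"subject": SUBJECT, "rules": ASB_AUTH, "namespace": None}]
RULE_CLUSTER_WIDE = [{"subject": SUBJECT, "rules": ASB_AUTH + [NETPOL_RULE], "namespace": None}]
RULE_BROKER_NS_ONLY = AS_POSTED + [
    {"subject": SUBJECT, "rules": [NETPOL_RULE], "namespace": "ansible-service-broker"}]

if __name__ == "__main__":
    for name, b in [("as posted", AS_POSTED), ("rule added, cluster-wide", RULE_CLUSTER_WIDE),
                    ("rule bound only in broker namespace", RULE_BROKER_NS_ONLY)]:
        print(f"{name}: create networkpolicies in 'test' allowed = {check(b)}")
```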