Re: Deployment getting deleted when running configure.yml again

2018-01-30 Thread Joel Pearson
I presume you’re running OpenShift 3.7?

If you’re running the new template broker (openshift-ansible installs it)
it has a nasty bug that does what you describe. But you can work around it
by removing an owner reference; see:

https://lists.openshift.redhat.com/openshift-archives/users/2018-January/msg00045.html

On Tue, 30 Jan 2018 at 9:53 pm, Alon Zusman wrote:

> Hello,
> I have an OpenShift cluster with 3 masters, 3 infra, 3 nodes.
>
> I change the cluster configuration from time to time and whenever I run
> config.yml (after the first time) all the deployments that were created
> using a provisioned service are being deleted.
>
> That is a huge problem for me.
> Am I missing something? Should I be running a different playbook?
> Thank you.
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: Headless services without selectors are forbidden in OpenShift

2018-01-30 Thread Clayton Coleman
You can grant the role to the user to let them set it.  However, that
lets that app escape any network isolation boundaries so the
multitenant network plugin won’t work.

You can also grant that permission to all users if you don’t need the
protection.

> On Jan 30, 2018, at 3:18 PM, Tomas Nozicka  wrote:
>
> I need to direct Route/Service traffic from one namespace to another
> which I have permissions to. (Possibly even the same namespace as
> well.) Reading Kubernetes documentation[1] Services without selectors
> seem to be the way to do it. It requires you to set Endpoints manually
> (e.g. to Service or pod in another namespace) but OpenShift will forbid
> you from doing that.
>
> Error from server (Forbidden): error when creating "endpoints.yaml":
> endpoints "my-service" is forbidden: endpoint address 10.131.xxx.xxx is
> not allowed
>
> It requires you to have endpoints/restricted permission regular users
> don't have.
>
> Is that intentional? What are the reasons? (I think this is the place
> forbidding it [2].)
>
> How else can a regular user do this? (Except running a "redirecting" pod
> which is fragile.)
>
> Thanks,
> Tomas
>
> [1] - https://kubernetes.io/docs/concepts/services-networking/service/#headless-services
> [2] - https://github.com/openshift/origin/blob/de21f148d1ca66ca2bfd201136c2e99ebda767e9/pkg/service/admission/endpoint_admission.go#L121
>


Headless services without selectors are forbidden in OpenShift

2018-01-30 Thread Tomas Nozicka
I need to direct Route/Service traffic from one namespace to another
which I have permissions to. (Possibly even the same namespace as
well.) Reading Kubernetes documentation[1] Services without selectors
seem to be the way to do it. It requires you to set Endpoints manually
(e.g. to Service or pod in another namespace) but OpenShift will forbid
you from doing that.

Error from server (Forbidden): error when creating "endpoints.yaml":
endpoints "my-service" is forbidden: endpoint address 10.131.xxx.xxx is
not allowed

It requires you to have endpoints/restricted permission regular users
don't have.

Is that intentional? What are the reasons? (I think this is the place
forbidding it [2].)

How else can a regular user do this? (Except running a "redirecting" pod
which is fragile.)

Thanks,
Tomas

[1] - https://kubernetes.io/docs/concepts/services-networking/service/#headless-services
[2] - https://github.com/openshift/origin/blob/de21f148d1ca66ca2bfd201136c2e99ebda767e9/pkg/service/admission/endpoint_admission.go#L121
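
Added example, not part of the original posts and not the plugin's own code: a simplified Python model of the admission check this thread discusses, where an endpoint address inside a restricted network is rejected unless the user may create endpoints/restricted. The two CIDRs are assumed OpenShift default pod and service networks, and the sample objects are constructed.

```python
import ipaddress

# Assumption: OpenShift default pod network and service network.
RESTRICTED_NETWORKS = [
    ipaddress.ip_network("10.128.0.0/14"),
    ipaddress.ip_network("172.30.0.0/16"),
]

def endpoint_ips(endpoints):
    """Yield every IP listed in an Endpoints object (ready or not)."""
    for subset in endpoints.get("subsets", []):
        for key in ("addresses", "notReadyAddresses"):
            for addr in subset.get(key, []):
                yield ipaddress.ip_address(addr["ip"])

def admit(endpoints, can_create_restricted):
    """Return (allowed, message) for a create/update of `endpoints`.

    `can_create_restricted` stands in for the access review that asks
    whether the user may create endpoints/restricted.
    """
    name = endpoints["metadata"]["name"]
    for ip in endpoint_ips(endpoints):
        if any(ip in net for net in RESTRICTED_NETWORKS) and not can_create_restricted:
            return False, (f'endpoints "{name}" is forbidden: '
                           f"endpoint address {ip} is not allowed")
    return True, ""

def make_endpoints(name, ip):
    """Build a minimal constructed Endpoints object with one address."""
    return {"metadata": {"name": name},
            "subsets": [{"addresses": [{"ip": ip}], "ports": [{"port": 8080}]}]}

# Constructed samples: a pod IP in the cluster network, and an external IP.
POD_TARGET = make_endpoints("my-service", "10.131.0.12")
EXTERNAL_TARGET = make_endpoints("my-service", "192.0.2.10")

if __name__ == "__main__":
    print(admit(POD_TARGET, can_create_restricted=False))
    print(admit(POD_TARGET, can_create_restricted=True))
    print(admit(EXTERNAL_TARGET, can_create_restricted=False))
```

Granting the role corresponds to `can_create_restricted=True`: the same pod-network address is then accepted, which is why the reply notes that it lets the app cross the multitenant isolation boundary.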



Re: hostPath not working for me

2018-01-30 Thread Vyacheslav Semushin
There is a dedicated SCC that allows access to hostPath -- "hostaccess". In
this case, you won't need to modify "restricted" SCC. Also, I see that you
granted "anyuid" SCC to the user/SA. If you need to have both permissions
(any uid and access to host), you can grant access to "hostmount-anyuid"
SCC.

2018-01-30 12:42 GMT+01:00 Guillermo Gómez:

> Hi, I'm trying to get hostPath working on my v3 installation without luck
> so far.
>
> The error I have is
>
> -->  FailedCreate: app1-6 Error creating: pods "app1-6-" is forbidden:
> unable to validate against any security context constraint: [provider
> anyuid: .spec.containers[0].securityContext.volumes[0]: Invalid value:
> "hostPath": hostPath volumes are not allowed to be used provider
> restricted: .spec.containers[0].securityContext.volumes[0]: Invalid
> value: "hostPath": hostPath volumes are not allowed to be used]
>
> Tried
>
> https://docs.openshift.org/3.6/admin_guide/manage_scc.html#use-the-hostpath-volume-plugin
>
> and still having the same error.
>
> What am I doing wrong?
>
> I'm in trouble with this setup and don't know what else to do, we want to
> keep Origin on our premises, please help.
>
> Guillermo Gómez Savino
>


-- 
Slava Semushin | OpenShift
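
Added example, not part of the original message: a simplified Python model of SCC validation showing why a pod with a hostPath volume fails under "anyuid" and "restricted" and which SCC admits it. The SCC definitions are constructed approximations of the defaults that keep only the allowed volume types and the runAsUser strategy; the pod and its path are constructed too.

```python
# Constructed, simplified models of four default SCCs; only the two fields
# relevant to this thread are kept. Compare with `oc get scc <name> -o yaml`.
BASE = {"configMap", "downwardAPI", "emptyDir",
        "persistentVolumeClaim", "projected", "secret"}
SCCS = {
    "restricted":       {"volumes": BASE, "run_as_user": "MustRunAsRange"},
    "anyuid":           {"volumes": BASE, "run_as_user": "RunAsAny"},
    "hostaccess":       {"volumes": BASE | {"hostPath"}, "run_as_user": "MustRunAsRange"},
    "hostmount-anyuid": {"volumes": BASE | {"hostPath", "nfs"}, "run_as_user": "RunAsAny"},
}

def volume_types(pod):
    """A pod volume is a dict with 'name' plus one key naming its type."""
    return {k for vol in pod["spec"].get("volumes", []) for k in vol if k != "name"}

def pins_uid(pod):
    """Simplification: any explicit runAsUser is treated as needing RunAsAny."""
    return any("runAsUser" in c.get("securityContext", {})
               for c in pod["spec"]["containers"])

def evaluate(pod, granted):
    """Return (SCCs that admit the pod, {scc: rejection reason})."""
    admitted, rejected = [], {}
    for name in granted:
        scc = SCCS[name]
        bad = sorted(volume_types(pod) - scc["volumes"])
        if bad:
            rejected[name] = f"{bad[0]} volumes are not allowed to be used"
        elif pins_uid(pod) and scc["run_as_user"] != "RunAsAny":
            rejected[name] = "explicit runAsUser needs RunAsAny"
        else:
            admitted.append(name)
    return admitted, rejected

# Constructed pod: one hostPath volume, container pinned to UID 0.
POD = {"spec": {
    "containers": [{"name": "app1", "securityContext": {"runAsUser": 0}}],
    "volumes": [{"name": "data", "hostPath": {"path": "/srv/app1"}}],
}}

if __name__ == "__main__":
    for grants in (["anyuid", "restricted"],
                   ["anyuid", "restricted", "hostaccess"],
                   ["anyuid", "restricted", "hostmount-anyuid"]):
        print(grants, "->", evaluate(POD, grants))
```

In this model a pod that does not pin a UID is admitted by "hostaccess" alone, which is the narrower grant when any-UID is not needed.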


hostPath not working for me

2018-01-30 Thread Guillermo Gómez
Hi, I'm trying to get hostPath working on my v3 installation without luck
so far.

The error I have is

-->  FailedCreate: app1-6 Error creating: pods "app1-6-" is forbidden:
unable to validate against any security context constraint: [provider
anyuid: .spec.containers[0].securityContext.volumes[0]: Invalid value:
"hostPath": hostPath volumes are not allowed to be used provider
restricted: .spec.containers[0].securityContext.volumes[0]: Invalid value:
"hostPath": hostPath volumes are not allowed to be used]

Tried

https://docs.openshift.org/3.6/admin_guide/manage_scc.html#use-the-hostpath-volume-plugin

and still having the same error.

What am I doing wrong?

I'm in trouble with this setup and don't know what else to do, we want to
keep Origin on our premises, please help.

Guillermo Gómez Savino


Deployment getting deleted when running configure.yml again

2018-01-30 Thread Alon Zusman
Hello,

I have an OpenShift cluster with 3 masters, 3 infra, 3 nodes.

I change the cluster configuration from time to time and whenever I run
config.yml (after the first time) all the deployments that were created using a
provisioned service are being deleted.

That is a huge problem for me.
Am I missing something? Should I be running a different playbook?
Thank you.