The username needs to be the fully qualified name for the SA. So something like `oadm policy add-cluster-role-to-user <ROLE> system:serviceaccount:default:pruner`
On Fri, Jan 22, 2016 at 9:52 AM, Gilbert Roulot <[email protected]> wrote:

> Thanks,
>
> we are doing that, using a new service account with the cluster-admin
> role, and try pruning:
>
> oadm --token='843 chat long token here' prune builds --orphans
> --keep-complete=5 --keep-failed=1 --keep-younger-than=60m --confirm
> Error from server: User "system:serviceaccount:default:pruner" cannot list
> all buildconfigs in the cluster
>
> But the policy says otherwise:
> oadm policy who-can list bc --all-namespaces=true
> Namespace: <all>
> Verb: list
> Resource: bc
>
> Users: admin
>        pruner
>
> Groups: system:cluster-admins
>         system:masters
>
>
> This is on OpenShift 1.1, what could be the problem?
>
>
> Regards.
>
>
> 2016-01-21 14:46 GMT+01:00 David Eads <[email protected]>:
>
>> For cases where you want a long lived token, we recommend that you create
>> a service account, grant that SA the rights you need, grab the SA's token
>> and use it. That gives you a long-lived, revocable token to avoid
>> annoyances like that.
>>
>> On Thu, Jan 21, 2016 at 8:23 AM, Philippe Lafoucrière <
>> [email protected]> wrote:
>>
>>> Hi,
>>>
>>> I wonder if there's a way to have tokens with different ttl in
>>> openshift.
>>> I have 2 use-cases where it's an issue:
>>>
>>> - CI: our ci server needs to be able to push image layers everyday,
>>> obviously
>>> - Pruner: we have a dedicated user for that, and of course, after a few
>>> days:
>>>
>>> $ /bin/oadm prune images --keep-tag-revisions=3 --keep-younger-than=60m
>>> --confirm
>>> Error from server: the server has asked for the client to provide
>>> credentials
>>>
>>> Thanks
>>> Philippe
>>>
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>
>>
>
> --
> Gilbert Roulot
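The mismatch in the thread (the error names `system:serviceaccount:default:pruner`, while `who-can` lists only the bare name `pruner`) can be checked mechanically. The script below is an added example, not code from the thread or from the OpenShift project; the function names are hypothetical, both sample listings are constructed, and the second one assumes how the listing would look once the qualified name is granted.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): tell a service-account grant apart
# from a grant to a regular user that merely shares the SA's short name.

# Fully qualified username of a service account.
sa_username() {  # usage: sa_username <namespace> <name>
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Print the entries of the "Users:" section of who-can output read on stdin.
whocan_users() {
  awk '
    /^Users:/  { in_users = 1; sub(/^Users:[[:space:]]*/, "") }
    /^Groups:/ { in_users = 0 }
    in_users && NF { print $1 }
  '
}

# Classify how the SA appears in who-can output read on stdin.
# Prints one of: bound-as-sa | bare-user-only | absent
classify_sa_grant() (  # usage: classify_sa_grant <namespace> <name>
  fq=$(sa_username "$1" "$2")
  users=$(whocan_users)
  if printf '%s\n' "$users" | grep -Fxq -- "$fq"; then
    echo bound-as-sa
  elif printf '%s\n' "$users" | grep -Fxq -- "$2"; then
    echo bare-user-only      # role went to a user named like the SA
  else
    echo absent
  fi
)

# Constructed sample, modeled on the who-can output quoted in the thread.
SAMPLE_BARE='Namespace: <all>
Verb:      list
Resource:  bc

Users:     admin
           pruner

Groups:    system:cluster-admins
           system:masters'

# Constructed sample: assumed listing once the qualified name is granted.
SAMPLE_FQ='Users:     admin
           system:serviceaccount:default:pruner

Groups:    system:masters'

printf '%s\n' "$SAMPLE_BARE" | classify_sa_grant default pruner
printf '%s\n' "$SAMPLE_FQ"   | classify_sa_grant default pruner
```

A `bare-user-only` result means the role is held by a user account named `pruner`, so the service account's token still carries no such permission.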
