I tried creating the policybinding without the roleBindings section, and
that seems to have worked (after manually editing the rolebinding I created
to reference the correct project for the service account; I had to run the
command in the project that owned the role, so the rolebinding was for a
service account of that name under the role-owning project).  Neither of
the projects I did this to has vanished from the web UI.  I'm still not
entirely sure how or why this worked.

I also noticed that I was still using the 1.1.5 client, so I upgraded to
1.2.0 to match the server.

On Thu, Jul 7, 2016 at 10:39 AM, David Eads <[email protected]> wrote:

> Try creating it without any roles already defined.  Also, the command is
> pretty new, but it should be in master now.
>
> On Thu, Jul 7, 2016 at 11:18 AM, Alex Wauck <[email protected]> wrote:
>
>> Also, $ROLE_PROJECT is still visible in the web UI this time, despite the
>> fact that I recreated the policybinding.
>>
>> On Thu, Jul 7, 2016 at 10:16 AM, Alex Wauck <[email protected]>
>> wrote:
>>
>>> Note: $ROLE_PROJECT is the project containing the role that I want to
>>> assign to the service account in $SERVICEACCOUNT_PROJECT.
>>>
>>> Here's the YAML I used to create the policybinding:
>>> apiVersion: v1
>>> kind: PolicyBinding
>>> metadata:
>>>   name: $ROLE_PROJECT:default
>>> policyRef:
>>>   name: default
>>>   namespace: $ROLE_PROJECT
>>> roleBindings:
>>> - name: testing
>>>   roleBinding:
>>>     metadata:
>>>       name: testing
>>>       namespace: $ROLE_PROJECT
>>>     roleRef:
>>>       name: testing
>>>       namespace: $ROLE_PROJECT
>>>     subjects:
>>>     - kind: ServiceAccount
>>>       name: system:serviceaccount:$SERVICEACCOUNT_PROJECT:testing
>>>     userNames: null
>>>
>>> Terminal session after creating the above:
>>> $ oc policy add-role-to-user --role-namespace=$ROLE_PROJECT testing -z testing
>>> The RoleBinding "testing" is invalid.
>>>
>>> * metadata.resourceVersion: Invalid value: "": must be specified for an update
>>> * metadata.resourceVersion: Invalid value: "": must be specified for an update
>>> $ oc project $SERVICEACCOUNT_PROJECT
>>> Now using project "$SERVICEACCOUNT_PROJECT" on server "https://example.com:8443".
>>> $ oc policy add-role-to-user --role-namespace=$ROLE_PROJECT testing -z testing
>>> Error from server: policybinding "$ROLE_PROJECT:default" not found
>>> $ oc get policybinding -n $ROLE_PROJECT
>>> NAME                    ROLE BINDINGS                                                          LAST MODIFIED
>>> :default                admin, system:deployers, system:image-builders, system:image-pullers   2016-06-22 01:59:45 -0500 CDT
>>> $ROLE_PROJECT:default   testing
>>>
>>> Looks like there's something I don't understand about policies, policy
>>> bindings, roles, service accounts, and how they all fit together.
>>>
>>> --
>>
>> Alex Wauck // DevOps Engineer
>>
>> *E X O S I T E*
>> *www.exosite.com <http://www.exosite.com/>*
>>
>> Making Machines More Human.
>>
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>>
>


-- 

Alex Wauck // DevOps Engineer

*E X O S I T E*
*www.exosite.com <http://www.exosite.com/>*

Making Machines More Human.
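
An added example, not part of the original thread or of OpenShift's own tooling: a Python check over a role binding exported as JSON (for instance with `oc get rolebinding -o json`) that reports which project each ServiceAccount subject resolves to, the mismatch that the manual edit described at the top of this message corrected. The project names `role-project` and `sa-project`, the function names, and the rule that a subject without a namespace resolves in the binding's own project are assumptions.

```python
import json

SA_USER_PREFIX = "system:serviceaccount:"

def resolved_service_accounts(binding):
    """List (project, name) for every ServiceAccount subject of a RoleBinding.

    Assumption: a subject with no namespace field resolves in the binding's
    own namespace; a name in username form carries its project inline.
    """
    binding_ns = binding["metadata"].get("namespace", "")
    resolved = []
    for subject in binding.get("subjects") or []:
        if subject.get("kind") != "ServiceAccount":
            continue
        name = subject.get("name", "")
        if name.startswith(SA_USER_PREFIX):
            project, _, short = name[len(SA_USER_PREFIX):].partition(":")
            resolved.append((project, short))
        else:
            resolved.append((subject.get("namespace") or binding_ns, name))
    return resolved

def audit(binding, want_project, want_name):
    """Return findings; an empty list means only the intended account is bound."""
    findings = []
    accounts = resolved_service_accounts(binding)
    for project, name in accounts:
        if (project, name) != (want_project, want_name):
            findings.append(f"grants role to {project}/{name}, not {want_project}/{want_name}")
    if (want_project, want_name) not in accounts:
        findings.append(f"{want_project}/{want_name} is not a subject")
    return findings

# Constructed sample data (placeholder project names), shaped like the
# roleBinding in the thread: as first created, and after the manual edit.
AS_CREATED = json.loads("""{
  "metadata": {"name": "testing", "namespace": "role-project"},
  "roleRef": {"name": "testing", "namespace": "role-project"},
  "subjects": [{"kind": "ServiceAccount", "name": "testing", "namespace": "role-project"}]
}""")
AFTER_EDIT = json.loads("""{
  "metadata": {"name": "testing", "namespace": "role-project"},
  "roleRef": {"name": "testing", "namespace": "role-project"},
  "subjects": [{"kind": "ServiceAccount", "name": "testing", "namespace": "sa-project"}]
}""")

if __name__ == "__main__":
    for label, rb in (("as created", AS_CREATED), ("after edit", AFTER_EDIT)):
        print(label, audit(rb, "sa-project", "testing") or "ok")
```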