Hi Jordan,

thanks for the info, I didn’t know that, but it makes sense if you read the command line like a normal sentence. (-:

After digging a bit further I’ve found the mistake we’ve made on our side (of course). )-:

As is sadly quite common, we began with our OpenShift test cluster some time ago already and left it running for the developers to experiment with while we ops got distracted by other tasks. So in the meantime the underlying OS had been patched in the usual cycle, but nobody really thought about the fact that the OpenShift packages are updated as well, and I didn’t think about the update cycle when I began to struggle with the EFK Stack yesterday and today.

In short, nobody had taken the necessary steps after an OpenShift upgrade and the default policy simply didn’t know about the existence of configmaps as a valid resource type at all. I don’t know why I didn’t think of the obvious, so I only found out after manually editing the default cluster policy and adding the configmap resource type by hand, when it began to dawn on me that lacking this type couldn’t be quite right and that it looked like an upgrade problem. (-;

Thank you and Luke Meyer very much for taking your time to help me! I hope that when we get the OpenShift trainings in August the user/role/policy/scc relations will all get a bit clearer for me. (-;

Thanks again and kind regards,
Lemmy.

> On 12.07.2016 at 16:01, Jordan Liggitt <[email protected]> wrote:
>
> First, when checking permissions, resources are always plural: `oc policy who-can list configmaps -n logging`
>
> The view role will grant this access (along with access to many other non-escalating resources in the project). You can grant it like this:
>
>     oc policy add-role-to-user view -z logging-deployer -n logging
>
> On Tue, Jul 12, 2016 at 4:50 AM, Michael Leimenmeier <[email protected]> wrote:
> Hi,
>
> I've tried to set up logging with the EFK stack according to the documentation for OpenShift 3.2, but when I try to deploy the logging-deployer pod it fails into Error status with the following error message in the container log:
>
> [...]
> + echo 'Attaching secrets to service accounts'
> + oc secrets add serviceaccount/aggregated-logging-kibana logging-kibana logging-kibana-proxy
> + oc secrets add serviceaccount/aggregated-logging-elasticsearch logging-elasticsearch
> + oc secrets add serviceaccount/aggregated-logging-fluentd logging-fluentd
> + oc secrets add serviceaccount/aggregated-logging-curator logging-curator
> Deleting configmaps
> + '[' -n '' ']'
> + generate_configmaps
> + echo 'Deleting configmaps'
> + oc delete configmap -l logging-infra=support
> Error from server: User "system:serviceaccount:logging:logging-deployer" cannot list configmaps in project "logging"
>
> [ full output at http://pastebin.com/sUZrNX1b ]
>
> When I take a look who is allowed to list configmaps the logging-deployer serviceaccount is not listed:
>
> 10:18:16 root@osmaster:~> oc policy who-can list configmap -n logging
> Namespace: logging
> Verb:      list
> Resource:  configmaps
>
> Users:  system:serviceaccount:openshift-infra:namespace-controller
>
> Groups: system:cluster-admins
>         system:masters
>
> But to be honest I don't have a clue how to add a verb/resource pair to a serviceaccount.
> I've tried to add the view/edit/admin roles to the serviceaccount but no luck.
>
> Any help would be greatly appreciated!
>
> Thanks and kind regards,
> Lemmy.
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
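
A check on `oc policy who-can` output like the listing quoted in the thread, as an added example that is not part of the original messages: it parses the Users and Groups sections and reports whether a service account is covered directly or through one of the two groups every service account implicitly belongs to. The function names and the `AFTER_GRANT` sample are constructed for illustration.

```python
import re

# Output quoted in the thread (whitespace normalised).
THREAD_OUTPUT = """\
Namespace: logging
Verb:      list
Resource:  configmaps

Users:  system:serviceaccount:openshift-infra:namespace-controller

Groups: system:cluster-admins
        system:masters
"""

# Constructed sample: the same listing once the service account has been granted a role.
AFTER_GRANT = THREAD_OUTPUT.replace(
    "namespace-controller\n",
    "namespace-controller\n        system:serviceaccount:logging:logging-deployer\n",
)

HEADER = re.compile(r"^(Namespace|Verb|Resource|Users|Groups):\s*(.*)$")


def parse_who_can(text):
    """Return {'Users': set, 'Groups': set} parsed from who-can output."""
    subjects = {"Users": set(), "Groups": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            # Only Users/Groups headers open a subject section.
            section = match.group(1) if match.group(1) in subjects else None
            line = match.group(2)
        if section and line:
            subjects[section].add(line)
    return subjects


def granted_via(subjects, namespace, name):
    """Say how a service account is covered by the listing, or None if it is not."""
    user = f"system:serviceaccount:{namespace}:{name}"
    if user in subjects["Users"]:
        return f"user {user}"
    # Every service account is implicitly a member of these two groups.
    implicit = {"system:serviceaccounts", f"system:serviceaccounts:{namespace}"}
    hits = sorted(implicit & subjects["Groups"])
    return f"group {hits[0]}" if hits else None
```

Run against the thread's listing, `granted_via(parse_who_can(THREAD_OUTPUT), "logging", "logging-deployer")` returns `None`, which matches the "cannot list configmaps" error in the deployer log.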
