asb_last_operation fails without special permissions #19

Open
jmrodri opened this issue May 24, 2018 · 6 comments

@jmrodri
Contributor

jmrodri commented May 24, 2018

While trying to test sbcli using APBs in OpenShift online, we don't seem to have permissions to update the pod label. The last operation should do one of the following:

  1. if it gets an error, log it but go into degraded mode and no longer update the status
  2. allow a parameter to disable it that I can pass to the apbs so I can tell it never to do that

@jmrodri
Contributor Author

jmrodri commented May 24, 2018

@maleck13 @shawn-hurley thoughts?

@jmrodri
Contributor Author

jmrodri commented May 24, 2018

```
TASK [postgresql-apb : Update last operation] **********************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error attempting to update pod with last operation annotation: (403)\nReason: Forbidden\nHTTP response headers: HTTPHeaderDict({'Date': 'Thu, 24 May 2018 15:09:11 GMT', 'Content-Length': '369', 'Content-Type': 'application/json', 'Cache-Control': 'no-store'})\nHTTP response body: {\n  \"kind\": \"Status\",\n  \"apiVersion\": \"v1\",\n  \"metadata\": {},\n  \"status\": \"Failure\",\n  \"message\": \"pods \\\"bundle-7b12b4e7-fca7-4fe4-94c0-ade0d0825a0b\\\" is forbidden: unable to validate against any security context constraint: []\",\n  \"reason\": \"Forbidden\",\n  \"details\": {\n    \"name\": \"bundle-7b12b4e7-fca7-4fe4-94c0-ade0d0825a0b\",\n    \"kind\": \"pods\"\n  },\n  \"code\": 403\n}\n"}
PLAY RECAP *********************************************************************
```

@jmrodri
Contributor Author

jmrodri commented May 24, 2018

@djzager mentioned we could disable it with the in_cluster=false option
https://github.com/ansibleplaybookbundle/postgresql-apb/blob/master/tasks/main.yml#L6

@djzager
Contributor

djzager commented May 24, 2018

I've seen this same thing before with Travis: https://travis-ci.org/ansibleplaybookbundle/hello-world-apb/jobs/365688175#L733. It's only against OpenShift 3.9; you can see the OpenShift 3.10 variant of the same test has no issues.

@maleck13
Contributor

Disabling seems reasonable. Probably should log something when it is called and it is disabled, to give the developer information as to why he is not seeing any updates.
For OpenShift Online, the SCC must not allow updates to the pod? Or is it that the edit role has been limited?

@jmrodri
Copy link
Contributor Author

jmrodri commented May 24, 2018

@maleck13 we're going to investigate to make sure we gave the correct permissions; we might have also missed something :)
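
The two behaviours proposed in this thread (stop updating after a denied call, or disable updates with a parameter and log why), sketched as an added example that is not code from asb_last_operation or any APB. `ApiError`, `LastOperationReporter`, `patch_pod`, `denied_patch` and the sample response body are hypothetical names and constructed data.

```python
import json
import logging

log = logging.getLogger("last_operation")

class ApiError(Exception):
    """Hypothetical stand-in for an API client error with HTTP status and body."""
    def __init__(self, status, body):
        super().__init__(f"({status})")
        self.status, self.body = status, body

def _reason(body):
    """Pull the human-readable message out of a Status body, if it is JSON."""
    try:
        return json.loads(body).get("message", body)
    except (ValueError, AttributeError):
        return body

class LastOperationReporter:
    """Best-effort status updates that never fail the calling task on a 403."""
    def __init__(self, patch_pod, enabled=True):
        self.patch_pod = patch_pod  # hypothetical callable(description) that annotates the pod
        self.enabled = enabled      # proposal 2: switch the caller can pass in
        self.degraded = False       # proposal 1: set after the first denied update
        self._told = False

    def update(self, description):
        if not self.enabled:
            if not self._told:      # say once why no status updates will appear
                log.warning("last operation updates disabled by parameter")
                self._told = True
            return False
        if self.degraded:
            return False            # already logged; do not retry a denied call
        try:
            self.patch_pod(description)
            return True
        except ApiError as err:
            if err.status != 403:
                raise               # only permission denials are tolerated
            log.error("pod update denied, no further updates: %s", _reason(err.body))
            self.degraded = True
            return False

# Constructed sample modelled on the 403 Status body shown in the thread.
SAMPLE_BODY = json.dumps({"kind": "Status", "reason": "Forbidden", "code": 403,
    "message": 'pods "bundle-example" is forbidden: unable to validate '
               'against any security context constraint: []'})

def denied_patch(description):
    raise ApiError(403, SAMPLE_BODY)
```

Tolerating only the 403 keeps the bundle's service account free of pod-update rights where the platform withholds them, while other API failures still surface.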
