View Issue Details

ID: 0015363
Project: Buildsys
Category: Ci.centos.org Ecosystem Testing
View Status: public
Last Update: 2018-10-15 14:25
Reporter: Martin.Pitt
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: reopened
Summary: 0015363: system:serviceaccount:cockpit:create-job cannot create jobs
Description:

In https://bugs.centos.org/view.php?id=15071 I asked for a "create-jobs" service account in the "cockpit" project. Unfortunately I had a lot of higher-priority things to do since then, but now I'm getting back to this topic. It turns out that with the YAML I provided, that service account cannot actually create jobs:
```
$ oc create -f test-job.yaml
Error from server (Forbidden): error when creating "j": User "system:serviceaccount:cockpit:create-job" cannot create jobs.batch in project "cockpit"

$ oc auth can-i create jobs
no - User "system:serviceaccount:cockpit:create-job" cannot create jobs.batch in project "cockpit"
```

The job-creator role looks like this:
```
- kind: Role
  apiVersion: v1
  metadata:
    namespace: cockpit
    name: job-creator
  rules:
    # rules is a list of PolicyRule objects; an empty apiGroups list
    # is what this report is about
    - apiGroups: []
      resources: ["jobs"]
      verbs: ["create", "list", "delete"]
```

This is rather poorly documented, but can we please try this again with

    resources: ["jobs", "jobs.batch"]

? Maybe "jobs.batch" is enough.

Thanks, and sorry for the trouble!
Tags: No tags attached.

Activities

bstinson (administrator) 2018-10-10 04:21 ~0032891

Applied.

Let me know how it works.

Martin.Pitt (reporter) 2018-10-10 15:14 ~0032901

Still the same error as before. I'm trying this in "oc rsh release-webhook-wqzsr" in the cockpit project, which I just freshly spawned, so it should have picked up your changes.

```
sh-4.4$ oc whoami
system:serviceaccount:cockpit:create-job
sh-4.4$ oc auth can-i create jobs
no - User "system:serviceaccount:cockpit:create-job" cannot create jobs.batch in project "cockpit"
```

I also tried with an actual job YAML, but the error is exactly the same, so "can-i" is supposedly enough to test this:

```
sh-4.4$ cat << EOF | oc create -f -
apiVersion: batch/v1
kind: Job
metadata:
  name: test
spec:
  template:
    spec:
      containers:
        - name: test
          image: busybox
          command: [ "sleep", "60" ]
EOF

Error from server (Forbidden): error when creating "STDIN": User "system:serviceaccount:cockpit:create-job" cannot create jobs.batch in project "cockpit"
```

Martin.Pitt (reporter) 2018-10-10 15:28 ~0032903

I'm comparing "oc policy can-i --list" from my own mpitt user with the service account.

job-creator:

```
VERBS                                                          NON-RESOURCE URLS  RESOURCE NAMES  API GROUPS    RESOURCES
[create delete list]                                           []                 []              []            [jobs]
[create delete list]                                           []                 []              []            [jobs.batch]
```

mpitt:

```
VERBS                                                          NON-RESOURCE URLS  RESOURCE NAMES  API GROUPS    RESOURCES
[create delete deletecollection get list patch update watch]   []                 []              [batch]       [cronjobs]
[create delete deletecollection get list patch update watch]   []                 []              [batch]       [jobs]
[create delete deletecollection get list patch update watch]   []                 []              [batch]       [scheduledjobs]
[create delete deletecollection get list patch update watch]   []                 []              [extensions]  [jobs]
```

So the "jobs.batch" resource entry was most probably unnecessary. However, the difference that stands out is the "API GROUP". So how about this instead:

```
- kind: Role
  apiVersion: rbac.authorization.k8s.io/v1beta1
  metadata:
    namespace: cockpit
    name: job-creator
  rules:
    - apiGroups: ["", "batch"] # "" indicates the core API group
      resources: ["jobs"]
      verbs: ["create", "list", "delete", "watch"]
```

This also adds the "watch" verb, which sounds useful and harmless.
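The API-group mismatch worked out in this note, as an added example (editor's illustration, not code from the bug report, from OpenShift or from Kubernetes): a small Python model of how a Kubernetes RBAC authorizer matches a Role's rules against a request. The `PREFERRED_GROUP` table, the two role dicts (copied from the YAML in this thread) and all function names are constructed for the example. It shows that an empty `apiGroups` list matches nothing at all, that a resource entry spelled `jobs.batch` is only a literal name and never matches the real `jobs` resource in group `batch`, and that listing `"batch"` as an API group is what makes `oc auth can-i create jobs` answer yes.

```python
# Added example: minimal model of Kubernetes RBAC PolicyRule matching,
# constructed to explain the denial seen in this thread.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: the API group the server resolves a bare resource name to
# (jobs and cronjobs live in "batch"; pods live in the core group, "").
PREFERRED_GROUP = {"jobs": "batch", "cronjobs": "batch", "pods": ""}

# Constructed copies of the two roles from the thread, as dicts mirroring the YAML.
ROLE_ORIGINAL = {
    "rules": [
        {"apiGroups": [], "resources": ["jobs", "jobs.batch"],
         "verbs": ["create", "list", "delete"]},
    ]
}
ROLE_FIXED = {
    "rules": [
        {"apiGroups": ["", "batch"], "resources": ["jobs"],
         "verbs": ["create", "list", "delete", "watch"]},
    ]
}


@dataclass(frozen=True)
class Request:
    verb: str
    api_group: str  # "" is the core API group
    resource: str


def parse_resource_ref(ref: str) -> Tuple[str, str]:
    """Resolve 'jobs' or 'jobs.batch' (resource.group, the form `oc auth can-i`
    prints in its denial message) to (api_group, resource)."""
    if "." in ref:
        resource, group = ref.split(".", 1)
        return group, resource
    return PREFERRED_GROUP.get(ref, ""), ref


def rule_matches(rule: Dict[str, List[str]], req: Request) -> bool:
    """A PolicyRule grants a request only if verb, API group and resource all
    match. An empty apiGroups list therefore matches nothing, not even the
    core group, which must be listed explicitly as "". A resources entry such
    as "jobs.batch" is compared as a literal name, so it never matches "jobs"."""
    verbs = rule.get("verbs", [])
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return (
        ("*" in verbs or req.verb in verbs)
        and ("*" in groups or req.api_group in groups)
        and ("*" in resources or req.resource in resources)
    )


def can_i(role: dict, verb: str, resource_ref: str) -> bool:
    """Equivalent of `oc auth can-i <verb> <resource>` evaluated against one Role."""
    group, resource = parse_resource_ref(resource_ref)
    req = Request(verb, group, resource)
    return any(rule_matches(rule, req) for rule in role["rules"])


def explain(role: dict, verb: str, resource_ref: str) -> str:
    """One-line verdict in the style of `oc auth can-i`, naming resource.group."""
    group, resource = parse_resource_ref(resource_ref)
    shown = f"{resource}.{group}" if group else resource
    verdict = "yes" if can_i(role, verb, resource_ref) else "no"
    return f"{verdict} - {verb} {shown}"


if __name__ == "__main__":
    for name, role in (("original", ROLE_ORIGINAL), ("fixed", ROLE_FIXED)):
        for verb, ref in (("create", "jobs"), ("watch", "jobs.batch"), ("get", "jobs")):
            print(f"{name:8s} {explain(role, verb, ref)}")
```

Running it prints `no - create jobs.batch` for the original role and `yes - create jobs.batch` for the fixed one; `get jobs` stays `no` for both, because the fixed role deliberately grants only the four verbs it lists.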

Martin.Pitt (reporter) 2018-10-10 15:32 ~0032904

FTR, this explains it somewhat: https://docs.openshift.com/container-platform/3.6/admin_guide/manage_authorization_policy.html#manage-authorization-policy-creating-local-role

bstinson (administrator) 2018-10-11 19:37 ~0032913

Applied, let's try one more time.

Martin.Pitt (reporter) 2018-10-12 05:57 ~0032917

Thanks, that did it! \o/

```
$ oc whoami; oc auth can-i create jobs
system:serviceaccount:cockpit:create-job
yes
```

Every politician would be envious now! :-)

I also created an actual job, works fine.

Issue History

Date Modified Username Field Change
2018-10-09 19:10 Martin.Pitt New Issue
2018-10-10 04:21 bstinson Status new => resolved
2018-10-10 04:21 bstinson Resolution open => fixed
2018-10-10 04:21 bstinson Note Added: 0032891
2018-10-10 15:12 bstinson Status resolved => new
2018-10-10 15:12 bstinson Resolution fixed => reopened
2018-10-10 15:14 Martin.Pitt Note Added: 0032901
2018-10-10 15:28 Martin.Pitt Note Added: 0032903
2018-10-10 15:32 Martin.Pitt Note Added: 0032904
2018-10-11 19:37 bstinson Status new => feedback
2018-10-11 19:37 bstinson Note Added: 0032913
2018-10-12 05:57 Martin.Pitt Note Added: 0032917
2018-10-12 05:57 Martin.Pitt Status feedback => assigned
2018-10-15 14:25 bstinson Status assigned => resolved