
Re: Binding service account to project-local roles



Try creating it without any roles already defined. Also, the command is pretty new, but it should be in master now.

On Thu, Jul 7, 2016 at 11:18 AM, Alex Wauck <alexwauck exosite com> wrote:
Also, $ROLE_PROJECT is still visible in the web UI this time, despite the fact that I recreated the policybinding.

On Thu, Jul 7, 2016 at 10:16 AM, Alex Wauck <alexwauck exosite com> wrote:
Note: $ROLE_PROJECT is the project containing the role that I want to assign to the service account in $SERVICEACCOUNT_PROJECT.

Here's the YAML I used to create the policybinding:
apiVersion: v1
kind: PolicyBinding
metadata:
  name: $ROLE_PROJECT:default
policyRef:
  name: default
  namespace: $ROLE_PROJECT
roleBindings:
- name: testing
  roleBinding:
    metadata:
      name: testing
      namespace: $ROLE_PROJECT
    roleRef:
      name: testing
      namespace: $ROLE_PROJECT
    subjects:
    - kind: ServiceAccount
      name: system:serviceaccount:$SERVICEACCOUNT_PROJECT:testing
    userNames: null

Terminal session after creating the above:
$ oc policy add-role-to-user --role-namespace=$ROLE_PROJECT testing -z testing
The RoleBinding "testing" is invalid.

* metadata.resourceVersion: Invalid value: "": must be specified for an update
* metadata.resourceVersion: Invalid value: "": must be specified for an update
$ oc project $SERVICEACCOUNT_PROJECT
Now using project "$SERVICEACCOUNT_PROJECT" on server "https://example.com:8443".
$ oc policy add-role-to-user --role-namespace=$ROLE_PROJECT testing -z testing
Error from server: policybinding "$ROLE_PROJECT:default" not found
$ oc get policybinding -n $ROLE_PROJECT
NAME                 ROLE BINDINGS                                                          LAST MODIFIED
:default             admin, system:deployers, system:image-builders, system:image-pullers   2016-06-22 01:59:45 -0500 CDT
$ROLE_PROJECT:default   testing

Looks like there's something I don't understand about policies, policy bindings, roles, service accounts, and how they all fit together.

--
Alex Wauck // DevOps Engineer

E X O S I T E 
www.exosite.com 

Making Machines More Human.
