
Re: Error setting up EFK logging: Error from server: User "system:serviceaccount:logging:logging-deployer" cannot list configmaps in project "logging"



Hi Jordan,

thanks for the info, didn’t know that, but it makes sense if you read the command line like a normal sentence. (-:

After digging a bit further I’ve found the mistake we’ve made on our side (of course). )-:

As is sadly quite common, we began with our OpenShift test cluster some time ago already and left it running for the developers to experiment with while we ops got distracted by other tasks. So in the meantime the underlying OS had been patched in the usual cycle, but nobody really thought about the fact that the OpenShift packages are updated as well, and I hadn’t thought about the update cycle when I began to struggle with the EFK Stack yesterday and today.

In short, nobody had taken the necessary steps after an OpenShift upgrade and the default policy simply didn’t know about the existence of configmaps as a valid resource type at all.
I don’t know why I didn’t think about the obvious, so I only found out after manually editing the default cluster policy and adding the configmap resource type by hand, when it began to dawn on me that, lacking this type, this couldn’t be quite right and that it looked like an upgrade problem. (-;

Thank you and Luke Meyer very much for taking your time to help me! 

I hope that when we get the OpenShift trainings in August the user/role/policy/scc relations will all get a bit clearer for me. (-;

Thanks again and kind regards,
Lemmy.


On 12.07.2016 at 16:01, Jordan Liggitt <jliggitt redhat com> wrote:

First, when checking permissions, resources are always plural: `oc policy who-can list configmaps -n logging`

The view role will grant this access (along with access to many other non-escalating resources in the project). You can grant it like this:

   oc policy add-role-to-user view -z logging-deployer -n logging




On Tue, Jul 12, 2016 at 4:50 AM, Michael Leimenmeier <mleimenmeier me com> wrote:
Hi,

I've tried to set up logging with the EFK stack according to the documentation for OpenShift 3.2, but when I try to deploy the logging-deployer pod it fails into Error status with the following error message in the container log:

[...]
+ echo 'Attaching secrets to service accounts'
+ oc secrets add serviceaccount/aggregated-logging-kibana logging-kibana logging-kibana-proxy
+ oc secrets add serviceaccount/aggregated-logging-elasticsearch logging-elasticsearch
+ oc secrets add serviceaccount/aggregated-logging-fluentd logging-fluentd
+ oc secrets add serviceaccount/aggregated-logging-curator logging-curator
Deleting configmaps
+ '[' -n '' ']'
+ generate_configmaps
+ echo 'Deleting configmaps'
+ oc delete configmap -l logging-infra=support
Error from server: User "system:serviceaccount:logging:logging-deployer" cannot list configmaps in project "logging"

[ full output at http://pastebin.com/sUZrNX1b ]

When I take a look at who is allowed to list configmaps, the logging-deployer serviceaccount is not listed:
10:18:16 root osmaster:~> oc policy who-can list configmap -n logging
Namespace: logging
Verb: list
Resource: configmaps

Users: system:serviceaccount:openshift-infra:namespace-controller

Groups: system:cluster-admins
system:masters

But to be honest I don't have a clue how to add a verb/resource pair to a serviceaccount.
I've tried to add the view/edit/admin roles to the serviceaccount but no luck.

Any help would be greatly appreciated!

Thanks and kind regards,
Lemmy.

