Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OLM complains with "Policy rule not satisfied for service account" #724

Closed
leseb opened this issue Feb 25, 2019 · 5 comments
Closed

OLM complains with "Policy rule not satisfied for service account" #724

leseb opened this issue Feb 25, 2019 · 5 comments

Comments

@leseb
Copy link
Contributor

leseb commented Feb 25, 2019

I built OLM with minikube using make run-local, then I injected "manually" the CRDs, serviceaccounts, roles, rolebindings.

OLM complains with Policy rule not satisfied for service account even resources are present.
This is one of the errors, I have 3 serviceaccounts and I see the same message:

  - dependents:
    - group: rbac.authorization.k8s.io
      kind: PolicyRule
      message: cluster rule:{"verbs":["get","list","watch","create","update","delete"],"apiGroups":[""],"resources":["configmaps"]}
      status: NotSatisfied
      version: v1beta1
    group: ""
    kind: ServiceAccount
    message: Policy rule not satisfied for service account
    name: rook-ceph-osd
    status: PresentNotSatisfied
    version: v1

However, the service account is present in the local namespace:

$ kubectl -n local get serviceaccount rook-ceph-osd -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2019-02-25T08:23:41Z
  labels:
    operator: rook
    storage-backend: ceph
  name: rook-ceph-osd
  namespace: local
  resourceVersion: "404764"
  selfLink: /api/v1/namespaces/local/serviceaccounts/rook-ceph-osd
  uid: a85a87c9-38d6-11e9-bed6-f06b275bb031
secrets:
- name: rook-ceph-osd-token-px7zl

As well as the role:

kubectl -n local get role rook-ceph-osd -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: 2019-02-25T08:23:52Z
  name: rook-ceph-osd
  namespace: local
  resourceVersion: "404807"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/local/roles/rook-ceph-osd
  uid: af32366f-38d6-11e9-bed6-f06b275bb031
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete

And the bindings:

kubectl -n local get rolebindings rook-ceph-osd -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: 2019-02-25T08:23:52Z
  name: rook-ceph-osd
  namespace: local
  resourceVersion: "404804"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/local/rolebindings/rook-ceph-osd
  uid: af1b103f-38d6-11e9-bed6-f06b275bb031
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rook-ceph-osd
subjects:
- kind: ServiceAccount
  name: rook-ceph-osd
  namespace: local

Here is my CSV:

apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  creationTimestamp: null
  name: rook.v0.1.0
  namespace: placeholder
spec:
  displayName: rook
  description: |
      Rook: Storage Orchestration for Kubernetes

      Rook runs as a cloud-native service for optimal integration with applications in need of storage, and handles the heavy-lifting behind the scenes such as provisioning and management.      ## Before Your Start
      Rook orchestrates battle-tested open-source storage technologies including Ceph, which has years of production deployments and runs some of the worlds largest clusters.
      Rook is open source software released under the Apache 2.0 license. Rook has an active developer and user community.

  keywords: ['rook', 'ceph', 'storage', 'object storage', 'open source']
  version: 0.1.0
  minKubeVersion: 1.11.0
  maturity: alpha
  maintainers:
  - name: Red Hat, Inc.
    email: customerservice@redhat.com
  provider:
    name: Red Hat, Inc.
  labels:
    alm-owner-etcd: etcdoperator
    operated-by: rookoperator
  selector:
    matchLabels:
      alm-owner-etcd: etcdoperator
      operated-by: rookoperator
  links:
  - name: Blog
    url: https://blog.rook.io
  - name: Documentation
    url: https://rook.github.io/docs/rook/master/
  - name: rook Operator Source Code
    url: https://github.com/rook/rook/tree/master/pkg/operator/ceph

  icon:
  - base64data: #TODO
    mediatype: image/png
  apiservicedefinitions: {}
  customresourcedefinitions:
    owned:
    - kind: CephCluster
      name: cephclusters.ceph.rook.io
      version: v1
      displayName: Ceph Cluster
      description: Represents a Ceph cluster.
    - kind: CephBlockPool
      name: cephblockpools.ceph.rook.io
      version: v1
      displayName: Ceph Block Pool
      description: Represents a Ceph Block Pool.
    - kind: CephFilesystem
      name: cephfilesystems.ceph.rook.io
      version: v1
      displayName: Ceph Filesystem
      description: Represents a Ceph Filesystem.
    - kind: CephNFS
      name: cephnfses.ceph.rook.io
      version: v1
      displayName: Ceph NFS
      description: Represents a Ceph NFS interface.
    - kind: CephObjectStore
      name: cephobjectstores.ceph.rook.io
      version: v1
      displayName: Ceph Object Store
      description: Represents a Ceph Object Store.
    - kind: CephObjectStoreUser
      name: cephobjectstoreusers.ceph.rook.io
      version: v1
      displayName: Ceph Object Store User
      description: Represents a Ceph Object Store User.
    - kind: Volume
      name: volumes.rook.io
      version: v1alpha2
      displayName: Ceph Volume
      description: Represents a Ceph volume.
  installModes:
  - type: OwnNamespace
    supported: true
  - type: SingleNamespace
    supported: true
  - type: MultiNamespace
    supported: false
  - type: AllNamespaces
    supported: true
  install:
    spec:
      deployments:
      - name: rook-ceph-operator
        spec:
          replicas: 1
          selector: null # Not supported?
          strategy: {}
          template:
            metadata:
              creationTimestamp: null
              labels:
                app: rook-ceph-operator
            spec:
              containers:
              - args:
                - ceph
                - operator
                env:
                - name: ROOK_ALLOW_MULTIPLE_FILESYSTEMS
                  value: "false"
                - name: ROOK_LOG_LEVEL
                  value: INFO
                - name: ROOK_MON_HEALTHCHECK_INTERVAL
                  value: 45s
                - name: ROOK_MON_OUT_TIMEOUT
                  value: 300s
                - name: ROOK_DISCOVER_DEVICES_INTERVAL
                  value: 60m
                - name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
                  value: "false"
                - name: ROOK_ENABLE_SELINUX_RELABELING
                  value: "true"
                - name: ROOK_ENABLE_FSGROUP
                  value: "true"
                - name: NODE_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: spec.nodeName
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
                image: rook/ceph:master
                name: rook-ceph-operator
                resources: {}
                volumeMounts:
                - mountPath: /var/lib/rook
                  name: rook-config
                - mountPath: /etc/ceph
                  name: default-config-dir
              serviceAccountName: rook-ceph-system
              volumes:
              - emptyDir: {}
                name: rook-config
              - emptyDir: {}
                name: default-config-dir
      permissions:
      - rules:
        - apiGroups:
          - ""
          resources:
          - configmaps
          verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
        serviceAccountName: rook-ceph-osd
      - rules:
        - apiGroups:
          - ""
          resources:
          - pods
          - services
          - configmaps
          - nodes
          - nodes/proxy
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - batch
          resources:
          - jobs
          verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
        - apiGroups:
          - ceph.rook.io
          resources:
          - '*'
          verbs:
          - '*'
        serviceAccountName: rook-ceph-mgr
      - rules:
        - apiGroups:
          - ""
          resources:
          - pods
          - configmaps
          - events
          - persistentvolumes
          - persistentvolumeclaims
          - endpoints
          - secrets
          - pods/log
          - services
          verbs:
          - get
          - list
          - watch
          - patch
          - create
          - update
          - delete
        - apiGroups:
          - apps
          resources:
          - daemonsets
          - replicasets
          - deployments
          verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
        - apiGroups:
          - ""
          resources:
          - nodes
          - nodes/proxy
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - storage.k8s.io
          resources:
          - storageclasses
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - batch
          resources:
          - jobs
          verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
        - apiGroups:
          - ceph.rook.io
          resources:
          - '*'
          verbs:
          - '*'
        - apiGroups:
          - rook.io
          resources:
          - '*'
          verbs:
          - '*'
        serviceAccountName: rook-ceph-system
    strategy: deployment

Am I missing something obvious?
Thanks in advance for your help.
@ecordell
Copy link
Member

What namespace is the CSV in?

Could you try putting SA/Role/RoleBinding/CSV in local-operators instead of local?

@leseb
Copy link
Contributor Author

leseb commented Feb 27, 2019

Ok let me try that.

@leseb
Copy link
Contributor Author

leseb commented Feb 27, 2019

Same issue if I put everything in the local-operators namespace.

@ecordell
Copy link
Member

Sorry for the radio silence @leseb -

  1. I installed OLM locally (with make run-local) and used the CSV above.
  2. In the status, I saw all of the expected messages about missing requirements
  3. I created the serviceaccount, role, and rolebinding that you have here for rook-ceph-osd

Then I looked at the status again and saw the requirement for that serviceaccount, which was previously unsatisfied, correctly flip to Satisfied and Present:

  - dependents:
    - group: rbac.authorization.k8s.io
      kind: PolicyRule
      message: namespaced rule:{"verbs":["get","list","watch","create","update","delete"],"apiGroups":[""],"resources":["configmaps"]}
      status: Satisfied
      version: v1beta1
    group: ""
    kind: ServiceAccount
    message: ""
    name: rook-ceph-osd
    status: Present
    version: v1

There were many additional requirements not met, but those should be able to be satisfied similarly.

@leseb
Copy link
Contributor Author

leseb commented Mar 12, 2019

Ok so I've been able to unlock this. The issue was that I had set clusterPermission instead permissions due a CSV for OCP. Moving on now...

@leseb leseb closed this as completed Mar 14, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ecordell @leseb