
Question: Is it possible to create objects in openshift namespace? #312

Open
ghost opened this issue Jun 30, 2018 · 4 comments

Comments

@ghost

ghost commented Jun 30, 2018

Quite a simple question: in my APB I need to create imageStreams and buildConfigs in the openshift namespace. I failed to find any docs on how to grant the APB service account admin privileges.

Currently I see this:

fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to create object: imagestreams is forbidden: User \"system:serviceaccount:localregistry-test-prov-h8tmm:bundle-7b3a3764-f7e3-4b00-86f4-1b1bb9bcf4e2\" cannot create imagestreams in the namespace \"openshift\": User \"system:serviceaccount:localregistry-test-prov-h8tmm:bundle-7b3a3764-f7e3-4b00-86f4-1b1bb9bcf4e2\" cannot create imagestreams in project \"openshift\""}

Is there any way to grant system:serviceaccount:localregistry-test-prov-h8tmm:bundle-xxx cluster-admin role?

@djzager
Contributor

djzager commented Jul 2, 2018

I think the primary hurdle that you will face is that the APB service account is using a RoleBinding. This means that, even if you were to grant the APB service account cluster-admin privileges (and this would involve modifying the cluster role the broker uses as well as the sandbox role), the APB would still only have these permissions over the "target" namespace.

My understanding is that the work on namespaced brokers in the service-catalog is meant to, in the future, support APBs of this kind. However, I am not aware of support from the broker to use ClusterRoleBindings (which you would need to create objects in a namespace other than the "target" namespace).

As a workaround, your APB could accept credentials as parameters. Then, in your APB you could simply authenticate with the cluster using those credentials and proceed with administrator permissions.
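To make the scoping point above concrete, here is a small added model of how a Kubernetes/OpenShift RBAC binding is evaluated. It is illustration code written for this thread, not code from the ansible-service-broker project or from the commenter; the service account, sandbox and target namespace names are constructed placeholders. It shows that cluster-admin granted through a RoleBinding answers "yes" only inside the binding's own namespace, while the same role through a ClusterRoleBinding answers "yes" in "openshift" as well.

```python
"""Toy model of Kubernetes/OpenShift RBAC binding scope.

Added illustration, not code from the ansible-service-broker project. A
ClusterRole such as cluster-admin granted through a RoleBinding only applies
inside the binding's namespace; only a ClusterRoleBinding applies in every
namespace, including "openshift". Names below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    verbs: List[str]       # e.g. ["create", "get"] or ["*"]
    resources: List[str]   # e.g. ["imagestreams"] or ["*"]


@dataclass
class Role:
    name: str
    rules: List[Rule]


@dataclass
class Binding:
    role: Role
    subjects: List[str]
    # A RoleBinding carries the namespace it was created in; a
    # ClusterRoleBinding has no namespace (None) and applies everywhere.
    namespace: Optional[str] = None


def rule_allows(rule: Rule, verb: str, resource: str) -> bool:
    """A rule matches when both verb and resource match (or are wildcards)."""
    verb_ok = "*" in rule.verbs or verb in rule.verbs
    res_ok = "*" in rule.resources or resource in rule.resources
    return verb_ok and res_ok


def can_i(bindings: List[Binding], subject: str, verb: str,
          resource: str, namespace: str) -> bool:
    """Rough equivalent of `oc auth can-i` over the given bindings.

    RBAC is allow-only: the first binding that grants the request wins and
    nothing can deny. A RoleBinding is skipped unless the request targets the
    namespace the binding lives in.
    """
    for binding in bindings:
        if subject not in binding.subjects:
            continue
        if binding.namespace is not None and binding.namespace != namespace:
            continue  # namespaced binding, wrong namespace
        if any(rule_allows(r, verb, resource) for r in binding.role.rules):
            return True
    return False


# Constructed names: the sandbox namespace the broker creates for the APB run,
# the service account the APB runs as, and the project being provisioned into.
SANDBOX_NS = "localregistry-test-prov-example"
APB_SA = f"system:serviceaccount:{SANDBOX_NS}:bundle-EXAMPLE"
TARGET_NS = "myproject"

CLUSTER_ADMIN = Role("cluster-admin", [Rule(["*"], ["*"])])


def broker_style_bindings() -> List[Binding]:
    """cluster-admin granted via a RoleBinding in the target namespace only."""
    return [Binding(CLUSTER_ADMIN, [APB_SA], namespace=TARGET_NS)]


def cluster_wide_bindings() -> List[Binding]:
    """The same role additionally granted via a ClusterRoleBinding."""
    return broker_style_bindings() + [Binding(CLUSTER_ADMIN, [APB_SA])]


if __name__ == "__main__":
    cases = (("RoleBinding only", broker_style_bindings()),
             ("plus ClusterRoleBinding", cluster_wide_bindings()))
    for label, bindings in cases:
        for ns in (TARGET_NS, "openshift"):
            ok = can_i(bindings, APB_SA, "create", "imagestreams", ns)
            print(f"{label}: create imagestreams in {ns!r} -> {'yes' if ok else 'no'}")
```

Running it prints "yes" for the target namespace in both configurations but "yes" for "openshift" only once a ClusterRoleBinding exists, which is exactly why a cluster-wide role granted to the bundle service account through the broker's namespaced binding does not help with objects in "openshift".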

@ruromero

ruromero commented Jul 3, 2018

An example:
In the apb.yml file

- name: user_token
  title: User token
  description: User token to perform privileged actions
  required: true
  type: string

Then in your playbooks/roles

- name: use token
  openshift_raw:
    api_version: v1
    api_key: "{{ user_token }}"
    state: present
    kind: namespace
    name: testproject

- name: Create image stream
  openshift_raw:
    state: present
    api_key: "{{ user_token }}"
    definition:
      apiVersion: v1
      kind: ImageStream
      metadata:            # namespace and name belong under metadata
        namespace: openshift
        name: "my-image-stream"
      spec:
        tags:
          - name: "latest"

And then you can try out with this from the command line (if you need to):

ansible-playbook -vvv test.yaml -e user_token=`oc whoami -t`

@ghost
Author

ghost commented Jul 3, 2018

@ruromero thanks. That might be a workaround in my case.

@ghost
Author

ghost commented Jul 3, 2018

@djzager @ruromero

I never got the following task to work:

- name: Create image stream
  openshift_raw:
    state: present
    force: yes
    api_key: bCCdyBrug7xWdi6Mdzc4UMQMtDoOjEyd7CjmXwITfJ1
    definition:
      apiVersion: v1
      kind: ImageStream
      metadata:
        namespace: "openshift"
        name: "rhel-base-jdk8"
      spec:
        tags:
          - name: "latest"

When providing a token I get:

fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to create object: imagestreams is forbidden: User \"system:serviceaccount:localregistry-xxx-prov-ps4g2:bundle-8e964018-8d93-4fb6-8c43-72a6c98d322e\" cannot create imagestreams in the namespace \"openshift\": User \"system:serviceaccount:localregistry-xxx-prov-ps4g2:bundle-8e964018-8d93-4fb6-8c43-72a6c98d322e\" cannot create imagestreams in project \"openshift\""}

Same results when using a username and password.
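One thing worth checking in a failure like the one above is which identity the API server actually attributed the request to: the 403 text names the caller, so if a task was given api_key or a username but the message still names the bundle service account, the supplied credentials never reached the API server. The parser below is an added example written for this thread, not code from the commenters or the project; the sample fatal line is constructed to match the shape of the 403 quoted here, with placeholder service account and namespace names.

```python
"""Parse an Ansible `fatal:` result from an openshift_raw task and report the
identity named in the 403.

Added example, not part of the issue thread. SAMPLE_FATAL is constructed to
match the shape of the failure quoted above; names in it are placeholders.
"""
import json
import re
from typing import Dict, Optional

# OpenShift forbidden text:
#   User "<who>" cannot <verb> <resource> in the namespace "<ns>"
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) (?P<resource>\S+) '
    r'in the namespace "(?P<namespace>[^"]+)"'
)

# Constructed sample line (placeholder names), shaped like the quoted failure.
SAMPLE_FATAL = (
    'fatal: [localhost]: FAILED! => {"changed": false, "error": 403, '
    '"msg": "Failed to create object: imagestreams is forbidden: '
    'User \\"system:serviceaccount:localregistry-example-prov-abcde:bundle-EXAMPLE\\" '
    'cannot create imagestreams in the namespace \\"openshift\\": '
    'User \\"system:serviceaccount:localregistry-example-prov-abcde:bundle-EXAMPLE\\" '
    'cannot create imagestreams in project \\"openshift\\""}'
)


def parse_fatal(line: str) -> Optional[Dict[str, object]]:
    """Return the failure's fields, or None if the line is not a fatal result."""
    if not line.startswith("fatal:") or " => " not in line:
        return None
    _, _, payload = line.partition(" => ")
    try:
        result = json.loads(payload)
    except json.JSONDecodeError:
        return None
    info: Dict[str, object] = {
        "error": result.get("error"),
        "msg": result.get("msg", ""),
        "user": None, "verb": None, "resource": None, "namespace": None,
    }
    match = FORBIDDEN_RE.search(str(info["msg"]))
    if match:
        info.update(match.groupdict())
    return info


def is_bundle_service_account(user: Optional[str]) -> bool:
    """True if the identity is a broker sandbox service account (bundle-...),
    i.e. the APB's own identity rather than the credentials passed in."""
    return bool(user) and user.startswith("system:serviceaccount:") and ":bundle-" in user


def credentials_took_effect(line: str, expected_user: str) -> Optional[bool]:
    """True if the 403 names expected_user, False if it names someone else,
    None if the line carries no identity to compare."""
    info = parse_fatal(line)
    if not info or not info["user"]:
        return None
    return info["user"] == expected_user


if __name__ == "__main__":
    info = parse_fatal(SAMPLE_FATAL)
    print(f"error={info['error']} user={info['user']}")
    print(f"verb={info['verb']} resource={info['resource']} namespace={info['namespace']}")
    if is_bundle_service_account(info["user"]):
        print("request ran as the bundle service account: supplied credentials were not used")
```

Feeding the playbook's `-vvv` output through this makes the distinction visible: a 403 that names the admin user means the token was used and that user lacks the permission, whereas a 403 that still names `system:serviceaccount:...:bundle-...` means the task ran with the sandbox identity regardless of the api_key given.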
