Syndesis: Provisioning error on openshift online

Created on 12 Apr 2019 · 9 Comments · Source: syndesisio/syndesis

When we try to use the template based install (read: no operators) on openshift online, it fails.

The installation command:

    Running system command: oc new-app --template=fuse-ignite/fuse-ignite-1.6 -p ROUTE_HOSTNAME=<URL> -p OPENSHIFT_MASTER=https://api.online-stg.openshift.com -p OPENSHIFT_CONSOLE_URL=https://console.online-stg.openshift.com/console -p OPENSHIFT_PROJECT=fuseproj11926 -p OPENSHIFT_OAUTH_CLIENT_SECRET=$(oc sa get-token syndesis-oauth-client -n fuseproj11926) -p MAX_INTEGRATIONS_PER_USER=5 -p SAR_PROJECT=fuseproj11926 -n fuseproj11926

The error:

    error: roles.rbac.authorization.k8s.io "camel-k" is forbidden: attempt to grant extra privileges: [{[get] [camel.apache.org] [*] [] []} {[list] [camel.apache.org] [*] [] []} {[create] [camel.apache.org] [*] [] []} {[update] [camel.apache.org] [*] [] []} {[delete] [camel.apache.org] [*] [] []} {[deletecollection] [camel.apache.org] [*] [] []} {[watch] [camel.apache.org] [*] [] []}] user=&{system:serviceaccount:openshift-infra:online-registration d9c18dbd-8dd1-11e7-ac2a-022d8035b649 [system:serviceaccounts system:serviceaccounts:openshift-infra system:authenticated] map[]} ownerrules=[{[create delete deletecollection get list patch update watch] [] [pods pods/attach pods/exec pods/portforward pods/proxy] [] []} {[create delete deletecollection get list patch update watch] [] [configmaps endpoints persistentvolumeclaims replicationcontrollers replicationcontrollers/scale secrets serviceaccounts services services/proxy] [] []} {[get list watch] [] [bindings events limitranges namespaces/status pods/log pods/status replicationcontrollers/status resourcequotas resourcequotas/status] [] []} {[get list watch] [] [namespaces] [] []} {[impersonate] [] [serviceaccounts] [] []} {[create delete deletecollection get list patch update watch] [apps] [deployments deployments/rollback deployments/scale replicasets replicasets/scale statefulsets] [] []} {[get list watch] [apps] [daemonsets] [] []} {[create delete deletecollection get list patch update watch] [autoscaling] [horizontalpodautoscalers] [] []} {[create delete deletecollection get list patch update watch] [batch] [cronjobs jobs] [] []} {[create delete deletecollection get list patch update watch] [extensions] [deployments deployments/rollback deployments/scale ingresses replicasets replicasets/scale replicationcontrollers/scale] [] []} {[get list watch] [extensions] [daemonsets] [] []} {[create delete deletecollection get list patch update watch] [policy] [poddisruptionbudgets] [] []} {[create] [authorization.k8s.io] 
[localsubjectaccessreviews] [] []} {[create delete deletecollection get list patch update watch] [rbac.authorization.k8s.io] [rolebindings roles] [] []} {[create] [apps] [daemonsets] [] []} {[delete] [apps] [daemonsets] [] []} {[deletecollection] [apps] [daemonsets] [] []} {[patch] [apps] [daemonsets] [] []} {[update] [apps] [daemonsets] [] []} {[create] [extensions] [daemonsets] [] []} {[delete] [extensions] [daemonsets] [] []} {[deletecollection] [extensions] [daemonsets] [] []} {[patch] [extensions] [daemonsets] [] []} {[update] [extensions] [daemonsets] [] []} {[create] [apps] [statefulsets/scale] [] []} {[delete] [apps] [statefulsets/scale] [] []} {[deletecollection] [apps] [statefulsets/scale] [] []} {[get] [apps] [statefulsets/scale] [] []} {[list] [apps] [statefulsets/scale] [] []} {[patch] [apps] [statefulsets/scale] [] []} {[update] [apps] [statefulsets/scale] [] []} {[watch] [apps] [statefulsets/scale] [] []} {[create] [extensions] [networkpolicies] [] []} {[delete] [extensions] [networkpolicies] [] []} {[deletecollection] [extensions] [networkpolicies] [] []} {[get] [extensions] [networkpolicies] [] []} {[list] [extensions] [networkpolicies] [] []} {[patch] [extensions] [networkpolicies] [] []} {[update] [extensions] [networkpolicies] [] []} {[watch] [extensions] [networkpolicies] [] []} {[create] [networking.k8s.io] [networkpolicies] [] []} {[delete] [networking.k8s.io] [networkpolicies] [] []} {[deletecollection] [networking.k8s.io] [networkpolicies] [] []} {[get] [networking.k8s.io] [networkpolicies] [] []} {[list] [networking.k8s.io] [networkpolicies] [] []} {[patch] [networking.k8s.io] [networkpolicies] [] []} {[update] [networking.k8s.io] [networkpolicies] [] []} {[watch] [networking.k8s.io] [networkpolicies] [] []} {[get list watch] [] [bindings events limitranges namespaces namespaces/status pods/log pods/status replicationcontrollers/status resourcequotas resourcequotas/status] [] []} {[create delete deletecollection get list patch update 
watch] [batch] [cronjobs jobs scheduledjobs] [] []} {[create delete deletecollection get list patch update watch] [extensions] [deployments deployments/rollback deployments/scale horizontalpodautoscalers jobs networkpolicies replicasets replicasets/scale replicationcontrollers/scale] [] []} {[create delete deletecollection get list patch update watch] [apps] [deployments deployments/scale deployments/status statefulsets] [] []} {[create delete deletecollection get list patch update watch] [authorization.openshift.io ] [rolebindings roles] [] []} {[create] [authorization.openshift.io ] [localresourceaccessreviews localsubjectaccessreviews subjectrulesreviews] [] []} {[create] [security.openshift.io ] [podsecuritypolicyreviews podsecuritypolicyselfsubjectreviews podsecuritypolicysubjectreviews] [] []} {[get list watch] [authorization.openshift.io ] [policies policybindings rolebindingrestrictions] [] []} {[create delete deletecollection get list patch update watch] [build.openshift.io ] [buildconfigs buildconfigs/webhooks builds] [] []} {[get list watch] [build.openshift.io ] [builds/log] [] []} {[create] [build.openshift.io ] [buildconfigs/instantiate buildconfigs/instantiatebinary builds/clone] [] []} {[update] [build.openshift.io ] [builds/details] [] []} {[admin edit view] [build.openshift.io] [jenkins] [] []} {[create delete deletecollection get list patch update watch] [apps.openshift.io ] [deploymentconfigs deploymentconfigs/scale generatedeploymentconfigs] [] []} {[create] [apps.openshift.io ] [deploymentconfigrollbacks deploymentconfigs/instantiate deploymentconfigs/rollback] [] []} {[get list watch] [apps.openshift.io ] [deploymentconfigs/log deploymentconfigs/status] [] []} {[create delete deletecollection get list patch update watch] [image.openshift.io ] [imagestreamimages imagestreammappings imagestreams imagestreams/secrets imagestreamtags] [] []} {[get list watch] [image.openshift.io ] [imagestreams/status] [] []} {[get update] [image.openshift.io ] 
[imagestreams/layers] [] []} {[create] [image.openshift.io ] [imagestreamimports] [] []} {[delete get patch update] [project.openshift.io ] [projects] [] []} {[get list watch] [quota.openshift.io ] [appliedclusterresourcequotas] [] []} {[create delete deletecollection get list patch update watch] [route.openshift.io ] [routes] [] []} {[create] [route.openshift.io ] [routes/custom-host] [] []} {[get list watch] [route.openshift.io ] [routes/status] [] []} {[update] [route.openshift.io ] [routes/status] [] []} {[create delete deletecollection get list patch update watch] [template.openshift.io ] [processedtemplates templateconfigs templateinstances templates] [] []} {[create delete deletecollection get list patch update watch] [build.openshift.io ] [buildlogs] [] []} {[get list watch] [] [resourcequotausages] [] []} {[create] [authorization.openshift.io ] [resourceaccessreviews subjectaccessreviews] [] []} {[create] [rbac.authorization.k8s.io] [rolebindings] [] []} {[delete] [rbac.authorization.k8s.io] [rolebindings] [] []} {[deletecollection] [rbac.authorization.k8s.io] [rolebindings] [] []} {[get] [rbac.authorization.k8s.io] [rolebindings] [] []} {[list] [rbac.authorization.k8s.io] [rolebindings] [] []} {[patch] [rbac.authorization.k8s.io] [rolebindings] [] []} {[update] [rbac.authorization.k8s.io] [rolebindings] [] []} {[watch] [rbac.authorization.k8s.io] [rolebindings] [] []} {[create] [rbac.authorization.k8s.io] [roles] [] []} {[delete] [rbac.authorization.k8s.io] [roles] [] []} {[deletecollection] [rbac.authorization.k8s.io] [roles] [] []} {[get] [rbac.authorization.k8s.io] [roles] [] []} {[list] [rbac.authorization.k8s.io] [roles] [] []} {[patch] [rbac.authorization.k8s.io] [roles] [] []} {[update] [rbac.authorization.k8s.io] [roles] [] []} {[watch] [rbac.authorization.k8s.io] [roles] [] []} {[create] [apps] [deployments/rollback] [] []} {[delete] [apps] [deployments/rollback] [] []} {[deletecollection] [apps] [deployments/rollback] [] []} {[get] [apps] 
[deployments/rollback] [] []} {[list] [apps] [deployments/rollback] [] []} {[patch] [apps] [deployments/rollback] [] []} {[update] [apps] [deployments/rollback] [] []} {[watch] [apps] [deployments/rollback] [] []} {[create] [apps] [replicasets] [] []} {[delete] [apps] [replicasets] [] []} {[deletecollection] [apps] [replicasets] [] []} {[get] [apps] [replicasets] [] []} {[list] [apps] [replicasets] [] []} {[patch] [apps] [replicasets] [] []} {[update] [apps] [replicasets] [] []} {[watch] [apps] [replicasets] [] []} {[create] [apps] [replicasets/scale] [] []} {[delete] [apps] [replicasets/scale] [] []} {[deletecollection] [apps] [replicasets/scale] [] []} {[get] [apps] [replicasets/scale] [] []} {[list] [apps] [replicasets/scale] [] []} {[patch] [apps] [replicasets/scale] [] []} {[update] [apps] [replicasets/scale] [] []} {[watch] [apps] [replicasets/scale] [] []} {[create] [apps] [replicationcontrollers/scale] [] []} {[delete] [apps] [replicationcontrollers/scale] [] []} {[deletecollection] [apps] [replicationcontrollers/scale] [] []} {[get] [apps] [replicationcontrollers/scale] [] []} {[list] [apps] [replicationcontrollers/scale] [] []} {[patch] [apps] [replicationcontrollers/scale] [] []} {[update] [apps] [replicationcontrollers/scale] [] []} {[watch] [apps] [replicationcontrollers/scale] [] []} {[get] [apps] [daemonsets] [] []} {[list] [apps] [daemonsets] [] []} {[watch] [apps] [daemonsets] [] []} {[get] [user.openshift.io ] [users] [~] []} {[list] [project.openshift.io ] [projectrequests] [] []} {[get list] [authorization.openshift.io ] [clusterroles] [] []} {[get list] [storage.k8s.io] [storageclasses] [] []} {[list watch] [project.openshift.io ] [projects] [] []} {[create] [authorization.openshift.io ] [selfsubjectrulesreviews] [] []} {[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} {[get] [rbac.authorization.k8s.io] [clusterroles] [] []} {[list] [rbac.authorization.k8s.io] [clusterroles] [] []} {[watch] [rbac.authorization.k8s.io] 
[clusterroles] [] []} {[get list watch] [] [bindings componentstatuses configmaps endpoints events limitranges namespaces namespaces/status nodes nodes/status persistentvolumeclaims persistentvolumeclaims/status persistentvolumes persistentvolumes/status pods pods/binding pods/eviction pods/log pods/status podtemplates replicationcontrollers replicationcontrollers/scale replicationcontrollers/status resourcequotas resourcequotas/status securitycontextconstraints serviceaccounts services services/status] [] []} {[get list watch] [apps] [deployments deployments/scale deployments/status statefulsets statefulsets/status] [] []} {[get list watch] [autoscaling] [horizontalpodautoscalers horizontalpodautoscalers/status] [] []} {[get list watch] [batch] [cronjobs cronjobs/status jobs jobs/status scheduledjobs scheduledjobs/status] [] []} {[get list watch] [extensions] [daemonsets daemonsets/status deployments deployments/scale deployments/status horizontalpodautoscalers horizontalpodautoscalers/status ingresses ingresses/status jobs jobs/status networkpolicies podsecuritypolicies replicasets replicasets/scale replicasets/status replicationcontrollers replicationcontrollers/scale storageclasses thirdpartyresources] [] []} {[get list watch] [policy] [poddisruptionbudgets poddisruptionbudgets/status] [] []} {[get list watch] [rbac.authorization.k8s.io] [clusterrolebindings clusterroles rolebindings roles] [] []} {[get list watch] [settings.k8s.io] [podpresets] [] []} {[get list watch] [storage.k8s.io] [storageclasses] [] []} {[get list watch] [certificates.k8s.io] [certificatesigningrequests certificatesigningrequests/approval certificatesigningrequests/status] [] []} {[get list watch] [authorization.openshift.io ] [clusterpolicies clusterpolicybindings clusterrolebindings clusterroles policies policybindings rolebindingrestrictions rolebindings roles] [] []} {[get list watch] [build.openshift.io ] [buildconfigs buildconfigs/webhooks builds builds/details builds/log] [] []} 
{[get list watch] [apps.openshift.io ] [deploymentconfigs deploymentconfigs/log deploymentconfigs/scale deploymentconfigs/status] [] []} {[get list watch] [image.openshift.io ] [images imagesignatures imagestreamimages imagestreams imagestreams/status imagestreamtags] [] []} {[get] [image.openshift.io ] [imagestreams/layers] [] []} {[get list watch] [oauth.openshift.io ] [oauthclientauthorizations] [] []} {[get list watch] [project.openshift.io ] [projectrequests projects] [] []} {[get list watch] [quota.openshift.io ] [appliedclusterresourcequotas clusterresourcequotas clusterresourcequotas/status] [] []} {[get list watch] [route.openshift.io ] [routes routes/status] [] []} {[get list watch] [network.openshift.io ] [clusternetworks egressnetworkpolicies hostsubnets netnamespaces] [] []} {[get list watch] [security.openshift.io ] [securitycontextconstraints] [] []} {[get list watch] [template.openshift.io ] [processedtemplates templateconfigs templateinstances templates] [] []} {[get list watch] [user.openshift.io ] [groups identities useridentitymappings users] [] []} {[create] [authorization.openshift.io ] [localresourceaccessreviews localsubjectaccessreviews resourceaccessreviews selfsubjectrulesreviews subjectaccessreviews subjectrulesreviews] [] []} {[create] [authorization.k8s.io] [localsubjectaccessreviews selfsubjectaccessreviews subjectaccessreviews] [] []} {[create] [authentication.k8s.io] [tokenreviews] [] []} {[create] [security.openshift.io ] [podsecuritypolicyreviews podsecuritypolicyselfsubjectreviews podsecuritypolicysubjectreviews] [] []} {[get] [] [nodes/metrics nodes/spec] [] []} {[create get] [] [nodes/stats] [] []} {[get] [] [] [] [*]} {[get list watch] [build.openshift.io ] [buildlogs] [] []} {[get list watch] [] [resourcequotausages] [] []} {[get] [apps] [controllerrevisions] [] []} {[list] [apps] [controllerrevisions] [] []} {[watch] [apps] [controllerrevisions] [] []} {[get] [apiextensions.k8s.io] [customresourcedefinitions] [] []} {[list] 
[apiextensions.k8s.io] [customresourcedefinitions] [] []} {[watch] [apiextensions.k8s.io] [customresourcedefinitions] [] []} {[get] [apiextensions.k8s.io] [customresourcedefinitions/status] [] []} {[list] [apiextensions.k8s.io] [customresourcedefinitions/status] [] []} {[watch] [apiextensions.k8s.io] [customresourcedefinitions/status] [] []} {[get] [apiregistration.k8s.io] [apiservices] [] []} {[list] [apiregistration.k8s.io] [apiservices] [] []} {[watch] [apiregistration.k8s.io] [apiservices] [] []} {[get] [apiregistration.k8s.io] [apiservices/status] [] []} {[list] [apiregistration.k8s.io] [apiservices/status] [] []} {[watch] [apiregistration.k8s.io] [apiservices/status] [] []} {[get] [networking.k8s.io] [networkpolicies] [] []} {[list] [networking.k8s.io] [networkpolicies] [] []} {[watch] [networking.k8s.io] [networkpolicies] [] []} {[get] [] [brokertemplateinstances] [] []} {[list] [] [brokertemplateinstances] [] []} {[watch] [] [brokertemplateinstances] [] []} {[get] [] [templateinstances/status] [] []} {[list] [] [templateinstances/status] [] []} {[watch] [] [templateinstances/status] [] []} {[get] [template.openshift.io] [brokertemplateinstances] [] []} {[list] [template.openshift.io] [brokertemplateinstances] [] []} {[watch] [template.openshift.io] [brokertemplateinstances] [] []} {[get] [template.openshift.io] [templateinstances/status] [] []} {[list] [template.openshift.io] [templateinstances/status] [] []} {[watch] [template.openshift.io] [templateinstances/status] [] []} {[get] [apps] [daemonsets] [] []} {[list] [apps] [daemonsets] [] []} {[watch] [apps] [daemonsets] [] []} {[get] [apps] [daemonsets/status] [] []} {[list] [apps] [daemonsets/status] [] []} {[watch] [apps] [daemonsets/status] [] []} {[get] [apps] [replicasets] [] []} {[list] [apps] [replicasets] [] []} {[watch] [apps] [replicasets] [] []} {[get] [apps] [replicasets/scale] [] []} {[list] [apps] [replicasets/scale] [] []} {[watch] [apps] [replicasets/scale] [] []} {[get] [apps] 
[replicasets/status] [] []} {[list] [apps] [replicasets/status] [] []} {[watch] [apps] [replicasets/status] [] []} {[get] [apps] [statefulsets/scale] [] []} {[list] [apps] [statefulsets/scale] [] []} {[watch] [apps] [statefulsets/scale] [] []} {[create] [authorization.k8s.io] [selfsubjectrulesreviews] [] []} {[get] [admissionregistration.k8s.io] [mutatingwebhookconfigurations] [] []} {[list] [admissionregistration.k8s.io] [mutatingwebhookconfigurations] [] []} {[watch] [admissionregistration.k8s.io] [mutatingwebhookconfigurations] [] []} {[get] [admissionregistration.k8s.io] [validatingwebhookconfigurations] [] []} {[list] [admissionregistration.k8s.io] [validatingwebhookconfigurations] [] []} {[watch] [admissionregistration.k8s.io] [validatingwebhookconfigurations] [] []} {[get] [events.k8s.io] [events] [] []} {[list] [events.k8s.io] [events] [] []} {[watch] [events.k8s.io] [events] [] []} {[get] [policy] [podsecuritypolicies] [] []} {[list] [policy] [podsecuritypolicies] [] []} {[watch] [policy] [podsecuritypolicies] [] []} {[get] [storage.k8s.io] [volumeattachments] [] []} {[list] [storage.k8s.io] [volumeattachments] [] []} {[watch] [storage.k8s.io] [volumeattachments] [] []} {[get] [security.openshift.io] [rangeallocations] [] []} {[list] [security.openshift.io] [rangeallocations] [] []} {[watch] [security.openshift.io] [rangeallocations] [] []} {[get] [scheduling.k8s.io] [priorityclasses] [] []} {[list] [scheduling.k8s.io] [priorityclasses] [] []} {[watch] [scheduling.k8s.io] [priorityclasses] [] []} {[get list watch] [] [configmaps endpoints persistentvolumeclaims pods replicationcontrollers replicationcontrollers/scale serviceaccounts services] [] []} {[get list watch] [] [bindings events limitranges namespaces/status pods/log pods/status replicationcontrollers/status resourcequotas resourcequotas/status] [] []} {[get list watch] [] [namespaces] [] []} {[get list watch] [apps] [daemonsets deployments deployments/scale replicasets replicasets/scale 
statefulsets] [] []} {[get list watch] [autoscaling] [horizontalpodautoscalers] [] []} {[get list watch] [batch] [cronjobs jobs] [] []} {[get list watch] [extensions] [daemonsets deployments deployments/scale ingresses replicasets replicasets/scale replicationcontrollers/scale] [] []} {[get list watch] [policy] [poddisruptionbudgets] [] []} {[get] [extensions] [networkpolicies] [] []} {[list] [extensions] [networkpolicies] [] []} {[watch] [extensions] [networkpolicies] [] []} {[get list watch] [] [configmaps endpoints persistentvolumeclaims pods replicationcontrollers serviceaccounts services] [] []} {[get list watch] [] [bindings events limitranges namespaces namespaces/status pods/log pods/status replicationcontrollers/status resourcequotas resourcequotas/status] [] []} {[get list watch] [batch] [cronjobs jobs scheduledjobs] [] []} {[get list watch] [extensions] [deployments deployments/scale horizontalpodautoscalers jobs replicasets replicasets/scale] [] []} {[get list watch] [extensions] [daemonsets] [] []} {[get list watch] [apps] [deployments deployments/scale statefulsets] [] []} {[get list watch] [build.openshift.io ] [buildconfigs buildconfigs/webhooks builds] [] []} {[get list watch] [build.openshift.io ] [builds/log] [] []} {[view] [build.openshift.io] [jenkins] [] []} {[get list watch] [apps.openshift.io ] [deploymentconfigs deploymentconfigs/scale] [] []} {[get list watch] [apps.openshift.io ] [deploymentconfigs/log deploymentconfigs/status] [] []} {[get list watch] [image.openshift.io ] [imagestreamimages imagestreammappings imagestreams imagestreamtags] [] []} {[get list watch] [image.openshift.io ] [imagestreams/status] [] []} {[get] [project.openshift.io ] [projects] [] []} {[get list watch] [quota.openshift.io ] [appliedclusterresourcequotas] [] []} {[get list watch] [route.openshift.io ] [routes] [] []} {[get list watch] [route.openshift.io ] [routes/status] [] []} {[get] [] [] [] [/healthz /healthz/*]} {[get] [] [] [] [/.well-known 
/.well-known/* /api /api/* /apis /apis/* /oapi /oapi/* /osapi /osapi/ /swagger.json /swaggerapi /swaggerapi/* /version /version/*]} {[get] [] [] [] [/]} {[get] [] [] [] [/swagger-2.0.0.pb-v1]} {[get] [] [] [] [/openapi/v2]} {[create delete get list update watch] [ user.openshift.io] [identities useridentitymappings users] [] []} {[create delete get list update watch] [ quota.openshift.io] [clusterresourcequotas] [] []} {[delete get list patch watch] [] [namespaces] [] []} {[delete deletecollection get list watch] [ oauth.openshift.io] [oauthaccesstokens oauthclientauthorizations] [] []} {[impersonate] [ user.openshift.io] [groups users] [] []} {[create delete get list patch update watch] [] [resourcequotas] [] []} {[create] [ project.openshift.io] [projectrequests] [] []} {[patch update] [ authorization.openshift.io] [rolebindingrestrictions] [] []} {[create] [authorization.openshift.io ] [selfsubjectrulesreviews] [] []} {[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} {[create] [project.openshift.io ] [projectrequests] [] []} {[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} {[create] [authorization.k8s.io] [selfsubjectrulesreviews] [] []} {[create] [build.openshift.io ] [builds/jenkinspipeline] [] []} {[create] [build.openshift.io ] [builds/source] [] []} {[get] [] [] [] [/.well-known /.well-known/* /api /api/* /apis /apis/* /oapi /oapi/* /osapi /osapi/ /swagger.json /swaggerapi /swaggerapi/* /version /version/*]} {[get] [] [] [] [/]} {[get] [] [] [] [/swagger-2.0.0.pb-v1]} {[get] [] [] [] [/openapi/v2]} {[get] [] [] [] [/healthz]} {[get] [] [] [] [/openapi]} {[get] [] [] [] [/openapi/*]} {[get] [] [] [] [/.well-known /.well-known/* /api /api/* /apis /apis/* /oapi /oapi/* /osapi /osapi/ /swagger.json /swaggerapi /swaggerapi/* /version /version/*]} {[get] [] [] [] [/]} {[get] [] [] [] [/swagger-2.0.0.pb-v1]} {[get] [] [] [] [/openapi/v2]} {[get] [] [] [] [/healthz]} {[get] [] [] [] [/openapi]} {[get] [] [] [] [/openapi/*]} 
{[delete] [oauth.openshift.io ] [oauthaccesstokens oauthauthorizetokens] [] []} {[get] [] [] [] [/version /version/* /api /api/* /apis /apis/* /oapi /oapi/* /openapi/v2 /swaggerapi /swaggerapi/* /swagger.json /swagger-2.0.0.pb-v1 /osapi /osapi/ /.well-known /.well-known/* /]} {[impersonate] [authentication.k8s.io] [userextras/scopes.authorization.openshift.io] [] []} {[create get] [build.openshift.io ] [buildconfigs/webhooks] [] []}] ruleResolutionErrors=[]
    **error: roles.rbac.authorization.k8s.io "camel-k" not found**
cabug prip0

All 9 comments

Does error: roles.rbac.authorization.k8s.io "camel-k" not found mean we miss a setup step in the template based install?

It seems like a privilege escalation issue. From the error, it looks like the user system:serviceaccounts:openshift-infra may be used by OpenShift online to instantiate the template.

While the user system:serviceaccounts:openshift-infra seems to be granted permission to create a role object (from the error message), it is not sufficient.

As documented in https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping, the user creating the role must either:

  • Already have all the permissions contained in the role, at the same scope as the object being modified, which is not the case for Camel K resources
  • Or be given explicit permission to perform the escalate verb on the roles resource in the rbac.authorization.k8s.io API group (Kubernetes 1.12 and newer), which is likely not the case
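The check described in this comment, as an added example (not part of the original thread and not Kubernetes source code): it parses a denial in the format shown in the issue and recomputes which requested permissions the creator does not hold. It is a simplified model of the rule that covers resource rules only; `SAMPLE` is a constructed, shortened message, and all function names are hypothetical.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    verbs: frozenset
    groups: frozenset
    resources: frozenset
    names: frozenset

# A rule as printed in the denial:
# {[verbs] [apiGroups] [resources] [resourceNames] [nonResourceURLs]}
RULE_RE = re.compile(
    r"\{\[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\] \[[^\]]*\]\}")
DENIAL_RE = re.compile(
    r"attempt to grant extra privileges: \[(.*?)\] user=.*?"
    r"ownerrules=\[(.*)\] ruleResolutionErrors", re.S)

def parse_rules(text):
    rules = []
    for verbs, groups, resources, names in RULE_RE.findall(text):
        rules.append(Rule(
            frozenset(verbs.split()),
            # split(" ") keeps the empty string: "[]" is the core group and
            # "[authorization.openshift.io ]" is that group plus the empty one.
            frozenset(groups.split(" ")),
            frozenset(resources.split()),
            frozenset(names.split())))
    return rules

def parse_denial(message):
    m = DENIAL_RE.search(message)
    if m is None:
        raise ValueError("not an 'attempt to grant extra privileges' denial")
    return parse_rules(m.group(1)), parse_rules(m.group(2))

def _match(owned, wanted):
    # A requested "*" is only matched by an owned "*".
    return "*" in owned or wanted in owned

def covers(owner_rules, verb, group, resource, name=""):
    for r in owner_rules:
        if (_match(r.verbs, verb) and _match(r.groups, group)
                and _match(r.resources, resource)
                and (not r.names or name in r.names)):
            return True
    return False

def may_create_role(owner_rules, requested):
    """Return (allowed, missing) for a creator holding owner_rules."""
    # Second bullet: explicit "escalate" on roles bypasses the comparison.
    if covers(owner_rules, "escalate", "rbac.authorization.k8s.io", "roles"):
        return True, []
    # First bullet: every requested permission must already be held.
    missing = []
    for r in requested:
        for verb in sorted(r.verbs):
            for group in sorted(r.groups):
                for res in sorted(r.resources):
                    for name in sorted(r.names) or [""]:
                        if not covers(owner_rules, verb, group, res, name):
                            missing.append((verb, group, res, name))
    return not missing, missing

# Constructed sample in the format of the error above (shortened, placeholder user).
SAMPLE = (
    'error: roles.rbac.authorization.k8s.io "camel-k" is forbidden: '
    'attempt to grant extra privileges: '
    '[{[get] [camel.apache.org] [*] [] []} {[create] [camel.apache.org] [*] [] []}] '
    'user=&{system:serviceaccount:example:installer uid-placeholder '
    '[system:authenticated] map[]} '
    'ownerrules=[{[create delete get list watch] [] [pods secrets] [] []} '
    '{[create delete get list patch update watch] [rbac.authorization.k8s.io] '
    '[rolebindings roles] [] []} '
    '{[get list watch] [authorization.openshift.io ] [policies] [] []}] '
    'ruleResolutionErrors=[]')

if __name__ == "__main__":
    requested, owner = parse_denial(SAMPLE)
    print(may_create_role(owner, requested))
```

Being allowed to create roles is not enough here: the requested rule uses the `*` resource, so only an owner rule that itself grants `*` in `camel.apache.org` (or the `escalate` verb) satisfies the check.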

I think that adding the following resource before the installation solves the problem (not sure, cc @astefanutti):

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: camel-k:edit
      labels:
        app: "camel-k"
        # Add these permissions to the "admin" and "edit" default roles.
        rbac.authorization.k8s.io/aggregate-to-admin: "true"
        rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rules:
    - apiGroups: ["camel.apache.org"]
      resources: ["*"]
      verbs: ["*"]

But since we're talking about openshift-online, so "no cluster-admin rights", we should just remove references to camel k in the template before adding it.

Obviously, since camel k is an operator, it won't work.

Something like this: https://github.com/syndesisio/fuse-online-install/compare/1.6.x...nicolaferraro:no-camel-k-patch?expand=1

The first error you get @heiko-braun should be related to the permissions we mentioned. The second is for the role-binding that refers to a non-existing role, so even without this patch (that should remove the errors during creation), the installation should be working correctly.

Thanks for your feedback @nicolaferraro. I have been talking to @astefanutti and we came to the same conclusion: The most simple way would be to remove the camel-k rolebindings from the template in fuse-online-install itself, ideally within the release script, after the template got extracted from the operator image: https://github.com/syndesisio/fuse-online-install/blob/1.6.9/release.sh#L219

Cannot find a way to do it automatically in release... other than the following dirty hack:

    sed -i '/Camel-K/,/apiGroup: rbac.authorization.k8s.io/d' ./resources/fuse-online-template.yml

@lgarciaaco ^^

I see a tendency to add hacky hacks around the install scripts that are going to be a nightmare to maintain in the future ... I myself added a few :D

yes, this should need to be cleaned up
