Deployer service role Faied to execute Migration

byLiveStream -
0






Error:
Faied to execute Migration operation since user cannot get replicationcontrollers.

Resolution
Projects should be created using the ProjectRequest API. If it was not, you'll need to create the following role bindings within the project:

Raw
# Add `deployer` serviceaccount to `system:deployer` role
$ oc -n <project> adm policy add-role-to-user -z deployer system:deployer

# Add `builder` serviceaccount to `system:image-builder` role
$ oc -n <project> adm policy add-role-to-user -z builder system:image-builder

# Add `system:serviceaccounts:<project>` group  to `system:image-puller` role
$ oc -n <project> adm policy add-role-to-group system:image-puller system:serviceaccounts:<project>
Root Cause
Role bindings missing for deployer Service Account.
 

error: couldn't get deployment identity-management-1: User "system:serviceaccount:myproject:deployer" cannot get replicationcontrollers in project "myproject" 
 
 
 
 
Resolution
Projects should be created using the ProjectRequest API. If it was not, you'll need to create the following role bindings within the project:


# Add `deployer` serviceaccount to `system:deployer` role
$ oc -n <project> adm policy add-role-to-user -z deployer system:deployer

# Add `builder` serviceaccount to `system:image-builder` role
$ oc -n <project> adm policy add-role-to-user -z builder system:image-builder

# Add `system:serviceaccounts:<project>` group  to `system:image-puller` role
$ oc -n <project> adm policy add-role-to-group system:image-puller system:serviceaccounts:<project>
Root Cause
Role bindings missing for deployer Service Account.
 

oc adm policy add-role-to-user -z deployer system:deployer -n myproject
role "system:deployer" added: "deployer"
[root@node-2-1 ~]# oc adm policy add-role-to-user -z builder system:deployer -n myproject
role "system:deployer" added: "builder"
[root@node-2-1 ~]# oc adm policy add-role-to-user -^Cbuilder system:deployer -n myproject
[root@node-2-1 ~]# oc adm policy add-role-to-group system:image-puller system:serviceaccounts:myproject -n myproject


 
Basically if the namespace is not created with the ProjectRequest API in earlier versions of Openshift the default rolebindings do not get created.
 

 

 

Service Account cannot get deployment

Environment

  • OpenShift Container Platform
    • 3.7
    • 1.5

Issue

Receieving a message similar to the following when attempting a deployment.
error: couldn't get deployment <deployment>: User "system:serviceaccount:<service account>:deployer" cannot get replicationcontrollers in the namespace "<namespace>": User "system:serviceaccount:<service account>:deployer" cannot get replicationcontrollers in project <project> (get replicationcontrollers <deployment>)

Resolution

Projects should be created using the ProjectRequest API. If it was not, you'll need to create the following role bindings within the project:

# Add `deployer` serviceaccount to `system:deployer` role
$ oc -n <project> adm policy add-role-to-user -z deployer system:deployer

# Add `builder` serviceaccount to `system:image-builder` role
$ oc -n <project> adm policy add-role-to-user -z builder system:image-builder

# Add `system:serviceaccounts:<project>` group  to `system:image-puller` role
$ oc -n <project> adm policy add-role-to-group system:image-puller system:serviceaccounts:<project>

Root Cause

Role bindings missing for deployer Service Account.
Tags:

Post a Comment

Previous Post Next Post