Entando operator installation in OpenShift

Can you please help me solve this permission issue?

forbidden: User “system:serviceaccount:gbditmft-sit:entando-operator” cannot list resource “customresourcedefinitions” in API group “apiextensions.k8s.io” at the cluster scope.

            at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:583)

I tried the below – created a new clusterrole, role bound to the service account, but still not able to grant the required privilege to the entando-operator service account!!!

af71194@LC02CHB58MD6R entando % oc describe sa entando-operator
Name:                entando-operator
Namespace:           gbditmft-sit
Labels:              operators.coreos.com/entando-k8s-operator.gbditmft-sit=
Annotations:
Image pull secrets:  entando-operator-dockercfg-j4bf5
Mountable secrets:   entando-operator-token-6gfr6
                     entando-operator-dockercfg-j4bf5
Tokens:              entando-operator-token-6gfr6
                     entando-operator-token-bhkcg
Events:

af71194@LC02CHB58MD6R entando % oc describe clusterrolebinding entando-rolebinding
Name:         entando-rolebinding
Labels:
Annotations:
Role:
  Kind:  ClusterRole
  Name:  entando-role
Subjects:
  Kind            Name              Namespace
  ServiceAccount  entando-operator  gbditmft-sit

af71194@LC02CHB58MD6R entando % oc describe clusterrole entando-role
Name:         entando-role
Labels:
Annotations:
PolicyRule:
  Resources                  Non-Resource URLs  Resource Names  Verbs
  customresourcedefinitions  []                 []              [list]

af71194@LC02CHB58MD6R entando % kubectl auth can-i --as=entando-operator list customresourcedefinitions
Warning: resource ‘customresourcedefinitions’ is not namespace scoped in group ‘apiextensions.k8s.io’
no
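Added example, not part of the original posts and not Entando code: a simplified Python model of how Kubernetes RBAC evaluates the cluster-scoped request from the error message against the binding and role shown above. The role's `apiGroups` values are assumptions (the `oc describe` output does not show them), and groups and namespaced Roles are left out of the model.

```python
# Simplified model of Kubernetes RBAC for one cluster-scoped request.
# Names come from the oc output in the post; apiGroups values are assumed.

def sa_username(namespace, name):
    """Username the API server gives a service account."""
    return f"system:serviceaccount:{namespace}:{name}"

def subject_matches(subject, user):
    if subject["kind"] == "ServiceAccount":
        return user == sa_username(subject["namespace"], subject["name"])
    if subject["kind"] == "User":
        return user == subject["name"]
    return False  # Group subjects are not modelled here

def rule_allows(rule, verb, group, resource):
    def has(values, wanted):
        return "*" in values or wanted in values
    return (has(rule["verbs"], verb)
            and has(rule["apiGroups"], group)
            and has(rule["resources"], resource))

def can_i(bindings, roles, user, verb, group, resource):
    """True if any ClusterRoleBinding for `user` leads to a matching rule."""
    for binding in bindings:
        if not any(subject_matches(s, user) for s in binding["subjects"]):
            continue
        if any(rule_allows(r, verb, group, resource) for r in roles[binding["role"]]):
            return True
    return False

BINDINGS = [{"role": "entando-role", "subjects": [
    {"kind": "ServiceAccount", "name": "entando-operator", "namespace": "gbditmft-sit"}]}]
# Rule written against the API group named in the error message.
ROLES = {"entando-role": [{"apiGroups": ["apiextensions.k8s.io"],
                           "resources": ["customresourcedefinitions"], "verbs": ["list"]}]}
# Constructed variant: the same rule written against the core group ("").
ROLES_CORE = {"entando-role": [{"apiGroups": [""],
                                "resources": ["customresourcedefinitions"], "verbs": ["list"]}]}
REQUEST = ("list", "apiextensions.k8s.io", "customresourcedefinitions")

def demo():
    full = sa_username("gbditmft-sit", "entando-operator")
    return {
        # A bare name is a plain user, not the service account subject.
        "as_short_name": can_i(BINDINGS, ROLES, "entando-operator", *REQUEST),
        "as_full_name": can_i(BINDINGS, ROLES, full, *REQUEST),
        # A rule in the wrong API group never matches the CRD request.
        "core_group_rule": can_i(BINDINGS, ROLES_CORE, full, *REQUEST),
    }
```

On a cluster, the matching check names the service account in full: `kubectl auth can-i list customresourcedefinitions.apiextensions.k8s.io --as=system:serviceaccount:gbditmft-sit:entando-operator`.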

Hi there,

Version 6.3.2 of the Entando Operator should not need to list CustomResourceDefinitions, so there may be an issue with the version of the image being loaded. Can you perhaps attach the entire stack trace, please?

KR
Ampie

Hi, @ckvtvm. Welcome to the Entando Forum! It looks like you also opened an issue over here related to this topic - https://github.com/entando-k8s/entando-k8s-controller-coordinator/issues/76#issue-933938932.

Could you please describe the steps you took to get to this point, e.g. the operator install from OperatorHub per https://dev.entando.org/v6.3.2/tutorials/devops/installation/open-shift/openshift-install-by-operator-hub.html#overview or the manual steps per https://dev.entando.org/v6.3.2/tutorials/devops/installation/open-shift/openshift-install.html?

Thanks,
Nathan

Good observation. My operator installation failed in the OpenShift environment as the entando-k8s-controller-coordinator image is not available in the Red Hat registry, so I changed the image to entando/entando-k8s-controller-coordinator:0.0.0-SNAPSHOT-PR-75-37 available on Docker Hub.

I have only the below images available in the Red Hat image repo from Entando

Registry: registry.connect.redhat.com

Repository: entando/entando-431
Repository: r/entando/entando-component-manager
Repository: r/entando/entando-k8s-database-service-controller
Repository: r/entando/entando-k8s-composite-app-controller
Repository: r/entando/entando-k8s-service
Repository: entando/entando-redhat-sso
Repository: r/entando/app-builder
Repository: r/entando/entando-k8s-app-controller
Repository: r/entando/entando-k8s-app-plugin-link-controller
Repository: r/entando/entando-k8s-keycloak-controller
Repository: entando/entando-de-app-eap
Repository: entando/entando-operator
Repository: entando/entando-eap71-openshift-imagick

Namespace - specific namespace
Channel - Stable
Operator version - 6.3.2-pr2 provided by Entando, Inc

PFB the event log without changing the image to docker

Failed to pull image “entando/entando-k8s-controller-coordinator@sha256:c8a93ebd69af3cf822dd7d4fcce5d4241cd8dca229c4e25c771bcfecca916839”: rpc error: code = Unknown desc = Error reading manifest sha256:c8a93ebd69af3cf822dd7d4fcce5d4241cd8dca229c4e25c771bcfecca916839 in registry.access.redhat.com/entando/entando-k8s-controller-coordinator: name unknown: Repo not found

Thank you for the feedback that the entando-k8s-controller-coordinator image is not available on the Red Hat Registry. I suspect it is an unintentional side effect of how we got our images certified. We’ll have to look into a way to get it there going forward.

All the images you require are available on Docker Hub. If you follow the two installation guides Nathan referred to (https://dev.entando.org/v6.3.2/tutorials/devops/installation/open-shift/openshift-install-by-operator-hub.html#overview or
https://dev.entando.org/v6.3.2/tutorials/devops/installation/open-shift/openshift-install.html) the default behaviour would be to pull these images from Docker Hub.

Is the availability of these images on the Red Hat registry a requirement for you, or can you use Docker Hub?
Ampie

I can use the Docker image, but I have run into the permission issue which was elaborated at the beginning of this communication. I was replying to the question on why I chose a different image for the installation.

Hey, @ckvtvm. Could you please clarify how you wound up with the initial problem? Which guide were you following (operator vs manual), what version of OpenShift do you have, where are you hosting it (local CRC, cloud), what command did you issue that resulted in that error, etc. It sounds like you tried the Operator guide but knowing the scenario (1.1 or other) would also help.

Thanks,
Nathan

I was installing the operator from OperatorHub. My OCP version is 4.7, hosted in Red Hat OpenShift Container Platform.

I haven't issued any command; the installation fails with the absence of the image and I switched to the Docker image for entando-k8s-controller-coordinator.

I am running into the permission issue post changing the image.

forbidden: User “system:serviceaccount:gbditmft-sit:entando-operator” cannot list resource “customresourcedefinitions” in API group “” at the cluster scope.

af71194@LC02CHB58MD6R entando % oc describe sa entando-operator
Name:                entando-operator
Namespace:           gbditmft-sit
Labels:              operators.coreos.com/entando-k8s-operator.gbditmft-sit=
Annotations:
Image pull secrets:  entando-operator-dockercfg-j4bf5
Mountable secrets:   entando-operator-token-6gfr6
                     entando-operator-dockercfg-j4bf5
Tokens:              entando-operator-token-6gfr6
                     entando-operator-token-bhkcg
Events:

af71194@LC02CHB58MD6R entando % oc describe clusterrolebinding entando-rolebinding
Name:         entando-rolebinding
Labels:
Annotations:
Role:
  Kind:  ClusterRole
  Name:  entando-role
Subjects:
  Kind            Name              Namespace
  ServiceAccount  entando-operator  gbditmft-sit

af71194@LC02CHB58MD6R entando % oc describe clusterrole entando-role
Name:         entando-role
Labels:
Annotations:
PolicyRule:
  Resources                  Non-Resource URLs  Resource Names  Verbs
  customresourcedefinitions  []                 []              [list]

af71194@LC02CHB58MD6R entando % kubectl auth can-i --as=entando-operator list customresourcedefinitions
Warning: resource ‘customresourcedefinitions’ is not namespace scoped in group
no

            at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:583)

I tried the below – created a new clusterrole, role bound to the service account, but still not able to grant the required privilege to the entando-operator service account!!!

I am using the OpenShift 4.7 OperatorHub installation. It failed on operator installation due to the absence of the image and I added the Docker Hub image, but it failed on a permission issue.

forbidden: User “system:serviceaccount:gbditmft-sit:entando-operator” cannot list resource “customresourcedefinitions” in API group “” at the cluster scope.

af71194@LC02CHB58MD6R entando % oc describe sa entando-operator
Name:                entando-operator
Namespace:           gbditmft-sit
Annotations:
Image pull secrets:  entando-operator-dockercfg-j4bf5
Mountable secrets:   entando-operator-token-6gfr6
                     entando-operator-dockercfg-j4bf5
Tokens:              entando-operator-token-6gfr6
                     entando-operator-token-bhkcg
Events:

af71194@LC02CHB58MD6R entando % oc describe clusterrolebinding entando-rolebinding
Name:         entando-rolebinding
Labels:
Annotations:
Role:
  Kind:  ClusterRole
  Name:  entando-role
Subjects:
  Kind            Name              Namespace
  ServiceAccount  entando-operator  gbditmft-sit

af71194@LC02CHB58MD6R entando % oc describe clusterrole entando-role
Name:         entando-role
Labels:
Annotations:
PolicyRule:
  Resources                  Non-Resource URLs  Resource Names  Verbs
  customresourcedefinitions  []                 []              [list]

af71194@LC02CHB58MD6R entando % kubectl auth can-i --as=entando-operator list customresourcedefinitions
Warning: resource ‘customresourcedefinitions’ is not namespace scoped in group
no

            at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:583)

I tried the above – created a new clusterrole, role bound to the service account, but still not able to grant the required privilege to the entando-operator service account!!!

Hi, @ckvtvm.

Thanks for the extra information. Just to confirm, it sounds like you tried the operator install from the OperatorHub per https://dev.entando.org/v6.3.2/tutorials/devops/installation/open-shift/openshift-install-by-operator-hub.html#overview. Is that correct? Those initial scenarios (1.1+) do assume you’re acting as a cluster admin.

We’re trying to figure out how to reproduce what you ran into and it may be more efficient to jump on a call/screenshare to pin down the exact steps since the error you saw is unusual.

Thanks,
Nathan

Yes, that's correct. I am a cluster admin.

Do you think the Docker Hub image is creating the problem? We can set up a Teams call / screen share depending on your availability.