- Bug
- Resolution: Cannot Reproduce
- Major
- 2.15.0.GA
Summary
After uninstall/install of CRW, some users can work (developer), some do not work (demo).
The browser shows: POST https://<CRW_URL>/api/kubernetes/namespace/provision , 504, Gateway Time-out
The log shows: [WARN ] [o.e.c.w.i.o.p.OpenShiftProject 258] - Trying to get namespace 'demo-codeready', but failed because the lack of permissions.
Relevant information
OpenShift 4.9.21
CRW: 2.15.0 (openshift-workspaces)
Even when I delete the ns/project for the user (demo-workspaces), it does not work. The ns/project will be recreated by the che SA of the openshift-workspaces NS.
The workspaces/che pod is running with the che SA.
$ oc describe ns demo-codeready
Name:         demo-codeready
Labels:       app.kubernetes.io/component=workspaces-namespace
              app.kubernetes.io/part-of=che.eclipse.org
              kubernetes.io/metadata.name=demo-codeready
              openshift-pipelines.tekton.dev/namespace-reconcile-version=v1.6.2
Annotations:  che.eclipse.org/username: demo
              openshift.io/description:
              openshift.io/display-name:
              openshift.io/requester: system:serviceaccount:openshift-workspaces:che
              openshift.io/sa.scc.mcs: s0:c31,c30
              openshift.io/sa.scc.supplemental-groups: 1000990000/10000
              openshift.io/sa.scc.uid-range: 1000990000/10000
Status:       Active

No resource quota.

No LimitRange resource.
$ oc get sa -n demo-codeready
NAME            SECRETS   AGE
builder         2         42m
che-workspace   2         41m
default         2         42m
deployer        2         42m
pipeline        2         42m
$ oc get role -n demo-codeready
NAME                   CREATED AT
exec                   2022-03-02T10:59:08Z
workspace-configmaps   2022-03-02T10:59:22Z
workspace-metrics      2022-03-02T10:59:15Z
workspace-secrets      2022-03-02T10:59:19Z
workspace-stop         2022-03-02T10:59:26Z
workspace-view         2022-03-02T10:59:11Z
$ oc get rolebinding -n demo-codeready
NAME                        ROLE                                    AGE
admin                       ClusterRole/admin                       42m
che-workspace-configmaps    Role/workspace-configmaps               41m
che-workspace-exec          Role/exec                               42m
che-workspace-metrics       Role/workspace-metrics                  42m
che-workspace-secrets       Role/workspace-secrets                  42m
che-workspace-stop          Role/workspace-stop                     41m
che-workspace-view          Role/workspace-view                     42m
edit                        ClusterRole/edit                        42m
pipelines-scc-rolebinding   ClusterRole/pipelines-scc-clusterrole   42m
system:deployers            ClusterRole/system:deployer             42m
system:image-builders       ClusterRole/system:image-builder        42m
system:image-pullers        ClusterRole/system:image-puller         42m
$ oc get pod codeready-6c5776dcb4-5npwt -o yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: codeready
    app.kubernetes.io/component: codeready
    app.kubernetes.io/instance: codeready
    app.kubernetes.io/managed-by: codeready-operator
    app.kubernetes.io/name: codeready
    app.kubernetes.io/part-of: che.eclipse.org
    component: codeready
    pod-template-hash: 6c5776dcb4
  name: codeready-6c5776dcb4-5npwt
  namespace: openshift-workspaces
spec:
  containers:
  - env:
    - name: CHE_SELF__SIGNED__CERT
    - name: CHE_GIT_SELF__SIGNED__CERT
    - name: CHE_GIT_SELF__SIGNED__CERT__HOST
    - name: CHE_KEYCLOAK_ADMIN__PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: che-identity-secret
    - name: CHE_KEYCLOAK_ADMIN__USERNAME
      valueFrom:
        secretKeyRef:
          key: user
          name: che-identity-secret
    - name: CM_REVISION
      value: 643827193,639371786
    - name: KUBERNETES_NAMESPACE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.namespace
    - name: CHE_JDBC_USERNAME
      valueFrom:
        secretKeyRef:
          key: user
          name: che-postgres-secret
    - name: CHE_JDBC_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: che-postgres-secret
    envFrom:
    - configMapRef:
        name: che
    image: registry.redhat.io/codeready-workspaces/server-rhel8@sha256:876cd78e050f8f1bede325f883a4a396fda3fc3f4fb6ae453bea453c45e42df9
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /api/system/state
        port: 8080
        scheme: HTTP
      initialDelaySeconds: 400
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 3
    name: codeready
    ports:
    - containerPort: 8080
      name: http
      protocol: TCP
    - containerPort: 8000
      name: http-debug
      protocol: TCP
    - containerPort: 8888
      name: jgroups-ping
      protocol: TCP
    readinessProbe:
      failureThreshold: 18
      httpGet:
        path: /api/system/state
        port: 8080
        scheme: HTTP
      initialDelaySeconds: 25
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    resources:
      limits:
        cpu: "1"
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 512Mi
    securityContext:
      capabilities:
        drop:
        - ALL
        - KILL
        - MKNOD
        - SETGID
        - SETUID
      runAsUser: 1000660000
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /public-certs
      name: che-public-certs
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-6xl24
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  imagePullSecrets:
  - name: che-dockercfg-8r99j
  nodeName: compute-2
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 1000660000
    seLinuxOptions:
      level: s0:c26,c5
  serviceAccount: che
  serviceAccountName: che
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  - effect: NoSchedule
    key: node.kubernetes.io/memory-pressure
    operator: Exists
  volumes:
  - configMap:
      defaultMode: 420
      name: ca-certs-merged
    name: che-public-certs
  - name: kube-api-access-6xl24
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
      - configMap:
          items:
          - key: service-ca.crt
            path: service-ca.crt
          name: openshift-service-ca.crt
- DevWorkspaces is not enabled.
- User demo is admin of NS demo-codeready. And the NS is created by CRW, SA: system:serviceaccount:openshift-workspaces:che
$ oc login -u demo -p openshift
Login successful.

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * demo
    demo-codeready
    demo-terminal
    fuse-demo

Using project "demo".
$ oc project demo-codeready
Now using project "demo-codeready" on server "https://api.ocp4.openshift.freeddns.org:6443".
$ oc get rolebinding admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2022-03-02T10:58:55Z"
  name: admin
  namespace: demo-codeready
  resourceVersion: "643886648"
  uid: 6e9ed525-842b-414e-ba58-b474dc1265c4
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: demo
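
Added example, not part of the original report and not CRW code: a small offline check that takes the JSON form of the namespace's RoleBindings and lists which of them name a given identity, applying the RBAC subject-matching rules for users, groups and service accounts. The sample data is constructed; only the `admin` binding's subject comes from the report, the helper names are hypothetical, and cluster-scoped bindings and a real user's extra groups are not covered.

```python
import json
# Constructed sample shaped like `oc get rolebinding -n demo-codeready -o json`.
# Only the `admin` binding's subject is shown in the report; the second item's
# subject is an assumption made for illustration.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "admin", "namespace": "demo-codeready"},
   "roleRef": {"kind": "ClusterRole", "name": "admin"},
   "subjects": [{"kind": "User", "name": "demo"}]},
  {"metadata": {"name": "che-workspace-view", "namespace": "demo-codeready"},
   "roleRef": {"kind": "Role", "name": "workspace-view"},
   "subjects": [{"kind": "ServiceAccount", "name": "che-workspace",
                 "namespace": "demo-codeready"}]}
]}
""")

def identity(username):
    """Return (username, groups); service accounts get their implicit groups."""
    groups = {"system:authenticated"}
    parts = username.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        groups |= {"system:serviceaccounts", "system:serviceaccounts:" + parts[2]}
    return username, groups

def subject_matches(subject, username, groups):
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "User":
        return name == username
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":
        return username == "system:serviceaccount:%s:%s" % (subject.get("namespace"), name)
    return False

def bindings_for(username, rolebindings):
    """List 'binding -> Kind/role' for every RoleBinding that names the identity."""
    user, groups = identity(username)
    hits = []
    for rb in rolebindings.get("items", []):
        if any(subject_matches(s, user, groups) for s in rb.get("subjects") or []):
            ref = rb["roleRef"]
            hits.append("%s -> %s/%s" % (rb["metadata"]["name"], ref["kind"], ref["name"]))
    return hits

if __name__ == "__main__":
    for who in ("demo", "system:serviceaccount:openshift-workspaces:che"):
        print(who, bindings_for(who, SAMPLE))
```

On a live cluster the input would come from `oc get rolebinding -n <namespace> -o json`; an empty result for an identity means no RoleBinding in that namespace names it directly or through its implicit groups.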