This repository has been archived by the owner on Mar 6, 2023. It is now read-only.

cannot create events in namespace: no RBAC policy matched #83

Open
seandilda opened this issue Dec 6, 2018 · 8 comments

Comments

@seandilda
Contributor

While running a single namespace deploy in OKD 3.11, I received this error:

I1206 16:36:51.435611       1 event.go:218] Event(v1.ObjectReference{Kind:"Route", Namespace:"sean-test", Name:"acme-test", UID:"9c7f323c-f1c3-11e8-8f91-005056a1102f", APIVersion:"route.openshift.io", ResourceVersion:"11119402", FieldPath:""}): type: 'Normal' reason: 'AcmeCertificateProvisioned' Successfully provided new certificate
E1206 16:36:51.437391       1 event.go:200] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"acme-test.156dcbb1b935bc84", GenerateName:"", Namespace:"sean-test", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Initializers:(*v1.Initializers)(nil), Finalizers:[]string(nil), ClusterName:""}, InvolvedObject:v1.ObjectReference{Kind:"Route", Namespace:"sean-test", Name:"acme-test", UID:"9c7f323c-f1c3-11e8-8f91-005056a1102f", APIVersion:"route.openshift.io", ResourceVersion:"11119402", FieldPath:""}, Reason:"AcmeCertificateProvisioned", Message:"Successfully provided new certificate", Source:v1.EventSource{Component:"openshift-acme-controller", Host:""}, FirstTimestamp:v1.Time{Time:time.Time{wall:0xbefa71e8d9ec1e84, ext:178333914359, loc:(*time.Location)(0x18fe500)}}, LastTimestamp:v1.Time{Time:time.Time{wall:0xbefa71e8d9ec1e84, ext:178333914359, loc:(*time.Location)(0x18fe500)}}, Count:1, Type:"Normal"}': 'events is forbidden: User "system:serviceaccount:sean-test:openshift-acme" cannot create events in the namespace "sean-test": no RBAC policy matched' (will not retry!)
@bverschueren

Adding permissions to the events resource in the relevant role files (deploy/letsencrypt-*/single-namespace/role.yaml) fixes this.

- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch

@seandilda
Contributor Author

I looked into this after posting the original issue, and I think I know why they didn't include that in the role.

The default 'admin' RBAC role only allows admins to view events. RBAC only allows you to assign roles when you have all the privileges in the role, which means admins can't assign a role that involves creating or editing events.

In order to make the role change above work, you need a cluster admin to assign the role for you (which doesn't scale well), or have cluster admins edit the default admin role to allow for event creation.

Given this, I'd like to change this to request that openshift-acme not log the event creation error when it's in a single namespace deployment, and to document the lack of single namespace events.
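As an added illustration of the escalation check described in this comment (not code from the issue or from openshift-acme), the following reduced re-implementation of how the API server compares a requested role against the permissions the requester already holds shows why an admin whose role only has read verbs on events cannot grant create/update/patch; the admin and role rules below are constructed samples.

```python
"""Simplified model of the Kubernetes RBAC escalation check (added example).

Before a user may create a Role, or bind one, the API server checks that the
user already holds every permission in it (unless they hold the 'escalate' /
'bind' verb on roles). This reduced re-implementation handles apiGroups,
resources and verbs with '*' wildcards; resourceNames/nonResourceURLs ignored.
"""

WILDCARD = "*"


def _allows(granted, item):
    """True if `item` is listed in `granted` or `granted` contains a wildcard."""
    return WILDCARD in granted or item in granted


def missing_from_rule(rule, held_rules):
    """(apiGroup, resource, verb) triples of `rule` not covered by `held_rules`."""
    missing = []
    for group in rule["apiGroups"]:
        for resource in rule["resources"]:
            for verb in rule["verbs"]:
                covered = any(
                    _allows(h["apiGroups"], group)
                    and _allows(h["resources"], resource)
                    and _allows(h["verbs"], verb)
                    for h in held_rules
                )
                if not covered:
                    missing.append((group, resource, verb))
    return missing


def uncovered_permissions(requested_rules, held_rules):
    """Every triple in `requested_rules` the holder of `held_rules` cannot grant."""
    return [t for rule in requested_rules for t in missing_from_rule(rule, held_rules)]


# Constructed sample: the default 'admin' role grants only read verbs on events
# (as described in the issue); these values are not copied from any cluster.
ADMIN_RULES = [
    {"apiGroups": [""], "resources": ["events"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["*"]},
]
# The rule proposed in the thread for the single-namespace role.yaml.
ACME_EVENT_RULE = [{"apiGroups": [""], "resources": ["events"], "verbs": ["create", "update", "patch"]}]

if __name__ == "__main__":
    for triple in uncovered_permissions(ACME_EVENT_RULE, ADMIN_RULES):
        print("admin role cannot grant:", triple)
```

On a live cluster the equivalent check is `oc auth can-i create events -n <namespace>` run as the deploying user, which reports whether the binding would pass.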

@tnozicka
Owner

Off the top of my head I don't see a reason why the project admin doesn't have permission to create namespace-level events; it might be worth poking at the default permissions first with kube/openshift.

@openshift-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@tnozicka
Owner

/remove-lifecycle stale
/lifecycle frozen

@bzed

bzed commented Aug 8, 2019

@tnozicka any news about that? I can confirm the bug.

@seandilda
Contributor Author

I looked into this a few months ago. IIRC, the upstream kubernetes code does not include creating/editing events in the default admin role, which has the side effect of not allowing users with the admin role to grant that access to another user.

@tnozicka
Owner

This is just cosmetic for the single namespace deployment; as @seandilda investigated, there is no fix to allow emitting those events without privilege escalation. It doesn't affect route handling, it's just an error in the logs. Nice to fix, but not high prio though.
