oc import-image attempts to watch all imagestream of namespace after an import

[AlbertoPeon]

Version

$ oc version
oc v1.4.1+3f9807a
kubernetes v1.4.0+776c994
features: Basic-Auth

Problem description

We have a set of images that we build outside of OpenShift, push to an external Docker registry and then we import them to OpenShif with oc import-image.

For that, a lightweight serviceaccount is provisioned and assigned the following role:

apiVersion: v1
kind: Role
metadata:
 ....
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resourceNames:
  - image_name
  resources:
  - imagestreams
  - imagestreams/layers
  verbs:
  - create
  - delete
  - edit
  - get
  - list
  - update
  - watch

As you can see, we only allow to modify resources with name 'image_name'

However, when running oc import-image:

$ oc import-image $image:$tag -n openshift --token $token
Importing (ctrl+c to stop waiting) ...
error: unable to determine if the import completed successfully - please run 'oc describe -n openshift imagestream/image' to see if the tags were updated as expected: User "system:serviceaccount:openshift:sa" cannot watch imagestreams in project "openshift"

The import actually succeeds but the command fails (returns != 0 status code) trying to display the imported images. It seems that the command tries to watch all the imagestreams in the namespace?

As a workaround, I can add an extra rule to the role defined above like:

  - apiGroups:
    - ""
    attributeRestrictions: null
    resources:
    - imagestreams
    verbs:
    - watch

However, it will be more convenient if this permission wasn't required to just import images.

[bparees]

@AlbertoPeon is the issue that you need to add the watch verb, or that you can't restrict the role to just resources with a specific name?

and in your example command:
oc import-image $image:$tag -n openshift --token $token

is the value of $image literally image_name?

[AlbertoPeon]

@bparees the second one, the service account needs to watch all imagestreams in the namespace instead of only the one limited by resourcesNames: $image_name.

It is really not a big deal, just a bit annoying to have to add that role.

WRT your second question, yes, it would be :

oc import-image image_name:$tag -n openshift --token $token
Importing (ctrl+c to stop waiting) ...
error: unable to determine if the import completed successfully - please run 'oc describe -n openshift imagestream/image_name' to see if the tags were updated as expected: User "system:serviceaccount:openshift:sa" cannot watch imagestreams in project "openshift"

[bparees]

@deads2k @soltysh @mfojtik is there a technical limitation that forces the service account to be granted permission to watch all imagestream resources in order to accomplish this, or is it actually something we can reasonably fix?

[soltysh]

We already watch IS by name, but unfortunately watch are limited and that they don't work with limited privs. We'd have to change that watch call to poll on a get.

[bparees]

Hm. Polling doesn't seem unreasonable in this case, thanks.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[bparees]

/remove-lifecycle stale
/lifecycle frozen