nate-ac commented on issue #6987: URL: https://github.com/apache/cloudstack/issues/6987#issuecomment-1372894386
A little more RCA here: when a project is created, a "PrjAcct-" account is also created and given ownership of the project. This account is created with the "RO Admin" role.

https://github.com/apache/cloudstack/blob/20306d612928712e5354bad57691b5fe4e1f59a9/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java#L266

```java
//Create an account associated with the project
StringBuilder acctNm = new StringBuilder("PrjAcct-");
acctNm.append(name).append("-").append(ownerFinal.getDomainId());
Account projectAccount = _accountMgr.createAccount(acctNm.toString(), Account.Type.PROJECT, null, domainId, null, null, UUID.randomUUID().toString());

Project project = _projectDao.persist(new ProjectVO(name, displayText, ownerFinal.getDomainId(), projectAccount.getId()));
//assign owner to the project
assignAccountToProject(project, ownerFinal.getId(), ProjectAccount.Role.Admin, Optional.ofNullable(finalUser).map(User::getId).orElse(null), null);

if (project != null) {
    CallContext.current().setEventDetails("Project id=" + project.getId());
    CallContext.current().putContextParameter(Project.class, project.getUuid());
}
```

Then a subsequent account is created, added to the project and set as "Domain Admin". Within that account is the kubeadmin user. This user makes API calls to set up the nginx ingress controller as shown above. The API call results in an empty response. Changing the "PrjAcct-" role from "RO Admin" to "Domain Admin" somehow gives the kubeadmin user the access it needs to "see" the resources and interact with them. So there seems to be something wrong with project accounts accessing the resources that are owned by the "PrjAcct-" RO Admin account, or the account is being created with insufficient access.
Things we noted while troubleshooting:

- All resources created in the project are owned by the "PrjAcct-" account
- The "PrjAcct-" account has type = 5 (RO Admin) and role_id = NULL in cloud.account
- API calls the kubeadmin user made during nginx ingress install & delete:

```
assignToLoadBalancerRule
associateIpAddress
deleteFirewallRule
deleteLoadBalancerRule
disassociateIpAddress
listFirewallRules
listLoadBalancerRules
listNetworks
listVirtualMachines
queryAsyncJobResult
```

--
This is an automated message from the Apache Git Service.
