Merge pull request #9066 from deads2k/let-builder-make-image-streams

Merged by openshift-bot

Author: OpenShift Bot

pkg/cmd/server/bootstrappolicy/policy.go

@@ -372,6 +372,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 			Rules: []authorizationapi.PolicyRule{
 				// push and pull images
 				authorizationapi.NewRule("get", "update").Groups(imageGroup).Resources("imagestreams/layers").RuleOrDie(),
+				// allow auto-provisioning when pushing an image that doesn't have an imagestream yet
+				authorizationapi.NewRule("create").Groups(imageGroup).Resources("imagestreams").RuleOrDie(),
 				authorizationapi.NewRule("update").Groups(buildGroup).Resources("builds/details").RuleOrDie(),
 			},
 		},

test/end-to-end/core.sh

@@ -338,6 +338,8 @@ os::cmd::try_until_text 'oc get events -n node-selector' 'pod-with-node-name.+No
 
 # Image pruning
 echo "[INFO] Validating image pruning"
+# builder service account should have the power to create new image streams: prune in this case
+os::cmd::expect_success "docker login -u e2e-user -p $(oc sa get-token builder -n cache) -e [email protected] ${DOCKER_REGISTRY}"
 os::cmd::expect_success 'docker pull busybox'
 os::cmd::expect_success 'docker pull gcr.io/google_containers/pause'
 os::cmd::expect_success 'docker pull openshift/hello-openshift'

test/fixtures/bootstrappolicy/bootstrap_cluster_roles.yaml

@@ -1221,6 +1221,13 @@ items:
     verbs:
     - get
     - update
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - imagestreams
+    verbs:
+    - create
   - apiGroups:
     - ""
     attributeRestrictions: null