problem in accessing amq-broker pod : Ensure service account has view privileges.

[yeganx]

hi
i add all templates as the instruction , but add to my project amq-basic
I use clusterd openshift ,and saw this instruction: https://access.redhat.com/documentation/en/red-hat-xpaas/0/single/red-hat-xpaas-a-mq-image/ and add
$oc new-project amq-demo
$echo '{"kind": "ServiceAccount", "apiVersion": "v1", "metadata": {"name": "amq-service-account"}}' | oc create -f -
$ oc policy add-role-to-user view system:serviceaccount:amq-demo:amq-service-account
but can'nt solve my problem .
$oc get pods
NAME READY STATUS RESTARTS AGE
broker-amq-2-lnsik 1/1 Running 0 11m

$oc logs broker-amq-2-lnsik
WARNING: Service account has insufficient permissions to view endpoints in kubernetes (HTTP 403). Mesh will be unavailable. Please refer to the documentation for configuration.
Running jboss-amq-6/amq62-openshift image, version 1.3-8
INFO: Loading '/opt/amq/bin/env'
INFO: Using java '/usr/lib/jvm/java-1.8.0/bin/java'
INFO: Starting in foreground, this is just for debugging purposes (stop process by pressing CTRL+C)
Picked up JAVA_TOOL_OPTIONS: -Duser.home=/home/jboss -Duser.name=jboss
I> No access restrictor found, access to all MBean is allowed
Jolokia: Agent started with URL https://10.1.3.5:8778/jolokia/
Java Runtime: Oracle Corporation 1.8.0_111 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-1.b15.el7_2.x86_64/jre
Heap sizes: current=121856k free=100836k max=1780736k
JVM args: -Duser.home=/home/jboss -Duser.name=jboss -javaagent:/opt/amq/jolokia.jar=port=8778,protocol=https,caCert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt,clientPrincipal=cn=system:master-proxy,useSslClientAuthentication=true,extraClientCheck=true,host=0.0.0.0,discoveryEnabled=false -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Djava.io.tmpdir=/opt/amq/tmp -Dactivemq.classpath=/opt/amq/conf: -Dactivemq.home=/opt/amq -Dactivemq.base=/opt/amq -Dactivemq.conf=/opt/amq/conf -Dactivemq.data=/opt/amq/data
Extensions classpath:
[/opt/amq/lib,/opt/amq/lib/camel,/opt/amq/lib/optional,/opt/amq/lib/web,/opt/amq/lib/extra]
ACTIVEMQ_HOME: /opt/amq
ACTIVEMQ_BASE: /opt/amq
ACTIVEMQ_CONF: /opt/amq/conf
ACTIVEMQ_DATA: /opt/amq/data
Loading message broker from: xbean:activemq.xml
INFO | Refreshing org.apache.activemq.xbean.XBeanBrokerFactory$1@5d5eef3d: startup date [Sun Nov 13 00:56:43 EST 2016]; root of context hierarchy
INFO | Creating Kubernetes discovery agent for kube://broker-amq-tcp:61616/?transportType=tcp.
INFO | PListStore:[/opt/amq/data/broker-amq-2-lnsik/tmp_storage] started
INFO | Using Persistence Adapter: KahaDBPersistenceAdapter[/opt/amq/data/kahadb]
INFO | Apache ActiveMQ 5.11.0.redhat-621159 (broker-amq-2-lnsik, ID:broker-amq-2-lnsik-35054-1479016606177-0:1) is starting
INFO | Listening for connections at: tcp://broker-amq-2-lnsik:61616?maximumConnections=1000&wireFormat.maxFrameSize=104857600
INFO | Connector openwire started
INFO | Starting OpenShift discovery agent for service broker-amq-tcp transport type tcp
INFO | Network Connector DiscoveryNetworkConnector:NC:BrokerService[broker-amq-2-lnsik] started
INFO | Apache ActiveMQ 5.11.0.redhat-621159 (broker-amq-2-lnsik, ID:broker-amq-2-lnsik-35054-1479016606177-0:1) started
INFO | For help or more information please see: http://activemq.apache.org
WARN | Store limit is 102400 mb (current store usage is 0 mb). The data directory: /opt/amq/data/kahadb only has 9683 mb of usable space - resetting to maximum available disk space: 9683 mb
WARN | Temporary Store limit is 51200 mb, whilst the temporary data directory: /opt/amq/data/broker-amq-2-lnsik/tmp_storage only has 9683 mb of usable space - resetting to maximum available 9683 mb.
ERROR | Authentication failed for [https://172.30.0.1:443/api/v1/namespaces/amq-demo/endpoints/broker-amq-tcp]. Ensure service account has view privileges.
$oc get svc
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
broker-amq-amqp 172.30.58.185 5672/TCP 17m
broker-amq-mqtt 172.30.52.213 1883/TCP 17m
broker-amq-stomp 172.30.157.177 61613/TCP 17m
broker-amq-tcp 172.30.15.102 61616/TCP 17m

172.30.0.1 kubernets service
$oc project default
$oc get svc
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
docker-registry 172.30.24.154 5000/TCP 18d
kubernetes 172.30.0.1 443/TCP,53/UDP,53/TCP 21d
router 172.30.223.78 80/TCP,443/TCP,19

[rcernich]

Did you associate amq-service-account with the deployment? The view role needs to be added to the service account referenced by the deployment, which is "default" by default.