Bug 1381611
| Summary: | oadm diagnostics shows extra permissions as a warning not an info | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Eric Jones <erjones> |
| Component: | oc | Assignee: | Luke Meyer <lmeyer> |
| Status: | CLOSED ERRATA | QA Contact: | Xia Zhao <xiazhao> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 3.3.0 | CC: | aos-bugs, jliggitt, jokerman, mmccomas, tdawson, xiazhao |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: |
undefined
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-04-12 19:07:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
the "extra permissions" messages should be at info level, and include the --additive-only=false flag in the recommended command to run (though they should also note that they should ensure they don't need the extra permissions before they remove them) Commit pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/ebceafede31cbec87caabe93be0b9ee6e72e7062 diagnostics: make cluster role warning info, modify text bug 1381611 https://bugzilla.redhat.com/show_bug.cgi?id=1381611 This commit was merged into the origin 1.5 code, marking this as 3.5.0 target. This has been merged into ocp and is in OCP v3.5.0.7 or newer. Verified on
# openshift version
openshift v3.5.0.7+390ef18
kubernetes v1.5.2+43a9be4
etcd 3.1.0-rc.0
it's fixed:
[Note] Running diagnostic: ClusterRoleBindings
Description: Check that the default ClusterRoleBindings are present and contain the expected subjects
Info: clusterrolebinding/cluster-readers has more subjects than expected.
Use the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to remove extra subjects.
Info: clusterrolebinding/cluster-readers has extra subject {ServiceAccount management-infra management-admin }.
Info: clusterrolebinding/self-provisioners has more subjects than expected.
Use the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to remove extra subjects.
Info: clusterrolebinding/self-provisioners has extra subject {ServiceAccount management-infra management-admin }.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0884 |
Description of problem: `oadm diagnostics` includes a specific warning [0] that indicates there are "extra permissions" on certain roles. This should likely be an information message, rather than a warning, as there is not anything necessarily bad about the extra permissions (might be there due to changes in the permissions of roles in the upgrades 3.2 vs 3.3) [0] WARN: [CRD1003 from diagnostic ClusterRoles@openshift/origin/pkg/diagnostics/cluster/roles.go:82] clusterrole/system:deployment-controller has changed, but the existing role has more permissions than the new role. Use the `oadm policy reconcile-cluster-roles` command to update the role to reduce permissions. Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["replicationcontrollers"]}. Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["replicationcontrollers"]}. Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["replicationcontrollers"]}. Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["update"], APIGroups:[""], Resources:["replicationcontrollers"]}. Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["create"], APIGroups:[""], Resources:["pods"]}. Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["delete"], APIGroups:[""], Resources:["pods"]}. Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["update"], APIGroups:[""], Resources:["pods"]}.