Bug 1435132
| Summary: | [yHlzD0NV] RoleBindingRestriction object is not deleted after namespace is deleted | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Chuan Yu <chuyu> |
| Component: | apiserver-auth | Assignee: | Mo <mkhan> |
| Status: | CLOSED ERRATA | QA Contact: | Chuan Yu <chuyu> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 3.5.0 | CC: | aos-bugs, haowang, jliggitt, mfojtik, mmasters, pweil, tdawson, trankin, xtian |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Cause: Origin's namespace finalizer did not delete RoleBindingRestriction before namespace deletion.<br>Consequence: Orphaned RoleBindingRestrictions were left in etcd and could cause issues if the openshift.io/RestrictSubjectBindings admission plugin was enabled.<br>Fix: Delete RoleBindingRestriction before namespace finalization.<br>Result: RoleBindingRestrictions are deleted when a namespace is deleted. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-04-12 19:14:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
need to be added to https://github.com/openshift/origin/blob/master/pkg/project/controller/controller.go#L55

Also need a test to ensure content is removed.

Also need a test to iterate over all registered origin resources to ensure this doesn't reoccur.

This will also cause a project with the same name to fail to be created again, with the error:

```
$ oc new-project test
Error from server (InternalError): Internal error occurred: rolebindings "system:image-pullers" is forbidden: rolebindings to SystemGroup "system:serviceaccounts:test" are not allowed in project "test"
```

Miciah, are you working on this? Seems like something PM team should be addressing :-)

As there is no new 3.5 puddle available, set the status to modified first.

Verified with 3.5.5.2:

```
# openshift version
openshift v3.5.5.2
kubernetes v1.5.2+43a9be4
etcd 3.1.0
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884
Description of problem:

RoleBindingRestriction is not deleted when namespaces are removed.

Version-Release number of selected component (if applicable):

```
# openshift version
openshift v3.5.0.55
kubernetes v1.5.2+43a9be4
etcd 3.1.0
```

How reproducible:

always

Steps to Reproduce:

1. Create a rolebindingrestriction as cluster-admin:

```
oc create -f -<<EOF -n test
apiVersion: v1
kind: RoleBindingRestriction
metadata:
  name: match-groups
spec:
  grouprestriction:
    groups: ["groups-rolebindingrestriction"]
EOF
```

2. Delete the namespace 'test' as cluster-admin or project admin.

3.

Actual results:

When the namespaces are removed, the RoleBindingRestriction is not deleted.

```
oc get rolebindingrestriction --all-namespaces
NAMESPACE   NAME           SUBJECT TYPE   SUBJECTS
            match-groups   Group          groups-rolebindingrestriction
```

Expected results:

When the namespaces are removed, the RoleBindingRestriction should be deleted also.

Additional info:
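A check for the leftover state this report describes, as an added example (not part of the original report or of Origin's code): it lists RoleBindingRestrictions whose namespace no longer exists. The function names, the two-file input layout and the sample data are assumptions; the `oc` invocations in the comments are one assumed way to produce the inputs.

```shell
#!/bin/sh
# find_orphaned_rbr LIVE_NS_FILE RBR_FILE
#   LIVE_NS_FILE: one existing namespace name per line
#   RBR_FILE:     "<namespace> <name>" per RoleBindingRestriction
# Prints "<namespace>/<name>" for each restriction whose namespace is gone.
#
# Assumed ways to produce the inputs on a cluster (adjust to your oc version):
#   oc get namespaces -o name | sed 's|.*/||'
#   oc get rolebindingrestriction --all-namespaces --no-headers \
#     -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name
find_orphaned_rbr() {
  awk '
    # First file: remember every live namespace. Comparing FILENAME instead of
    # NR == FNR keeps this correct when the namespace list is empty.
    FILENAME == ARGV[1] { if (NF) live[$1] = 1; next }
    # Second file: report restrictions stored under a namespace that is not live.
    NF >= 2 && !($1 in live) { print $1 "/" $2 }
  ' "$1" "$2"
}

# Constructed sample data (not from a real cluster): namespace "test" has been
# deleted, but its restriction "match-groups" is still stored.
demo_orphans() {
  _tmp=$(mktemp -d)
  printf '%s\n' default openshift-infra dev > "$_tmp/ns"
  printf '%s\n' 'dev match-devs' 'test match-groups' > "$_tmp/rbr"
  find_orphaned_rbr "$_tmp/ns" "$_tmp/rbr"
  rm -rf "$_tmp"
}

demo_orphans   # prints: test/match-groups
```

Any line this prints is a restriction that would apply to a new project created under the same name, which is the failure shown in the `oc new-project test` error above.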