|Summary:||[yHlzD0NV] RoleBindingRestriction object is not deleted after namespace is deleted|
|Product:||OpenShift Container Platform||Reporter:||Chuan Yu <chuyu>|
|Status:||CLOSED ERRATA||QA Contact:||Chuan Yu <chuyu>|
|Version:||3.5.0||CC:||aos-bugs, haowang, jliggitt, mfojtik, mmasters, pweil, tdawson, trankin, xtian|
|Fixed In Version:||Doc Type:||Bug Fix|
Cause: Origin's namespace finalizer did not delete RoleBindingRestriction before namespace deletion. Consequence: Orphaned RoleBindingRestrictions were left in etcd and could cause issues if the openshift.io/RestrictSubjectBindings admission plugin was enabled. Fix: Delete RoleBindingRestriction before namespace finalization. Result: RoleBindingRestrictions are deleted when a namespace is deleted.
|Last Closed:||2017-04-12 19:14:58 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Chuan Yu 2017-03-23 08:58:54 UTC
Description of problem: RoleBindingRestriction not being deleted when namespaces are removed Version-Release number of selected component (if applicable): # openshift version openshift v184.108.40.206 kubernetes v1.5.2+43a9be4 etcd 3.1.0 How reproducible: always Steps to Reproduce: 1.create rolebindingrestriction by cluster-admin, oc create -f -<<EOF -n test apiVersion: v1 kind: RoleBindingRestriction metadata: name: match-groups spec: grouprestriction: groups: ["groups-rolebindingrestriction"] EOF 2.Delete the namespace 'test' by cluster-admin or project admin 3. Actual results: When the namespaces are removed, the RoleBindingRestriction not being deleted. oc get rolebindingrestriction --all-namespaces NAMESPACE NAME SUBJECT TYPE SUBJECTS match-groups Group groups-rolebindingrestriction Expected results: When the namespaces are removed, the RoleBindingRestriction should be deleted also. Additional info:
Comment 1 Jordan Liggitt 2017-03-23 14:20:09 UTC
need to be added to https://github.com/openshift/origin/blob/master/pkg/project/controller/controller.go#L55 Also need a test to ensure content is removed Also need a test to iterate over all registered origin resources to ensure this doesn't reoccur
Comment 2 Wang Haoran 2017-03-24 02:59:40 UTC
This also will cause the project with same name cannot be created again with error: $ oc new-project test Error from server (InternalError): Internal error occurred: rolebindings "system:image-pullers" is forbidden: rolebindings to SystemGroup "system:serviceaccounts:test" are not allowed in project "test"
Comment 3 Michal Fojtik 2017-03-24 10:01:32 UTC
Miciah, are you working on this? Seems like something PM team should be addressing :-)
Comment 10 Chuan Yu 2017-03-31 09:06:33 UTC
As there no new 3.5 puddle available, set the status to modified first.
Comment 12 Chuan Yu 2017-04-06 08:02:38 UTC
Verified with 220.127.116.11, # openshift version openshift v18.104.22.168 kubernetes v1.5.2+43a9be4 etcd 3.1.0
Comment 14 errata-xmlrpc 2017-04-12 19:14:58 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0884