Bug 1570139

Summary: Every oc new-project gets an error message that rolebindings system:image-puller, system:image-builders and system:deployers already exists
Product: OpenShift Container Platform Reporter: Mike Fiedler <mifiedle>
Component: apiserver-authAssignee: David Eads <deads>
Status: CLOSED ERRATA QA Contact: Mike Fiedler <mifiedle>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.10.0CC: aos-bugs, deads, jialiu, jliggitt, jokerman, mkhan, mmccomas, xtian
Target Milestone: ---   
Target Release: 3.10.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-30 19:13:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mike Fiedler 2018-04-20 17:25:50 UTC
Description of problem:

Every oc new-project gets an E level error that 3 system rolebindings already exist

E0420 17:20:46.971349       1 defaultrolebindings.go:182] project0 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists]
I0420 17:20:47.055495       1 vnids.go:114] Allocated netid 6325719 for namespace "project1"                                                 
E0420 17:20:47.229087       1 defaultrolebindings.go:182] project1 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists]
I0420 17:20:47.345691       1 vnids.go:114] Allocated netid 12903804 for namespace "project2"                                                
E0420 17:20:47.531643       1 defaultrolebindings.go:182] project2 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists]
I0420 17:20:47.659897       1 vnids.go:114] Allocated netid 11566576 for namespace "project3"                                                
E0420 17:20:47.848781       1 defaultrolebindings.go:182] project3 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists]
I0420 17:20:47.955052       1 vnids.go:114] Allocated netid 12280207 for namespace "project4"                                                
E0420 17:20:48.127354       1 defaultrolebindings.go:182] project4 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists]



Version-Release number of selected component (if applicable): 3.10-0.22.0


How reproducible: Always on oc new-project


Steps to Reproduce:
1.  Setup a cluster (mine was HA on AWS:  3 master/etcd, 2 infra, 3 computes)
2.  Watch the master-controller logs while doing oc new-project


Actual results:

E0420 17:20:48.127354       1 defaultrolebindings.go:182] project4 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists]

Expected results:

No errors for normal project creation

Additional info:

Comment 1 Mike Fiedler 2018-04-20 17:27:12 UTC
Starting with component=security.  Not sure if it belongs elsewhere like CLI.

Comment 2 Simo Sorce 2018-04-20 18:27:28 UTC
David,
seem like this is another fallout of your controller Pr in this area.
What should we do ?

Comment 3 David Eads 2018-04-20 18:39:34 UTC
I would suppress the error like this: https://github.com/openshift/origin/pull/19455.

Comment 4 Mo 2018-04-23 14:42:10 UTC
PR is merged.

Comment 5 Mike Fiedler 2018-05-07 19:50:25 UTC
Verified on 3.10.0-0.33.0.  No error messages present for project creation.

Comment 7 errata-xmlrpc 2018-07-30 19:13:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816